nEW fiNMA cIRCULAR
Download Document here

1    Joint Circular for banking and insurance

The Swiss Financial Market Supervisory Authority (FINMA) has issued a new draft Circular “Outsourcing Banks and Insurers” together with an Explanatory Note which set the regulatory framework and requirements applicable to outsourcing arrangements. The draft is subject to consultation until 31.1.2017 and is expected to enter into force on 1st July 2017. The new Circular replaces the existing one on outsourcing of banks (RS 2008/7), and extends the scope to insurance and reinsurance companies. It is the first FINMA Circular regulating outsourcing by (re)insurance companies. Given its cross-sectoral nature, most provisions of the Circular apply to both, the insurance and banking industry.

2    Change of business plan – subject to FINMA approval

There is one big difference between banks and insurance which is not constituted by the Circular, but originated in the law. Unlike banks, outsourcing of core functions by (re)insurance companies is an element of their business plan which is subject to FINMA approval. This requirement cannot be changed by a Circular since it has its basis in the insurance supervision law (Art. 4 para. 2 lit. j VAG). A material change of an existing outsourcing arrangement must be notified to FINMA and is considered as approved unless FINMA initiates an examination proceeding (Art. 5 para. 2 VAG).

3    Definition of outsourcing

Service agreements are qualified by FINMA as outsourcing if the following conditions are met:

-    It delegates a core function that is essential for the operation (re)insurance;
-    It is long-term (not just the provision of a one-off service);
-    The service provider has sufficient scope of discretion to fulfil the tasks on the basis of delegated competences.

In principle, all core functions can be outsourced. The following core functions of (re)insurance companies are listed in the Circular: product development, distribution, underwriting, portfolio management, claims management, accounting, asset management, IT, risk management and compliance. According to the FINMA Explanatory Note to the Circular, the qualification of an agreement as outsourcing depends on the size and materiality of the outsourced function and the scope of freedom which the service provider has in fulfilling the tasks. For example, the delegation of asset management on the basis of tight investment guidelines leaving little scope to the investment firm is unlikely to be qualified as outsourcing while the delegation of the entire recovery function to a loss adjuster is likely to be qualified as outsourcing.

4    Supervisory practice restated

The Circular basically restates the current supervisory practice of FINMA with regard to outsourcing arrangements of (re)insurance companies. Some aspects of this practice are laid down in an Explanatory Note to the change of business plan forms. As under the existing regime, there are a number of key principles and requirements that (re)insurance companies must observe when outsourcing functions:

Ultimate responsibility

Companies remain fully responsible towards their clients and the regulator for the outsourced activities. A responsible person must be appointed to steer and monitor the performance of the service provider and to propose remedial action if necessary.

Management functions
Key management functions - e.g. determination of strategy, internal control, conclusion and termination of business relationships - cannot be outsourced. For captives, a more flexible approach applies: They could outsource senior management functions to their parent company or to a specialised captive management company.

Service levels
Outsourcing of core functions must be based on a clear and documented service level profile (key performance indicators).

Risk assessment
Prior to outsourcing, companies must conduct a risk assessment documenting the economic benefits and operational risks.

Due Diligence
The selection of a service provider must be based on a due diligence evaluation. The service provider must have the ability and capacity to perform the outsourced function according to the required standards and service levels on a sustained basis.

Companies must consider the transition of functions at the beginning and termination of the outsourcing. This implies contingency planning enabling companies to smoothly resume or reassign the outsourced function.

Internal Control System
The outsourced function must be integrated into the company’s internal control system and business continuity management. 

Supervisory control
Outsourcing of functions may not impair the regulatory oversight and enforcement by FINMA or the exercise of audit rights by the company’s auditor. The service contract must oblige the service provider to disclose documents and to provide information upon request of FINMA or the company’s auditor. It must also allow on-sight inspection at the service provider’s premises at any time.

Service Agreement
The outsourcing must be based on a written Outsourcing or Service Level Agreement which must contain at minimum the following terms:

-    Sub-delegation of tasks (subject to prior approval by the company)
-    Instruction and control
-    Reporting and inspection
-    Security measures (IT security)

Outsourcing Policy
Responsibilities, processes and requirements of outsourcing must be laid down in an internal Outsourcing Policy.

Group-internal outsourcing
Outsourcing to related companies is subject to the same supervisory standards.

 Filing procedure (Form J)

Outsourcing arrangements must be filed to FINMA by using the Form J for business plan change. This FINMA form sheet requires a description of the outsourced function. Each additional outsourcing must be added to the same Form J which serves as an inventory of all outsourced functions. Form J also contains the name of the service provider and the person of the insurance company responsible for steering and monitoring the provision of the service. Form J must be appended by a copy of the service agreement and a self-assessment in accordance with a FINMA questionnaire. This set of documents must be bound by a cover sheet for business plan changes which must be signed by a member of the Board of Directors. On the basis of this submission, FINMA decides whether a more in-depth investigation is necessary which usually involves follow-up requests. The entire procedure takes a couple of weeks or longer in case of an extended examination. Once all open points are cleared FINMA issues a decree permitting the outsourcing, with or without conditions. The Decree is subject to a fee which varies according to the complexity of the matter and workload of FINMA.


5    What is new

Compared to the existing supervisory practice, the Circular contains only a few new elements:

No limitation of outsourced core functions

Insurance companies are allowed to outsource all core functions (production, portfolio management, claims management). Under current supervisory practice, only two of the three core functions could be outsourced. FINMA acknowledges that there are cases where an insurance company only acts as a risk carrier whereby all relevant client-facing functions (underwriting, pricing, claims handling) are outsourced to an insurance intermediary or Managing General Agent.

Outsourcing of control functions restricted
FINMA does not allow the outsourcing of the integral Compliance or Risk Management function. Companies are only permitted to outsource certain operational sub-functions, such as identification, assessment or monitoring of individual risks or risk categories or the conduct of screening processes. More flexibility have smaller insurance companies (classified by FINMA as category 4 or 5) which could outsource all operational tasks of the compliance function. The outsourcing of the internal audit function is subject to the conditions laid down in Circular 2017/2 Corporate governance insurers (Section 53 - 56).

Data flows and data protection
Increased focus of FINMA will be on data flows connected to outsourcing, notably when client identifying data are processed by a service provider abroad. Special notification to FINMA is necessary already under the current regime. The Circular clarifies that FINMA does not review the implications of outsourcing on data protection as this falls outside the competence of insurance supervision. *

Outsourcing abroad
Outsourcing to service providers abroad is permitted provided FINMA has sufficient comfort that the company, its auditor and FINMA itself have anytime full access to the data processed abroad. Accessibility means that the data can be downloaded and processed in Switzerland which could necessitate certain adjustments of IT systems and electronic records management. FINMA reminds that access to policy and claims data is necessary to satisfy information rights of customers, and is relevant for statutory accounting and prudential reporting. Access to portfolio and financial data stored abroad could also be critical in case of recovery and resolution measures. A new element is that FINMA could require a legal opinion or confirmation by the foreign supervisory authority that inspection rights can effectively be exercised at the premises of the service provider abroad.

 Outsourcing by branches of foreign companies

FINMA still requires a change of business plan if a Swiss branch of a foreign (re)insurance company outsources certain core functions to its parent company abroad. Unlike intra-group outsourcing (between different entities of the same group), such a transaction is legally not an outsourcing agreement since the branch is not an independent legal entity. The function is simply moved within the same legal entity.

* Nonetheless, companies are well advised to establish processes and agree on contractual terms with the service provider to ensure compliance with data protection requirements. Since insurance companies remain responsible for the outsourced function towards their clients and employees, it is critical that the service provider observes the relevant compliance framework of the company (also beyond data protection).

6    Evolving supervisory practice

FINMA Circulars in general complement the laws and regulations on financial supervision, aiming to provide more specific guidance with regard to a particular topic, such as outsourcing. But most Circulars still use generic terms and do not introduce a too prescriptive framework. In its Explanatory Note to this new Circular, FINMA emphasizes to maintain a principle-based approach with regard to outsourcing. This means that FINMA still has discretion how to deal with outsourcing arrangements on a case-by-case basis. If justified in a concrete case, FINMA can impose conditions which are not foreseen in the Circular or can fully or partly exempt the application of the Circular.  

The following examples illustrate some practical aspects of outsourcing which are not explicitly addressed by the Circular and may be subject to evolving supervisory practice of FINMA.   

Outsourcing to intermediaries

There is a trend in the insurance market that insurers select distribution partners outside the insurance sector in order to exploit their distribution network by way of cross-selling. The cooperation with the distribution partner usually relates to a specific product line or narrow market segment. It often involves the outsourcing of certain functions to the distribution partner (e.g. claims and payment processing). Given its very limited scope it is questionable whether such outsourcing of partial functions should be treated as a change of business plan. In line with FINMA’s Explanatory Note, the outsourcing may not be material enough to justify an approval proceeding. Since the Circular does not provide specific guidance, the treatment of such distribution arrangements will depend on a case-by-case assessment.

The Explanatory Note also reminds that outsourcing to intermediaries in general may not impair policyholders’ interests and must avoid conflict of interests. Reference is made to FINMA Communication 63 (2014) which introduced additional requirements for outsourcing of core functions to intermediaries: (i) companies must demonstrate that they comply with pre-contractual customer information duties, (ii) companies must retain control over the acquired insurance portfolio, and (iii) the service and distribution agreement must clearly allocate the tasks and competences between insurer and intermediary. It is noteworthy that the Circular does not incorporate this Communication which could mean that supervisory practice in this area is still in flux.

Outsourcing of actuarial functions
The appointment of a responsible actuary requires itself a change of business plan (Form H filing). There is no need for a separate Form J filing if this function is outsourced to an external service provider. The outsourcing of the calculation and evaluation of the Swiss Solvency Test (SST) to a third party does not require a change of business plan. But FINMA expects that the company has the ability to review the SST report prepared by the service provider since the ultimate responsibility for SST reporting remains with Board of the company (Circular 2017/3 SST, section 147 144).

Outsourcing to a cloud
The Explanatory Note to the Circular refers to the new phenomenon to outsource certain IT or records management functions to a cloud. FINMA reminds that the Circular is “technology-neutral” and that it would assess cloud outsourcing on a case-by-case basis. FINMA could grant exceptions from certain provisions of the Circular, for example the inspection right of FINMA which could not be enforced in case of a cloud.

Operational risk
Outsourcing arrangements usually increase complexities and affect an insurer’s exposure to operational risks. Effective control over outsourcing must be considered in the context of operational risk assessment (Art. 50f and 98 AVO).

7    Conclusion

In recent years, outsourcing of functions has become an increasingly important factor to organise and manage (re)insurance companies. Main drivers are cost efficiencies (e.g. offshoring abroad), growth strategies (e.g. expanding the value chain with distribution partners) or exit strategies (e.g. external run off). It is expected that new digital technologies (like cloud computing) will change the boundaries of enterprises which will further boost horizontal and vertical outsourcing solutions. Outsourcing is often an element of company restructuring which has become apparent in the context of Brexit when certain firms intend to re-domicile their European headquarter, while keeping operational functions in the UK which can be done by way of group-internal outsourcing.

In light of the changing economic landscape, the FINMA Circular on Outsourcing is timely. As shown in this outline, the Circular mainly restates current supervisory practice and does not significantly change the regulatory framework of outsourcing in Switzerland. But the Circular reminds the industry that outsourcing of functions can be quite complex. Attention must be paid to due diligence and risk assessment, drafting of outsourcing agreement, setting and monitoring service levels, data flows and reporting, contingency planning, taxation (VAT), and the regulatory approval process of the business plan change.  

For a consulting firm like PRS, the complexities of outsourcing provide multiple opportunities to support (re)insurance clients. PRS can advise on all features relating to outsourcing: conducting due diligence and risk assessment, designing and drafting the service agreement, preparing contingency planning, monitoring the service provision and last but not least representing clients in the regulatory approval process. Assuming functions on behalf of (re)insurance clients is our core business. PRS has the capability and capacity to be the outsourcing partner of (re)insurance companies for almost all functions. Therefore, this FINMA Circular on outsourcing is vital for our business as it is vital for our clients’ business.

Do not hesitate to contact us should you have questions or wish additional information.

Dr. Rolf Nebel
Legal & Compliance
Phone: +41 (41) 725 32 13
Mobile: +41 (79) 234 46 84