Outsourcing – a relief or a headache?
As advisors, we are preparing for a year with regulatory events. That also applies to the AFM and DNB. In this first Finnius View of the new year, I would like to focus on one of the supervisory subjects that I expect to receive the necessary attention again in 2022: the management of outsourcing risks.
It has been at the top of the priority lists of the AFM and DNB for years. Both the AFM (in its Trend View 2022) and DNB (in Supervision in View 2021, with an emphasis on outsourcing of data storage and IT processes) recently drew attention again to the (increasing) risks of outsourcing. They indicated that they will focus on this in 2022. In this Finnius View, I focus primarily on the asset management sector (mainly: MiFID, AIFMD and UCITS) that falls under the supervision of the AFM, but other market participants can also find inspiration here.
Each of the supervisory frameworks contains rules regarding the outsourcing of activities. In short, these rules relate to (i) the mandatory drafting of written policies, (ii) requirements for the outsourcing agreement, (iii) evaluation and monitoring of the relationship and (iv) the adoption of a contingency plan and exit plan. An asset manager may not outsource in such a way that it becomes a letter box entity. Oh, and don’t forget, reporting of outsourcing relationships to the AFM is required.
The preliminary question that always arises in connection with the outsourcing rules is: does a certain relationship qualify as an outsourcing relationship to which the supervisory rules apply? This question is simple to ask, but not so easy to answer. This is mainly due to the breadth of definitions and terminology that is now used in the market, such as ‘critical or important’, ‘material’, ‘internal and external’ outsourcing, ‘purchasing’ and ‘insourcing’.
In practice, this qualification thus often leads to headaches. When is something really outsourcing? I find it one of the trickier supervisory qualifications, which also seems to be constantly changing. In any case, it concerns activities that the asset manager would normally carry out itself, but has instructed a third party to perform. Even with this rule of thumb, there is often plenty of room for interpretation. Every asset manager will have to work its way through the qualification.
As far as I am concerned, if there is one policy that is eligible for a review in Q1 2022 by asset managers, it is the Outsourcing Policy. For that review, I can recommend the following system:
- Legal framework. Assess which supervisory framework is applicable to you and thereby map out which (recent) guidance from regulators you need to involve. Be sure to include the letter “Keten in Beeld” from the AFM, now already dated November 2019. In July 2021, the AFM published results of a follow-up study on outsourcing and once again called to mind the letter ‘Keten in Beeld’ for asset managers.
- Scope. Determine which service providers or suppliers you use as part of your operations. Assess which relationships you should qualify as outsourcing given the framework that applies to you. Record this in writing, for example in the form of a schedule, preferably with substantiation for the choice made.
- Review. Next comes the review of the Outsourcing Policy. Determine what parts need to be changed given the legal framework. Part of the outsourcing policy should also be the way in which you go through the selection procedure. This should preferably consist of a concrete step-by-step plan, with or without checklists, by means of which you guarantee that all mandatory components are completed before an outsourcing relationship is established. For example, the reasons for outsourcing (such as optimization of business processes, cost efficiency, knowledge and experience, specific disciplines or access to certain trade opportunities) must be made clear. Record that the review has taken place and when the next review will take place. The board must approve the changes.
- Cloud. As a special sub-area: assess the extent to which your outsourcing relationships involve a cloud component, in which case the ESMA Guidelines on Outsourcing to Cloud Service Providers also apply. These should then be incorporated into the Outsourcing Policy. Note that even if the relationship with a service provider does not, in itself, have a cloud component, but that service provider does, for example, store your data in the cloud, the ESMA Guidelines could apply, as this may qualify as sub-outsourcing.
- Implementation. Next, you must implement the revised Outsourcing Policy.
- At a minimum, identify the risks associated with your specific outsourcing. This is typically something that the rules do not always explicitly prescribe, but the AFM now requires. Use the letter “Keten in Beeld” as well as the follow-up study by the AFM for inspiration. Take measures where necessary to address risks.
- Outsourcing contracts. Ensure that a compliant outsourcing agreement has been entered into for every relationship you qualify as outsourcing. Note that existing outsourcing agreements with cloud providers must comply with the ESMA Guidelines by December 31, 2022.
- Notification AFM. If you have not already done so, notify the AFM of the outsourcing. We see that the AFM also draws explicit attention to this in its ongoing supervision, for example in connection with fund reports.
- Monitoring. Ensure that you are monitoring existing outsourcing relationships and that this has taken place in a demonstrable manner.
In this way, ensure that outsourcing leads to unburdening rather than headaches. Of course, I don’t have a crystal ball, but something tells me that this year there will also be more in-depth investigations of individual market parties into compliance with the outsourcing rules.
Furthermore, I wish you another healthy – and of course sound, prudent and ethical – year of financial supervision!