Circular 2008/7 "Outsourcing banks"
(status 1 April 2009)
1. What are the criteria for applying the rules specified in Circular 2008/7?
As specified in the Circular, outsourcing is present if a company contracts a service provider to independently supply its services on a long-term basis. It involves the relocation of a central service. As specified in the Circular, a service is considered central when it affects the recording, restriction and monitoring of a bank’s risks (cf. mn. 2). The risk evaluation must also cover operational and reputation risks. Another important criterion is whether the outsourced area conducts typical banking activities or trades in securities. Furthermore, the purpose of the Circular (cf. mn. 1) is, amongst other things, to safeguard the protection of sensitive data in respect of banking secrecy and data security if a business area is outsourced to a service provider. If the latter does gain access to sensitive data (in particular client data), outsourcing as defined in the Circular may generally exist.
2. Does involving affiliates come under the Circular?
The term "autonomy" distinguishes clearly between involving affiliates and outsourcing to an independent service provider.
3. Is setting up an informal office (equipped with PCs, servers, etc. aside from the main office buildings) in the event of a major catastrophe considered as outsourcing in the meaning of the Circular?
No, since this does not involve relocating a business area to another company. Consequently, the prescriptions in the Circular are not applicable.
4. Is it permissible for an internationally active financial group to centralise all its data processing and to have its account statements and transaction confirmations for clients of its subsidiary bank in Switzerland issued abroad?
In line with the Circular, processing client data abroad is considered as outsourcing in which case it is necessary to comply with the principles outlined in the Circular. Margin numbers 6 to 8 of the Circular are partially applicable for outsourcing within a financial group, while margin numbers 37 to 39 remain applicable and require that clients are informed about the outsourcing.
5. A certain company intends to store its book-keeping data at its parent company abroad. Is this also considered as outsourcing?
Storing book-keeping data at a parent company is considered as outsourcing in accordance with item III of the appendix (storing data). In line with mn. 8, the Circular is only partially applicable.
6. Do printing and dispatching payment forms come under outsourcing?
Yes, the outsourcing of this particular service area comes under item VI of the appendix.
7. A bank is planning to hold valuable objects belonging to its clients by commissioning a third party to keep them safe. Is this outsourcing in the meaning of the Circular?
Outsourcing in the meaning of the Circular exists if a company commissions a service provider to independently take on one of its central business services on an ongoing basis. As referred to in the Circular, services that may pose image and legal risks are considered to be central. This also includes the typical bank service of renting out safes and safe deposit boxes. To limit risk exposure when applying safety standards, the principles outlined in the Circular regarding the outsourcing of the safe-keeping of valuable objects are applicable.
8. What is meant by group companies that require consolidation as set down in mn. 4a?
All companies consolidated in a group must adhere to the Circular, i.e., including parent companies and subsidiaries unless they are subject to supervision which provides for outsourcing regulations. The same applies to consolidated foreign group subsidiaries referred to in mn. 5.
9. What is meant by a "central organisation" referred to in mn. 8?
Examples of this are group structures such as RBA banks and the Raiffeisen Group.
10. A certain company has exclusively provided services for its shareholding banks and thus comes under the scope of partial application defined in the Circular. Now this company also provides services for a few third parties. Is mn. 9 still applicable?
If the company no longer exclusively provides services for the shareholding banking group, mn. 9 is irrelevant. In such cases, all the rules prescribed in the Circular are applicable.
11. What is meant by financial resources under mn. 22?
The service provider must be able to finance the assignment as referred to in the Circular, in which case liability reserves may play a part. In particular, see mn. 23 which requires that company and service provider competences are to be set down and defined.
12. What is the relationship between a bank and a subcontractor?
The outsourcing company is not party to the contract between the service provider and the subcontractor. In fact, two contracts are concluded: one contract between the outsourcing company and the service provider and one contract between the service provider and the subcontractor. The latter requires the consent of the bank which, however, does not then render it a contracting party. As specified under mn. 23, the interfaces, responsibilities, competences and liability issues are to be regulated in the contract. This is also applicable to the relationship between the service provider and the subcontractor.
13. What information must be included in the terms and conditions? Is it necessary to specifically mention the service provider’s name?
It does not suffice to make a general reference to the likelihood of outsourcing in the terms and conditions. This is deemed inadequate. Financial intermediaries are to define the areas of business which they intend to outsource if these areas are directly linked to the services offered to clients. The service provider's details (e.g. company name) are not required.
14. Does the wording "rights are reserved for the outsourcing of, e.g. ..." in the terms and conditions suffice?
Compiling a list of outsourced services suffices if the services indicated are representative and include the key outsourced services.
15. Must the terms and conditions for clients declare anonymised data processing abroad or does it suffice to indicate that data processing is outsourced to a third party?
As specified in mn. 38, the duty to inform clients is important and information provided is to contain precise details of the outsourced areas. If no inferences can be drawn from the client data, it is not necessary that the terms and conditions inform clients specifically about data processing abroad.
16. If a bank outsources a certain service area to a Swiss company, is it unnecessary to provide general information as specified in mn. 38 when it is clear that no inferences can be drawn from the data concerning client identity?
Since mn. 38 provides no easing in this respect, the duty to inform clients still remains.
17. May the auditor of the outsourcing company and the external auditor of the service provider coordinate the audit?
This is feasible provided that the requirements in mn. 40 to 47 are adhered to.
18. Some banks have concluded an outsourcing contract with a certain company (company A), which in turn outsources part of the services to another company (company B). Is it deemed adequate if company A concludes a contract with company B or must each bank conclude a contract with company B?
It suffices for company A to have a contract with company B. (See question 13).
19. To whom may I address any further queries?
banks@finma.ch or phone +41 31 327 93 00