Introduction of a register of outsourcing arrangements
The outsourced functions shall be recorded in a designated register including a distinction between the outsourcing of critical or important functions and other outsourcing functions. This distinction is relevant as more information should be included for critical or important functions. Some examples include the date when a risk assessment was last carried out, a brief summary of the main results, the outcome of the assessment of the service provider's replaceability, the possibility of reintegrating an outsourced function back into the entity, or the impact of terminating the function. Whereas archiving all outsourcing functions was already considered good practice in this regard, entities were free to determine how to establish this, which resulted in different formats of documentation across the market. As of June 2024, the outsourcing register has to be conducted in accordance with the conditions stipulated by the handbook.
Extensive guidance regarding the outsourcing process
The handbook provides more extensive guidance regarding the outsourcing process. This handbook sets out what elements should be taken into account when selecting a service provider and implementing the outsourcing process. The most important concerns relate to the assessment of the risks of the outsourcing arrangements, the selection of the service provider, the outsourcing agreement and exit strategies.
The service provider requirements to observe are set out more extensively in the handbook compared to the previous circular. The entity must ensure that the service provider has all the required qualities to perform the outsourced critical or important function. Among other things, it must take into account professional reliability, appropriate and sufficient skills and necessary expertise.
With regard to the outsourcing agreement, the handbook contains an extension of the previous circular, consisting of a detailed list of mandatory elements in the agreement for critical or important functions. Some notable elements are the unrestricted right of an entity to inspect and audit the service provider, the method of information exchange and reporting obligations, and the obligation for the service provider to cooperate with FSMA and respond directly to its queries on the outsourced functions. When critical or important functions are outsourced, the FSMA should be informed in advance of how the handbook’s principles will be applied.