7 minute read 3 Nov 2023

What should you do to comply with the FSMA new outsourcing handbook?

Authors
Filip Bogaert

EY Belgium Financial Services Legal and Regulatory Leader

Seasoned regulatory leader for the financial sector. Champion of leading and delivering high-stakes, transversal regulatory transformation and remediation projects.

Daan Thijs

EY Belgium FSO Legal & Regulatory Senior Manager

Experienced Legal and Regulatory professional with a deep knowledge of financial regulations. Keen to deliver the highest quality of work.

7 minute read 3 Nov 2023
Related topics Banking and capital markets Wealth and asset management Financial Services Law
Upvote

Show resources

The FSMA new outsourcing handbook raises the bar on outsourcing requirements. What should you do to be compliant by June 30, 2024?

In brief:

  • The FSMA new handbook on outsourcing is applicable to management companies of UCITS/AIFs and for portfolio management and investment advice companies.
  • The handbook replaces and repeals the previous circular PPB 2004/5 of the CBFA. It raises the bar on outsourcing governance based on recent regulatory guidance.
  • The principles of sound management of the outsourcing of any function and the outsourcing process are set out.

On 12 October 2023, the FSMA published its first practical outsourcing handbook applicable to portfolio management and investment advice companies, and management companies of UCITS and AIFs (hereafter: entities in scope). This handbook repeals and replaces the previous circular PPB 2004/5 of the CBFA, which was still the leading circular on outsourcing requirements for the entities in scope. By issuing this handbook, the FSMA is seeking greater alignment1 for the entities in scope with other recent clarifying guidelines (from the NBB and EBA) on outsourcing that have been made applicable to other entities within the financial sector that fall under the supervision of the NBB (such as insurance companies and credit institutions). Although the fundamental principles on outsourcing remain largely the same as in the previous CBFA circular, the FSMA now provides more in-depth guidance on the effective implementation of outsourcing covering multiple topics (on e.g. risk management, outsourcing policy, etc.), setting the bar equally high for the entities in scope. Emphasis is provided to the outsourcing of critical and important functions. While the increased extensiveness of the handbook results in more clarity with regard to the criteria and internal controls entities must adhere when outsourcing activities, it also implies that more aspects have to be taken into account.

This revision of the guidance regarding outsourcing seems to be in line with the apparent trend of the FSMA to set a particular focus on outsourcing functions when exercising its supervision. Entities in scope will have to take immediate action, as the FSMA requires the outsourcing handbook to be fully implemented in practice by 30 June 2024.

Below are the key takeaways with the most impact:

Elaboration on the proportionality principle

The principle that the organization of the entities in scope should be proportionate to the size, nature, scale and complexity of its activities was already established by law. Nevertheless, its application was open to interpretation due to the more general wording. The FSMA confirms that smaller entities may adapt the application of outsourcing requirements to the size of their organization, but notes that this should not give rise to a carve-out of one or more requirements. In other words, small scaled entities will have to comply with all the outsourcing requirements, but in a lesser extent if full compliance would be disproportionate. Entities wishing to rely on this principle should perform a documented proportionality analysis to justify the application of this lighter regime (the so-called 'comply or explain principle').

 

Distinction between outsourcing of critical or important functions and outsourcing of other functions

A critical or important function is assessed by the concerned entity itself.2 An important question in this regard is whether the function is essential to the operations of the entity. More stringent rules apply to critical functions because of their impactful nature. This manifests itself in various aspects such as: 

  • Risk management, where more appropriate measures should be taken to manage risks when outsourcing critical or important functions. Some factors to consider are the potential impact of a disruption of the outsourced function and the possibility to reintegrate the function within the entity to ensure business continuity of its most essential activities;

  • The outsourcing agreement, which should include more safeguards for critical or important functions such as the service provider's obligation to notify any development that may materially affect its ability to perform the outsourced functions efficiently and in compliance with the applicable legal and regulatory framework;

  • Supervision, with more frequent and rigorous follow-up to be provided. For critical or important functions, the entity should continuously monitor the performance of service providers related to all outsourcing arrangements through a risk-based approach. The focus is on ensuring the availability, integrity and security of data and information.

The qualification of each outsourced function should be regularly reassessed by the entity to determine whether it has become critical or important or should be further considered critical or important.

Currently, within this framework, there is also a particular focus on 'cooperation with critical service providers' in accordance with circular FSMA_2019_09. In the latter, the FSMA requires that for each outsourcing or delegation, the company must complete a fiche. An overlap with this circular now exists, due to the introduction of the outsourcing register. It is our reading both requirements need to be complied with next to each other.
 

Introduction of a register of outsourcing arrangements

The outsourced functions shall be recorded in a designated register including a distinction between the outsourcing of critical or important functions and other outsourcing functions. This distinction is relevant as more information should be included for critical or important functions. Some examples include the date when a risk assessment was last carried out, a brief summary of the main results, the outcome of the assessment of the service provider's replaceability, the possibility of reintegrating an outsourced function back into the entity, or the impact of terminating the function. Whereas archiving all outsourcing functions was already considered good practice in this regard, entities were free to determine how to establish this, which resulted in different formats of documentation across the market. As of June 2024, the outsourcing register has to be conducted in accordance with the conditions stipulated by the handbook.
 

Extensive guidance regarding the outsourcing process

The handbook provides more extensive guidance regarding the outsourcing process. This handbook sets out what elements should be taken into account when selecting a service provider and implementing the outsourcing process. The most important concerns relate to the assessment of the risks of the outsourcing arrangements, the selection of the service provider, the outsourcing agreement and exit strategies.

The service provider requirements to observe are set out more extensively in the handbook compared to the previous circular. The entity must ensure that the service provider has all the required qualities to perform the outsourced critical or important function. Among other things, it must take into account professional reliability, appropriate and sufficient skills and necessary expertise.

With regard to the outsourcing agreement, the handbook contains an extension of the previous circular, consisting of a detailed list of mandatory elements in the agreement for critical or important functions. Some notable elements are the unrestricted right of an entity to inspect and audit the service provider, the method of information exchange and reporting obligations, and the obligation for the service provider to cooperate with FSMA and respond directly to its queries on the outsourced functions. When critical or important functions are outsourced, the FSMA should be informed in advance of how the handbook’s principles will be applied.

How EY can help

Financial services law

EY Law teams advise on all legal and regulatory, risk management, enforcement and compliance issues across multiple jurisdictions.

Read more

More extensive risk management on outsourcing required

As part of its risk management, the entity should identify, assess, monitor and manage all risks arising from outsourcing functions. The FSMA stipulates aspects to be taken into account at different stages of the outsourcing process, being (i) the decision to outsource and (ii) during outsourcing. Entities should identify risks and take measures that particularly relate to outsourcing, which include ,for instance, data confidentiality, business continuity, and cyber security risks. Depending on the size of the entity involved, this may result into the requirement to set up a separate risk assessment on outsourcing or at least an update of the risk management policy or risk assessment in place.
 

Guidance on intragroup outsourcing

The FSMA explicitly states that the same outsourcing conditions apply to outsourcing functions between entities of the same group. Besides, the outsourcing needs to be justified by objective reasons (meaning that the other group entity has the experience and capacity to perform the outsourced function). The operational management of the outsourcing can be centralized in one entity. 
 

Other aspects covered by the handbook are often already applied in practice due to legal requirements and supplementary regulatory guidelines (e.g.: conflicts of interest, BCP, internal audit, etc.). In addition, the handbook also does not affect (and certainly does not diminish) the specific legal requirements related to the outsourcing of licensed activities of portfolio management and investment advice company and management companies.

Entities have until 30 June 2024 to implement this handbook and its sound management principles and should start to assess to what extent their current outsourcing framework may have to be updated to be compliant with the new rules. 

1 See the reference in the handbook to the EBA guidelines on outsourcing of 25 February 2019 that apply for instance to credit institutions.

2 In general, a function is considered critical or important if that function is essential to the operations and continuity of the business. The FSMA lists which criteria needs to be taken into account when assessing if the function needs to be considered critical or important.

Newsletters EY Belgium

Subscribe to one of our newsletters and stay up to date of our latest news, insights, events or more. 

Subscribe

Summary

The FSMA published a new handbook on outsourcing, applicable to management companies of UCITS/AIFs and for portfolio management and investment advice companies. The handbook sets out the principles of sound management of the outsourcing of any function and creates a clearer picture of what the FSMA expects from the entities in scope. Emphasis can be put on the seemingly increased vigilance of the FSMA on this subject. Compliance is thus key.

About this article

Authors
Filip Bogaert

EY Belgium Financial Services Legal and Regulatory Leader

Seasoned regulatory leader for the financial sector. Champion of leading and delivering high-stakes, transversal regulatory transformation and remediation projects.

Daan Thijs

EY Belgium FSO Legal & Regulatory Senior Manager

Experienced Legal and Regulatory professional with a deep knowledge of financial regulations. Keen to deliver the highest quality of work.

Related topics Banking and capital markets Wealth and asset management Financial Services Law
Upvote