What should you do to comply with the FSMA new outsourcing handbook?

The FSMA new outsourcing handbook raises the bar on outsourcing requirements. What should you do to be compliant by June 30, 2024?

In brief:

• The FSMA new handbook on outsourcing is applicable to management companies of UCITS/AIFs and for portfolio management and investment advice companies.
• The handbook replaces and repeals the previous circular PPB 2004/5 of the CBFA. It raises the bar on outsourcing governance based on recent regulatory guidance.
• The principles of sound management of the outsourcing of any function and the outsourcing process are set out.

On 12 October 2023, the FSMA published its first practical outsourcing handbook applicable to portfolio management and investment advice companies, and management companies of UCITS and AIFs (hereafter: entities in scope). This handbook repeals and replaces the previous circular PPB 2004/5 of the CBFA, which was still the leading circular on outsourcing requirements for the entities in scope. By issuing this handbook, the FSMA is seeking greater alignment¹ for the entities in scope with other recent clarifying guidelines (from the NBB and EBA) on outsourcing that have been made applicable to other entities within the financial sector that fall under the supervision of the NBB (such as insurance companies and credit institutions). Although the fundamental principles on outsourcing remain largely the same as in the previous CBFA circular, the FSMA now provides more in-depth guidance on the effective implementation of outsourcing covering multiple topics (on e.g. risk management, outsourcing policy, etc.), setting the bar equally high for the entities in scope. Emphasis is provided to the outsourcing of critical and important functions. While the increased extensiveness of the handbook results in more clarity with regard to the criteria and internal controls entities must adhere when outsourcing activities, it also implies that more aspects have to be taken into account.

This revision of the guidance regarding outsourcing seems to be in line with the apparent trend of the FSMA to set a particular focus on outsourcing functions when exercising its supervision. Entities in scope will have to take immediate action, as the FSMA requires the outsourcing handbook to be fully implemented in practice by 30 June 2024.

Below are the key takeaways with the most impact:

Elaboration on the proportionality principle

The principle that the organization of the entities in scope should be proportionate to the size, nature, scale and complexity of its activities was already established by law. Nevertheless, its application was open to interpretation due to the more general wording. The FSMA confirms that smaller entities may adapt the application of outsourcing requirements to the size of their organization, but notes that this should not give rise to a carve-out of one or more requirements. In other words, small scaled entities will have to comply with all the outsourcing requirements, but in a lesser extent if full compliance would be disproportionate. Entities wishing to rely on this principle should perform a documented proportionality analysis to justify the application of this lighter regime (the so-called 'comply or explain principle').
 

Distinction between outsourcing of critical or important functions and outsourcing of other functions

A critical or important function is assessed by the concerned entity itself.² An important question in this regard is whether the function is essential to the operations of the entity. More stringent rules apply to critical functions because of their impactful nature. This manifests itself in various aspects such as: 

• Risk management, where more appropriate measures should be taken to manage risks when outsourcing critical or important functions. Some factors to consider are the potential impact of a disruption of the outsourced function and the possibility to reintegrate the function within the entity to ensure business continuity of its most essential activities;
  
  
• The outsourcing agreement, which should include more safeguards for critical or important functions such as the service provider's obligation to notify any development that may materially affect its ability to perform the outsourced functions efficiently and in compliance with the applicable legal and regulatory framework;
  
  
• Supervision, with more frequent and rigorous follow-up to be provided. For critical or important functions, the entity should continuously monitor the performance of service providers related to all outsourcing arrangements through a risk-based approach. The focus is on ensuring the availability, integrity and security of data and information.

The qualification of each outsourced function should be regularly reassessed by the entity to determine whether it has become critical or important or should be further considered critical or important.

Currently, within this framework, there is also a particular focus on 'cooperation with critical service providers' in accordance with circular FSMA_2019_09. In the latter, the FSMA requires that for each outsourcing or delegation, the company must complete a fiche. An overlap with this circular now exists, due to the introduction of the outsourcing register. It is our reading both requirements need to be complied with next to each other.

¹ See the reference in the handbook to the EBA guidelines on outsourcing of 25 February 2019 that apply for instance to credit institutions.

² In general, a function is considered critical or important if that function is essential to the operations and continuity of the business. The FSMA lists which criteria needs to be taken into account when assessing if the function needs to be considered critical or important.