Why devote attention to outsourcing?
Under the Financial Supervision Act (Wet op het financieel toezicht) and the Pensions Act (Pensioenwet), corporations are permitted to conditionally outsource activities to third parties. The conditions attached to outsourcing of activities have the purpose of controlling the relevant risks and ensuring that outsourcing of activities does not impede adequate supervision. In order to ensure controlled outsourcing, institutions must make a materiality assessment prior to outsourcing activities. The outcome of this assessment determines whether outsourcing is material (important, critical).
Institutions can use the following criteria to assess whether outsourcing qualifies as material.
- The critical nature and inherent risk profile of the activity the institution proposes to outsource. The institution must consider whether the activity is vital to its operational management, continuity as a going concern or viability and to its obligations towards its customers, members or policyholders. This means that the institution is unable to provide its services without this activity.
- The immediate operational consequences that interruptions of the activity may have, and the associated legal and reputation risks.
- The impact that a disruption in the activity may have on the institution's anticipated revenues.
- The impact that a breach of confidentiality or integrity, or the unavailability of data may have on the institution or its customers, members or policyholders.
Supervised institutions are required to inform DNB about their material outsourcing and cloud outsourcing. Material outsourcing of activities must be notified to DNB via the Digital Supervision Portal (Digitaal Loket Toezicht Uitbestedingen - DLT).
In addition to performing a materiality assessment, financial institutions are required to perform a risk analysis of outsourcing and cloud outsourcing. This risk analysis should provide insight into inherent risks, mitigating measures and residual risks. DNB has selected a minimum number of 10 items that institutions must include in their risk analysis. They should then supplement their risk analyses with risks that are relevant to the institution itself.
The 10 minimum items to include are:
- Vendor lock-in
- A lack of resources needed to manage acquisitions or existing outsourcing contracts
- Service provider ceases operations
- Compliance with legal and regulatory requirements
- Inadequate performance
- Data location
- Physical separation of environments
- Data access
Which conditions are attached to outsourcing?
In recent years, new specific requirements with respect to outsourcing have been included in, or announced for, legislation. These updated requirements call for an adjusted legal framework for outsourcing by banks, insurance companies and pension funds. Various thematic examinations have led to the compilation of good practices for insurers and other sectors.
Cloud computing qualifies as outsourcing. Out of the many definitions going round for cloud computing, DNB adopted the NIST definition.
Banking sector [2]
The EBA Recommendations on outsourcing to cloud service providers came into force on 1 July 2018. As DNB has adopted the EBA Recommendations, they apply to all banks (and payment institutions) in the Netherlands, cancelling the 2011 cloud computing circular for this sector.
Insurance sector [3]
The Solvency II framework for the insurance sector has been in force since 1 January 2016. The requirements that Solvency II sets for outsourcing of activities by insurance companies have been implemented into the Financial Supervision Act (Wet financieel toezicht - Wft) and further detailed into a good practices document for outsourcing in the insurance sector.
There is as yet no adjusted legislation in place for pension funds, meaning that the cloud circular issued on 6 December 2011 is still in force.
Right to examine and right to audit
With the new statutory requirements under Solvency II and the EBA Recommendations on outsourcing to cloud service providers coming into effect, a distinction is made between the right to examine for supervisors and the right to audit for financial institutions. Both rights must be included in the outsourcing contract. In the past, DNB made agreements with several cloud service providers about the text of these mandatory contractual clauses. This list of agreements was removed from our Open Book on Supervision. Based on the information given below, all financial institutions and service providers can shape the content of these contractual clauses themselves. We will explain both rights briefly below.
Right to examine
One of the mandatory contractual requirements is the supervisor's right to examine. The supervisor's right to examine has two conditions attached, which are:
(a) allowing full access to all information and functions, as well as to business premises (headquarters and operational centres), including all provisions, systems, networks and data that the service provider uses to deliver the outsourced services (access right);
(b) giving unlimited rights for examination and verification of outsourced services (examination right).
These two conditions must be stated in the mandatory clause in outsourcing contracts. The principle here is that outsourcing of activities may not prevent the supervisory authority from exercising its duties.
Right to audit
In addition to the various means that the financial institution has to verify the internal controls in place at the service provider, there is a mandatory clause pertaining to the financial institution's audit right that must be included in the outsourcing contract.
The financial institution's right to audit has two conditions attached, which are:
(a) allowing full access to all information about outsourced activities and functions, as well as to business premises (headquarters and operational centres), including all provisions, systems, networks and data that the service provider uses to deliver the outsourced services (access right);
(b) giving unlimited rights for examination and verification of outsourced services (audit examination right).
Here too, the actual exercise of the right to audit may not be impeded or limited by contractual stipulations.
Note that this does not mean that actual audits must be performed. Audits must be risk-based and can take various forms. There are also other ways of verifying the internal controls in place at service providers. If financial institutions do not have sufficient audit instruments at their disposal, one or more of the following instruments may be considered.
a) Joint audits organised together with other customers of the same service or cloud services provider.
b) External certifications, or external or internal audit reports, provided by the services provider.
Cloud solutions are technically very complex. The financial institution must verify beforehand whether the auditor performing the audit has the required knowledge and skills to perform audits and/or assessments of cloud solutions in an effective and appropriate manner.
[1] Service provider can also be read as: third party, pensions administrator, asset manager, subcontractor.
[2] The banking sector is taken to include settlement institutions, payment services providers, clearing institutions, electronic money institutions, and banks.
[3] The definition of insurer equals that included in Section 1:6 of the Wft.