In brief
The Belgian Financial Services and Markets Authority (FSMA) has developed a new handbook on outsourcing.
The handbook applies to UCITS management companies, alternative investment fund managers (AIFMs) and portfolio management and investment advice companies (collectively, “In-Scope Entities“). It sets out several principles of sound management for the outsourcing of functions.
The handbook repeals and replaces the old Circular PPB 2004/5 of the former Banking, Financial and Insurance Commission (CBFA) dated 22 June 2004 on sound management practices in outsourcing by credit institutions and investment firms.
While the new rules are not revolutionary, they are more extensive than before. In-Scope Entities may need to bring their current outsourcing arrangements, policies and practices in line with the handbook by June 2024 at the latest.
Contents
- Key takeaways
- Dos and don’ts to consider
- Do consider the proportionality principle
- Do distinguish between critical or important functions and other functions
- Do not create letterbox or empty shell constructions
- Do apply the rules in an intra-group context as well
- Do review your outsourcing policy and procedures against the new handbook
- Do not forget to establish an outsourcing register
- Do consider the FSMA’s checklist when drafting outsourcing agreements
- Do not forget to notify the FSMA when outsourcing critical or important functions
- How to prepare
- Dos and don’ts to consider
Key takeaways
This regulatory briefing provides some dos and don’ts for Belgian AIFMs, UCITS management companies and portfolio management and investment advice companies to consider, such as in relation to the proportionality principle, intra-group outsourcing, the drafting of outsourcing agreements and the outsourcing register.
Dos and don’ts to consider
Do consider the proportionality principle
The organization of an In-Scope Entity must be proportionate to the scope, nature, scale and complexity of its activities. Accordingly, all principles established in the outsourcing handbook must also be interpreted and applied proportionately.
This means that In-Scope Entities must consider the complexity of their outsourced functions, the risks arising from their outsourcing arrangements, the significant or critical nature of their outsourced function, and the potential impact of outsourcing on their ongoing activities.
This principle does not mean that In-Scope Entities can be exempted from certain requirements. Rather, it means that the way in which In-Scope Entities should comply with these requirements must be appropriate to their structure and activities.
By way of example, In-Scope Entities whose structure, activities and/or outsourced functions are less complex could also have less complex outsourcing policies, procedures and internal control mechanisms in place. In-Scope Entities wishing to rely on the proportionality principle must document their analysis by way of a “comply or explain” mechanism.
Do distinguish between critical or important functions and other functions
While the FSMA’s handbook applies to the outsourcing of all functions, particular attention must be paid to the outsourcing of functions that are critical or important.
In-Scope Entities must determine for themselves which functions are critical or important. In doing so, they must determine whether that function is essential to their operations.
The FSMA considers that at least the following functions are critical or important:
- Portfolio management of (alternative) investment funds.
- Investment services.
- Independent control functions (risk, compliance, internal audit).
When outsourcing critical or important functions, more stringent rules apply. In-Scope Entities must take more appropriate measures to evaluate the potential risks and impact that the disruption of an outsourced critical or important function may have on their operations, financial solidity, reputation, etc. In-Scope Entities must also consider the extent to which it is possible to transfer the proposed outsourcing arrangement to another service provider or to reintegrate the outsourcing arrangement in-house if necessary or preferred. The necessary contractual arrangements must be put in place to facilitate this.
From time to time, In-Scope Entities must reassess the qualification of each outsourced service to determine whether they (still) qualify as critical or important, and this analysis must be documented.
Do not create letterbox or empty shell constructions
The FSMA reiterates that In-Scope Entities must always retain sufficient substance and not become an “empty shell” or a “letterbox company.” Outsourcing too many (critical or important) functions may lead the regulator to conclude that the In-Scope Entity lacks the required substance to obtain authorization or remain authorized.
Remember that for AIFMs and UCITS management companies, it is not possible to completely delegate both portfolio management and risk management simultaneously. They must choose one or the other, and the third-party service provider must be appropriately licensed or authorized to carry out asset management functions.
Do apply the rules in an intra-group context as well
Intra-group outsourcing is subject to the same regulatory framework and conditions as outsourcing to external service providers outside the group.
When outsourcing to an intra-group entity, the In-Scope Entity must ensure that the decision is based on objective reasons, and parties must ensure that the service provider is remunerated at arm’s-length.
Do review your outsourcing policy and procedures against the new handbook
The FSMA’s handbook contains extensive guidance on sound management principles in relation to outsourcing. In-Scope Entities should check whether their outsourcing policies and procedures need to be updated or amended as a result.
Among others, the handbook provides for in-depth guidance regarding In-Scope Entities’ risk management framework in relation to outsourcing, rules on responsibilities, the scope and content of outsourcing policies, the outsourcing register that needs to be established, conflicts of interest, business continuity plans and internal audit procedures.
The handbook also extensively describes the rules that apply to the entire outsourcing process, ranging from the decision to outsource, to the outsourcing agreement, the supervision of outsourced functions, exit strategies and notification procedures with the FSMA.
In-Scope Entities may wish to check whether their existing outsourcing frameworks, policies and procedures are fully in line with the new guidance of the FSMA. Entities that wish to apply for authorization with the FSMA as an In-Scope Entity (e.g., as an AIFM) will need to take the new guidance into account as well.
Do not forget to establish an outsourcing register
In-Scope Entities must keep a register containing information on all outsourcing operations, thereby distinguishing between outsourcing of critical or important functions and outsourcing of other functions.
The FSMA handbook contains an exhaustive list of elements that need to be included in the register. For example, the register must contain the identification details of the service provider, a description of the outsourced services, whether the services are critical or important, a summary of the service provider’s replaceability, the applicable law and competent forum under the outsourcing agreement, names of sub-delegates, the dates of most recent or planned audits, etc.
While keeping track of outsourced functions was already considered a best practice before, this is now being formalized in more detail in the FSMA’s handbook. This registration requirement comes on top of the required reporting on cooperation with critical service providers that must be made under FSMA circular 2019_19 on the report of effective management on internal control.
In-Scope Entities must be able to make the complete register, or specified parts of it, available in computer-readable form to the FSMA at its first request.
Do consider the FSMA’s checklist when drafting outsourcing agreements
When outsourcing functions, In-Scope Entities must conclude a written agreement with their third-party service provider. The FSMA’s handbook prescribes a series of minimum clauses that must be included in the written arrangements. Some key clauses that must be included are the following:
- A clear description of the outsourced services.
- The conditions under which the service provider may sub-delegate the outsourced services.
- The agreed service levels (key performance indicators).
- The obligation for the service provider to notify any developments that may materially impair its ability to properly carry out the services.
- The obligation for the service provider to implement and test business continuity plans.
- The obligation for the service provider to cooperate with the FSMA and answer any of its questions.
- The unlimited right of the In-Scope Entity to carry out inspections or audit the service provider, especially in case of outsourcing critical or important functions.
- Appropriate termination clauses.
In-Scope Entities must ensure that their written outsourcing arrangements contain all the required clauses listed in the FSMA’s handbook. Existing arrangements may need to be reviewed and amended based on the list.
Do not forget to notify the FSMA when outsourcing critical or important functions
In principle, outsourcing does not require the FSMA’s prior approval. However, when outsourcing critical or important functions, In-Scope Entities must inform the FSMA in advance of how the principles set out in the handbook will be applied. The notification must be made prior to entering into the outsourcing agreement. The same duty to inform also applies to any subsequent major developments concerning critical or important outsourced functions.
How to prepare
In-Scope Entities will need to verify whether their existing outsourcing policies, procedures and arrangements fully comply with the FSMA’s new guidance by conducting a gap analysis. Entities seeking to obtain authorization as an In-Scope Entity will equally need to take the new handbook into account as part of their licensing process.
The FSMA’s handbook does not apply to sub-threshold AIFMs, as the FSMA has, strictly speaking, no legal basis to impose these measures upon sub-threshold AIFMs.
The new rules must be implemented by 30 June 2024 at the latest.