The new FINMA circular 18/3 on Outsourcing

Jens Probst Partner Digital Assurance FS, PwC Switzerland 11 Jan 2018

Changes and implications


FINMA has revised its circular 08/7 on Outsourcing for Banks and replaced it with the new version FINMA circular 18/3 Outsourcing for Banks and Insurance companies. Obviously, one of the main changes is the new applicability of the circular for insurance companies.

A draft version has been published by end of 2016. During the hearing period many banks, insurance companies and other stakeholders handed in their opinion and provided feedback to FINMA. FINMA has acknowledged relevance of many of these feedbacks and implemented some changes to the discussed topics. Main discussion points were the definition of materiality, conditions for outsourcing abroad, conditions for group-internal sourcings, specific requirements for system-relevant banks, outsourcing of compliance and risk functions, and transition time for existing outsourcing agreements.

Enactment date of the new circular is 1.4.2018. For existing outsourcings there is a transition period of five years, however, for new outsourcings the new circular will be immediately relevant.


The new circular does no longer consist of nine principles, but newly consists of eight main requirements. Some of these requirements match with old principles, others are new whilst some of the old principles have been omitted. The mapping table below provides a comprehensive overview of the principles:

FINMA circ. 08/7 principles FINMA circ. 18/3 requirements
1) Determination of the business area to be outsourced  -
 - A) Inventory of outsourced services
2) Selection, instruction and control of service provider B) Selection, instruction and control of service provider
 - C) Group-internal Sorucing
3) Responsibility D) Responsibility
4) Security E) Security
5) Business and banking secrecy  -
6) Informing customers  - 
7) Audit and supervision F) Audit and supervision
8) Outsourcing abroad G) Outsourcing abroad
9) Contract H) Contract

Main changes to old version

There are multiple changes compared to the old version 08/7. Below, we summarise these changes:

  • The new circular is applicable for banks AND insurance companies.
  • The definition of materiality is more principle-based, there are no longer any examples within the circular.
  • The differentiation for group-internal outsourcing agreements is still included but is more principle-based in the new version. Financial institutions need to decide based on risks, whether certain requirements can be omitted or eased.
  • The principles regarding data protection and client orientation have been omitted. FINMA points out that relevant regulation is already given by data protection law and Appendix 3 of FINMA circular 08/21 (Handling of electronic Client Identifying Data [CID]). – Therefore, Data Protection law and requirements from Banking Secrecy remain relevant.
  • Financial institutions need to keep an inventory about all outsourced functions and services. The inventory needs to include sub-outsourcings, CID relevance and the responsible person for governance of the agreement at the financial institution.
  • The new circular provides guidance on whether it is allowed to outsource risk and compliance functions and tasks.

Main questions and how PwC can help

Obviously, there are material changes with the new version of the circular on outsourcing. There are important strategic decisions on which we may help you and your organisation.

Besides helping you to set up new outsourcing agreements and making your existing outsourcing agreements compliant, there are strategic decisions to be taken, like:

  • Can we source services from abroad and under what conditions? What requirements from Data Protection Law and other FINMA circulars need to be kept in mind?
  • Can we use cloud services for sourcing?
  • Are we allowed to have CID abroad or in the cloud and under what conditions?
  • What do we need to do in order to have our group-internal sourcing agreements be compliant?
  • Under what conditions are we able to outsource risk and compliance functions?
  • How can we protect our company from cyber risks and data stealing in a sourcing environment?
  • How can we accurately govern our suppliers?

Please contact our experts. We can advise you on your strategic decisions in the area of outsourcing and help you to make use of latest technology. Furthermore, we help you to set up audit-proven solutions for your sourcing agreements.

  • Lorem ipsum dolor sit amet, an vix prima deseruisse, per te aeque virtute. Ius ea offendit platonem deterruisset.
  • Lorem ipsum dolor sit amet, an vix prima deseruisse, per te aeque virtute. Ius ea offendit platonem deterruisset.
  • Lorem ipsum dolor sit amet, an vix prima deseruisse, per te aeque virtute. Ius ea offendit platonem deterruisset.

Share this post:      


Jens Probst

Partner Digital Assurance FS, Zürich, PwC Switzerland

+41 79 372 57 88


Michèle Hess

Partner, Regulatory & Compliance Services, Zurich, PwC Switzerland


Yan Borboën

Partner Digital Assurance and Cybersecurity & Privacy, PwC Switzerland

+41 58 792 84 59


Ralf Hofstetter

Director for Trust & Transparency Solutions, PwC Switzerland

+41 58 792 5625