AFM Feedback on Outsourcing Reporting for Investment Firms and Managers

Stichting Autoriteit Financiële Markten Chamber of Commerce Amsterdam, no. 41207759 Reference of this letter: Visit address Vijzelgracht 50 Postbus 11723 • 1001 GS Amsterdam Telephone +31 (0)20-7972000 • Fax +31 (0)20-7973800 • www.afm.nl AFM - Confidential Confidential NoSteegG.MGerwin SteegGerwinGnSg-21079756

• Feedback on research Outsourcing reporting Investment firms and Managers Date 21 July 2021 Our reference Page Telephone 1 of 8 E-mail Subject Feedback on research Outsourcing reporting Investment firms and Managers Dear Board of Directors,

1. Introduction Outsourcing of activities is widespread and usually stems from a company's pursuit of more efficient business operations. Outsourcing can, for example, contribute to improving the quality and/or reducing the costs of service provision. However, outsourcing also brings risks.

Between October 2018 and May 2019, the Dutch Authority for the Financial Markets (AFM) conducted the "Chain in View" (Keten in Beeld) research among investment firms, managers of investment institutions, and managers of UCITS (collectively: firms). The aim of this research was, among other things, to gain insight into the activities that firms outsource to service providers.

On 28 November 2019, the AFM shared its insights from the "Chain in View" research with the sector in a letter (reference: WtHg-19086914) (Sector Letter). In the Sector Letter, the AFM provides various tools for assessing which outsourcings concern "critical or important" tasks and thus fall under legal requirements regarding outsourcing. The Sector Letter also provides various points of attention regarding the design of control measures. The AFM expressed the expectation that the insights from the "Chain in View" research would prompt firms to investigate and, if necessary, improve the design of their business operations regarding outsourcing.

Following the "Chain in View" research, on 24 September 2020, the AFM requested firms via an information request (reference: WtHg-20081130) (Information Request) to provide an overview of critical activities that have been outsourced. Firms were also asked to report on the characteristics of specific control measures regarding these outsourcings (Outsourcing Reporting). Through the Outsourcing Reporting, the AFM expects to gain insight into (i) current outsourcing risks, (ii) control measures taken by firms, and (iii) the follow-up given by firms to the points of attention from the Sector Letter. This insight helps the AFM ensure proactive and risk-based supervision of outsourcing.

The purpose of this letter is to (i) share sector-wide insights from the Outsourcing Reporting and (ii) once again highlight the necessity of controlling the risks arising from outsourcing activities. This letter should be read in conjunction with the Sector Letter.

Although this letter is addressed to firms that responded to the Information Request, the AFM expects all investment firms and managers to take note of the content of this letter. The AFM expects firms to use this letter to further investigate and, if necessary, improve the design of their business operations and service provision.

This letter briefly addresses the legal framework and points of attention as outlined in the Sector Letter. This is followed by more general images and developments indicating that controlling outsourcing risks remains of undiminished importance. Subsequently, insights are highlighted demonstrating that in individual cases, legal requirements are still not met and improvement in the control of outsourcing risks is necessary. Finally, the AFM informs you about the next steps it will take in light of the insights gained.

The Information Request can be consulted on the AFM website: https://www.afm.nl/nl-nl/professionals/onderwerpen/uitbesteding-bobi.

Date Our reference Page 21 July 2021 2 of 8

2. Legal Framework & Points of Attention The AFM once again draws firms' attention to relevant legal requirements, including those listed in the overview below.

Type of (Dutch) financial firm	Legal Framework
Investment Firm	Manager of an investment institution
Financial Supervision Act (Wft) 4:16, paragraph 1,3	4:16, paragraph 1-3
Decision on Conduct Supervision of Financial Firms Wft (Bgfo) 37	37
	38
Directive 2011/61/EU (AIFMD Directive) regarding managers of alternative investment funds	20
Delegated Regulation (EU) 231/2013 (AIFMD Regulation) supplementing Directive 2011/61/EU	75-82
Directive 2014/65/EU (MiFID II Directive) concerning markets for financial instruments	16, paragraph 5, first paragraph
Delegated Regulation (EU) 2017/565 (MiFID II Regulation) supplementing Directive 2014/65/EU	29, paragraph 5, and 30-32
Delegated Regulation (EU) 2017/589 (MiFID II Regulation) supplementing Directive 2014/65/EU with organizational requirements for investment firms engaged in algorithmic trading	2, paragraph 3

In addition to the legal framework, the Sector Letter mentions several points of attention that the AFM specifically wishes to bring to attention again:

I. Identifying outsourcing risks: A firm must identify, analyze, monitor, and manage all risks to which it is exposed, including risks arising from outsourcing. A firm assesses outsourcing risks, among other things, with regard to the fact that it remains responsible for outsourced activities. Outsourcing risks are associated with all outsourced activities. It is a misconception that outsourcing only concerns activities performed by external third parties. Activities performed by internal group companies can also fall under outsourcing.

II. Establishing adequate outsourcing policy: Every firm that outsources activities, or intends to do so, must have an adequate outsourcing policy and must evaluate and update this policy periodically. The outsourcing policy describes how a firm exercises due competence, care, and vigilance and ensures that outsourcing does not detract from its legal obligations, including obligations arising from its (specific) license conditions. The outsourcing policy describes the outsourcing risks. The outsourcing policy is approved by the board of directors of the firm.

III. Establishing an adequate selection procedure: A firm remains responsible for all activities it outsources and will not wish to outsource activities to a third party that could damage trust in the firm or in the financial markets. Therefore, a firm will proceed with due competence, care, and diligence in the selection, appointment, and periodic evaluation of a third party. A firm records this in a selection procedure. This procedure will describe, among other things, how a firm investigates a third party to ensure that the quality of activities by a third party is (continuously) performed at the desired level.

IV. Recording rights and obligations in outsourcing agreements: If a firm outsources activities to a third party, the firm ensures that this third party complies with the rules applicable to the firm regarding those activities. To this end, a firm concludes a written agreement with the third party and exercises due competence, diligence, and vigilance in entering into, managing, or terminating the agreement. A firm also keeps track of ongoing outsourcing agreements (and their conditions).

V. Establishing an adequate conflicts of interest policy: A firm must act in the interest of its clients or participants in an investment institution and must avoid weighing conflicting interests. This begins with maintaining an adequate policy to prevent and manage conflicts of interest, including conflicts of interest arising from outsourced activities. When outsourcing, including outsourcing within a group, leads to conflicts of interest, firms must ensure that these conflicts are monitored and managed, and that clients or participants are informed about these conflicts.

VI. Retaining independence: Outsourcing of activities usually stems from a pursuit of more efficient business operations. However, this pursuit is bound by limits. Outsourcing lightens the operational tasks of a firm on the one hand, but on the other hand, it obliges the firm to intensify its control tasks. To remain in control, a firm must possess sufficient independence. Only a firm with sufficient independence can guarantee that it continuously has controlled and honest business operations.

Date Our reference Page 21 July 2021 3 of 8

3. Insights Gained The following insights were obtained based on the Outsourcing Reporting filled in by 313 respondents, including 219 investment firms and 94 managers.

In line with the definitions used in the Sector Letter, the Outsourcing Reporting was analyzed based on inherent risk, concentration risk, and control risk, which together form the outsourcing risk. The insights gained confirm that attention to outsourcing remains of undiminished importance. This is described in paragraphs 3.1 and 3.2. Finally, the AFM sees that improvement is still needed regarding the control of outsourcing risk. This is discussed further in paragraph 3.3.

3.1 Inherent Risk The Outsourcing Reporting shows that 78% of respondents have outsourced one or more critical activities. A significant shift was visible among investment firms. From "Chain in View," it followed that 91% of investment firms had outsourced one or more critical tasks. In the Outsourcing Reporting, this percentage dropped to 71%. As an explanation, some respondents stated that the tools in the Sector Letter led to certain activities no longer being classified as critical or being classified as procurement instead of outsourcing. Among managers, there was an increase. The Outsourcing Reporting shows that over 91% of managers outsourced critical activities (it was 85%).

In total, respondents reported more than 1,120 critical outsourcings with a total annual value of more than 1.5 billion euros. This concerns both outsourcing to a parent, sister, or subsidiary company (Internal Outsourcing) and outsourcing to a party other than in Internal Outsourcing (External Outsourcing). It applies that fewer Internal than External outsourcings were reported, but the counter-value of Internal outsourcings is considerably higher.

A (limited) number of firms report a very high degree of outsourcing (> 75% of operational costs consist of outsourcing costs). With a high degree of outsourcing, a point of attention is to what extent the firm is sufficiently capable of bearing responsibility for business operations as a whole. On the other end of the spectrum, it was established that particularly relatively small investment firms outsource limitedly or not at all. In these cases, a point of attention is how parties, for example, control the quality and costs of their service provision without using the services of specialized third parties. Although a very high degree of outsourcing or not outsourcing at all does not necessarily relate to the control of outsourcing risks, this gives the AFM reason to further investigate what impact this has on the business operations of firms.

Date Our reference Page 21 July 2021 4 of 8

3.2 Concentration Risk It still applies that a relatively small group of service providers is mentioned by a large number of firms regarding the same type of activities. This applies particularly to activities in the field of Compliance, Internal Control, and Risk, and to a lesser extent also to activities in the field of Administration and IT. It applies that more than half of the respondents state that one or more outsourcings concern Compliance, Internal Control, and Risk. Regarding outsourcings concerning activities in the field of Administration and IT, this is 67%.

In the geographical distribution of the service providers to whom outsourcing occurs, a number of (small) shifts have been observed. The relative importance of outsourcing to Dutch service providers has dropped to 63% (it was over 75%). This development underscores the international character of the sector and the associated outsourcing risks. Based on the Outsourcing Reporting, it further appears that outsourcing to the United Kingdom (UK) accounts for 12% (it was 7%). Thus, the number of outsourcings to the UK is approximately equal to the total outsourcings within Europe. After the UK, the most outsourcings are with service providers in the United States (9%). Consequently, the AFM remains actively involved in initiatives regarding supervisory convergence and international cooperation in the field of controlling outsourcing risks.

3.3 Control Risk Although there are still firms that outsource but have no policy, we see a significant sector-wide decrease in the number of firms stating they have no outsourcing policy. The Outsourcing Reporting shows that 4% (it was 33%) state they have no outsourcing policy but do outsource. However, more than 18% of respondents state they have a policy but do not conduct research (due diligence) prior to entering into the outsourcing agreement. Almost 25% of investment firms state they do not conduct this research. The Sector Letter also indicated that 46% of respondents stated that no (frequent) monitoring of service quality took place. We see improvement among managers, but it still applies that 46% of investment firms do not apply quality monitoring.

Approximately half of the respondents stated they have quality monitoring procedures, with the caveat that they do not actually monitor quality in all outsourcings. It is stated that in Internal Outsourcing, actual quality monitoring is often omitted. The AFM emphasizes that controlling outsourcing risks, regardless of whether Internal or External outsourcing is involved, is of great importance. The legal requirements also apply to both Internal and External outsourcings.

The AFM notes that the points of attention mentioned in the Sector Letter are still not adequately translated into policy or control measures by all firms. The AFM expects firms to comply with the outsourcing rules and that the depth of the control measures grows with the complexity of a firm and the degree of outsourcing. To that end, every firm must assess which activities, performed by a third party, formally fall under outsourcing.

Date Our reference Page 21 July 2021 5 of 8

4. Outlook The AFM expects you to use the points of attention provided to further investigate the design of your organization and – if necessary – improve it. In this context, the AFM once again draws attention to the points of attention mentioned above and in the Sector Letter, as well as the legal framework.

The AFM observes in supervisory practice that, in light of the corona pandemic, for example through complete remote working, dependence on third parties is increasing. Furthermore, we see that the consequences of the corona pandemic place many demands on organizations and their employees to ensure that the continuity and quality of activities are not or as little as possible put at risk. Increasing dependence and challenging circumstances underscore the importance of adequate control of outsourcing risks, such as good due diligence and quality monitoring.

The insights gained help the AFM give shape to its risk-based supervision. Based on the insights, the AFM will conduct further research into individual firms regarding the control of outsourcing risks. The AFM anticipates taking into account the degree to which firms outsource activities, because differences in the degree of outsourcing lead to differences in the challenges firms face.

In addition to insights regarding the control of outsourcing risks, the Outsourcing Reporting also provides the AFM with some insights regarding business operations in general. Where the results of the Outsourcing Reporting raise questions about business operations in general, the AFM will also conduct further individual research. This may be the case, for example, if no outsourcing occurs at all, or in the case where almost all activities are outsourced.

The AFM also requests attention for the reporting procedure regarding outsourcing. When you begin to outsource certain activities, you may need to report this to the AFM in advance. A report of an (planned) outsourcing provides the AFM with a current overview of the activities being outsourced.

With this overview, the AFM can ensure proactive and risk-based supervision of outsourcing. The reporting form and the manual are available on the AFM website.

In addition to translating into individual supervision of firms, the AFM will also focus on controlling the risks of the sector as a whole based on the insights. The AFM wishes to further sharpen its insight into service providers important to the sector. Due to the international character of these service providers and the sector, the AFM favors further supervisory convergence, harmonization, and international cooperation in the field of controlling outsourcing risks. It addresses the subject internationally and actively seeks cooperation with other regulators.

If you have questions in light of this letter, you can contact the Entrepreneur Service Desk. The Entrepreneur Service Desk is available by telephone on working days from 10:00 – 17:00, via telephone number 0800 – 6800 680 (free) or by e-mail: ondernemersloket@afm.nl.

Sincerely, Authority for the Financial Markets