2021-12-21

Guidance on Outsourcing

Finanstilsynet issued this guidance to regulate outsourcing practices for all supervised entities, clarifying definitions, restrictions on core tasks, and risk management requirements. The document mandates that companies retain full responsibility for outsourced activities and conduct thorough pre-outsourcing risk assessments and vendor evaluations. It also details notification obligations under the Financial Supervision Act Section 4c and establishes that outsourcing must be anchored in the company's internal control and governance systems.


Guidance on Outsourcing

Circular: 7/2021
Date: 21.12.2021
The circular applies to: All entities under supervision

FINANSTILSYNET, Postboks 1187 Sentrum, 0107 Oslo


Contents

  1. Introduction
  2. Assessments to be carried out before outsourcing
  3. On outsourcing
  4. Limitations on which tasks can be outsourced
     4.1 Scope
     4.2 Nature
         4.2.1 Core tasks
         4.2.2 Control functions and control tasks belonging to such functions
         4.2.3 Tasks under the Money Laundering Act
     4.3 Information handling
  5. Assessment of the contractor
  6. The outsourcing agreement
  7. Financial Supervision Act § 4c
     7.1 Overall overview of outsourcing agreements
     7.2 Notification obligation under the Financial Supervision Act § 4c
         7.2.1 Outsourcing agreements concerning tasks related to control functions
         7.2.2 ICT activities
         7.2.3 Certain outsourcing agreements in insurance companies
         7.2.4 Changes in outsourcing agreements
     7.3 Further details on notifications under the Financial Supervision Act § 4c and Finanstilsynet's processing
     7.4 Entities exempt from the notification obligation under the Financial Supervision Act § 4c
     7.5 Finanstilsynet's authority regarding outsourcing
  8. Risk management and internal control
     8.1 Responsibility of the board and senior management
     8.2 Guidelines and procedures for outsourcing
     8.3 The entity's own capacity and competence
     8.4 The entity's contingency plans


1 Introduction

Nearly all entities under the supervision of Finanstilsynet have entered into agreements involving the outsourcing of parts of their operations. This circular provides guidance on what constitutes outsourcing, limitations on the ability to outsource, and how supervised entities must identify, assess, and handle the risks associated with outsourcing. The circular also discusses the Financial Supervision Act § 4c regarding outsourcing and the notification obligation to Finanstilsynet.

The entity's responsibility towards customers, public authorities, and others does not change as a result of the outsourcing. The responsibility remains with the entity, regardless of what follows from the agreement between the entity and the party undertaking to perform the task (the "contractor").

The various topics in the circular are discussed at a high level. Sector-specific regulations may provide more detailed rules and impose duties beyond what is discussed in the circular. Finanstilsynet assumes that all entities have good knowledge of the requirements following from the relevant sector-specific regulations.

The European supervisory authorities EBA, EIOPA, and ESMA have established guidelines concerning outsourcing.¹ Finanstilsynet assumes that entities have good knowledge of the requirements following from the guidelines applicable to them, and of Finanstilsynet's supervisory work directed at the relevant sector. In the administration of the relevant sector-specific regulations, Finanstilsynet will also place weight on guidelines established by other EU bodies and international organizations.

This circular replaces Finanstilsynet's previous guidance on outsourcing in circular 3/2020. The guidance has been amended as a result of a new regulation on exemptions from the notification obligation for outsourcing of business (the notification regulation supplementing entities' duties under the Financial Supervision Act § 4c). The new regulation enters into force on January 1, 2022, and changes, among other things, which outsourcing agreements must be notified, what the notifications must contain, and which entities are exempt from the notification obligation. For entities that did not previously have a notification obligation under the Financial Supervision Act and its regulations, the notification obligation applies to agreements entered into after the regulation came into force. The regulation further clarifies the duty of all entities under supervision to keep an updated overview of all outsourcing agreements, regardless of when the agreements were entered into. The regulation replaces the previous notification regulation.²

  1. EBA (the European Banking Authority): https://www.finanstilsynet.no/regelverk/eba-retningslinjer/eba-retningslinjer/
     EIOPA (the European Insurance and Occupational Pensions Authority): https://www.finanstilsynet.no/regelverk/eiopa-retningslinjer/eiopa-retningslinjer/
     ESMA (the European Securities and Markets Authority): https://www.finanstilsynet.no/regelverk/esma-retningslinjer/esma-retningslinjer/
  2. Regulation of June 5, 2015 No. 613 on exemptions from the notification obligation for outsourcing, which is repealed: https://lovdata.no/forskrift/2015-06-05-613


2 Assessments to be carried out before outsourcing

Before an outsourcing agreement is entered into, the entity must assess whether there are limitations on the ability to outsource the relevant tasks, see section 4.

The entity must also assess what risks the outsourcing of the individual tasks will entail for the entity's business. This applies even if outsourcing is a measure to reduce the entity's risk. The assessment must include:

  • a specification of the various risks,
  • the probability of the relevant events occurring, and
  • what consequences this could have for the entity's business.

The entity's assessment must also include the possibility of terminating the agreement without causing significant disruptions to the business, and in a manner that ensures compliance with legal requirements and obligations towards customers. In this regard, the following options must be assessed:

  • moving outsourced functions and data to alternative providers
  • taking the task back into the entity, including access to capacity and competence
  • any other measures that ensure continuous delivery of business that is outsourced

If the same contractor performs many tasks on behalf of the entity, the entity's assessment must include the vulnerabilities this concentration creates. The entity must ensure that it has a legal right to terminate the agreement.

Based on the risk assessment, the entity must decide on and implement risk-reducing measures. A prudent assessment of the contractor and the content of the outsourcing agreement are important risk-reducing measures. This is discussed further in sections 5 and 6.

The entity must ensure that the notification obligation to Finanstilsynet under the Financial Supervision Act § 4c and sector-specific regulations is complied with, see section 7.

Outsourcing and notification obligations must be anchored in and followed up through the entity's established governance and control systems, see section 8 on handling risks related to outsourcing.

The scope of risk assessments and risk-reducing measures will vary depending on the nature, scope, and complexity of the entity's business, and the significance of the outsourced tasks for the entity's business. The risk assessments must be documented.


3 On outsourcing

Outsourcing occurs when an entity chooses to have another legal entity (the contractor) perform tasks on behalf of the entity. This also applies when the entity is in the same group or group-like structure as the contractor. Group-like structures refer, for example, to groups mentioned in the Financial Undertakings Act § 1-4 second paragraph, audit networks, and franchise agreements that involve the franchisee outsourcing tasks to the franchisor.

How important the task(s) are for the entity's business or the scope of the task(s) is not relevant for whether an agreement constitutes outsourcing, but it may be relevant for which rules apply. For example, there may be rules that limit the ability to outsource, impose requirements on what the entity must specifically assess, and specify whether entering into the agreement triggers a notification obligation to Finanstilsynet. Guidelines established by the EU may also define what is considered outsourcing.

Below are examples of what constitutes outsourcing and what does not, based on questions Finanstilsynet has received. The examples must be viewed in conjunction with the limitations on outsourcing discussed in section 4.

a) ICT activities

  • Purchase of software that is installed on the entity's own server and operated by the entity itself does not constitute outsourcing of ICT activities. When using such software, the entity operates, processes, and stores its own data.
  • If the entity has software on its own server but outsources the operation of the server to a contractor, this constitutes outsourcing of ICT activities.
  • An agreement on the right to use software, platform, and/or infrastructure (ICT systems and services) that is operated by the contractor on the contractor's servers is considered outsourcing of the entity's ICT activities. Examples include:
    a. IaaS (Infrastructure as a Service)
    b. PaaS (Platform as a Service)
    c. SaaS (Software as a Service)
    Using IaaS, PaaS, or SaaS means that the entity also outsources the operation, processing, and/or storage of data registered in connection with the use of such software and services.

b) Receipt of customer funds

An agreement where the entity instructs a contractor to receive customer funds on the entity's behalf is an outsourcing agreement. A depositary holding funds on behalf of funds and fund managers is not outsourcing.

c) Marketing and sales

  • A bank using loan agents as part of the marketing or sale of loans has outsourced business to the agent. The same applies when an insurance company uses insurance agents.
  • Loans concluded between a bank and a customer because the customer has used a financial broker (intermediary) do not constitute outsourcing from the bank to the financial broker. The same applies to an insurance agreement between an insurance company and a customer that has been concluded through an insurance brokerage company.
  • Loans concluded with an entity because the customer has been in contact with a financial advisor do not constitute outsourcing from the entity to the financial advisor.
  • An alternative investment fund manager using contractors to market alternative investment funds has outsourced the marketing.
  • An entity's purchase of services related to the planning of sales campaigns is not outsourcing.


d) Internal audit

An agreement that a contractor should handle all or part of the entity's internal audit is outsourcing. Purchase of certain services to illuminate or confirm specific questions is not outsourcing.

e) Handling of individual tasks/relationship with customers

  • It is outsourcing when a debt collection company uses a contractor to follow up debtors by phone in connection with debt recovery.
  • It is outsourcing when an insurance company uses a contractor to conduct damage settlements. An agreement to purchase handyman services for damage repair is not outsourcing.
  • It is outsourcing if an audit firm uses a contractor for tasks necessary to comply with the requirements of the Auditors Act or audit standards for audit execution. This applies, for example, to preparation of analyses, consultations, stocktaking, obtaining bank letters, and other external confirmations, or potential task control before signing the audit report, etc. The same applies to accounting firms.

f) Use of a contractor for the execution of the following administrative or operational tasks is outsourcing:

  • Use of an external accountant for all or part of the accounting.
  • Use of a contractor for debt collection.
  • Use of a contractor for the production and sending of invoices.
  • Use of a contractor for receiving and processing customer inquiries, for example a call center.
  • Use of a contractor for sending information to the entity's customers or debtors.

g) Purchase of the following services is not outsourcing:

  • Banks' use of security companies for physical transport of money to and from the bank or the bank's representatives.
  • Use of general risk assessments, standard guidelines, etc. prepared by industry associations or other actors.
  • Purchase of caretaker, cleaning, and cafeteria services.

h) Legal services, etc.

Purchase of legal services in connection with dispute resolution and general legal advice is not outsourcing. The same applies to the use of auditors or others to investigate a specific matter in the entity's business.


i) Use of temporary workers

An agreement with a temporary staffing agency that it should make one or more persons available temporarily to fill specific positions in the entity is not outsourcing. The same applies to other temporary hiring of persons to perform tasks normally done by the entity's employees. The right to hire labor may be limited within the various supervisory areas and must be done in accordance with the Working Environment Act.

Even where an agreement regulates the purchase of service(s) or hiring of labor, the entity must handle the risks prudently. This means among other things that the risks must be identified, assessed, and controlled. Both the choice of contracting party and the content of the agreement will be of significance for the risk. The guidance in sections 5 and 6 will therefore also be relevant for these cases.

4 Limitations on which tasks can be outsourced

The entity must itself set strategies and overarching guidelines for risk management and internal control, including the entity's risk profile and risk limits (where the latter is relevant), see section 8.1.

The entity may only outsource business if it is considered prudent. This presupposes among other things that the contractor has the competence and resources required for the task, see section 5. The entity must itself have the capacity and competence to ensure necessary governance and control of outsourced business, see section 8.3. In addition, the entity must ensure that Finanstilsynet can supervise outsourced business.

Even if a task cannot be outsourced, the entity can normally outsource ICT activities that support the execution of the relevant task. The use of ICT solutions is regulated by the ICT Regulation, which also contains provisions on outsourcing.³

4.1 Scope

Limitations related to the scope of outsourcing may follow directly from legislation, for example as in the Financial Undertakings Act. Limitations may also follow from Finanstilsynet's practice.

The starting point is that entities conducting licensed business must themselves provide the services requiring a license. Entities cannot outsource tasks to such an extent that the entity itself does not have sufficient resources to follow up and potentially terminate outsourcing agreements, and ensure continuity if the tasks must be taken back, see section 8.3.

An entity may in any case not outsource licensed business to such an extent that the entity appears as a "shell company." How much of the business can be outsourced depends on a concrete assessment.

  3. Regulation on the use of information and communication technology: https://lovdata.no/forskrift/2003-05-21-630


4.2 Nature

A task may be of such significance to the operational business that outsourcing, after a total assessment, cannot be considered prudent. This must be assessed concretely, and the requirements for the entity's assessments become stricter the greater the significance the outsourced tasks have for the entity's business. Sector-specific regulations may have different regulation of which tasks can be outsourced.

4.2.1 Core tasks

Financial undertakings cannot outsource core tasks. In insurance companies, setting frameworks to manage the company's insurance risk is a core task. This includes among other things the frameworks for insurance products and types of insurance risk, and setting premium levels and quantitative limits for the underwriting of insurance risk. Outsourcing of tasks that give the contractor powers related to the design and/or pricing of insurance products or powers to exercise discretion in accepting risk on behalf of the insurance company may be considered outsourcing of core tasks. A bank cannot outsource interest rate setting or the setting of the basis for granting credit. Otherwise, it depends on a concrete assessment what is considered core tasks.

For pension funds, the Insurance Business Act § 2-3 grants wider opportunities for outsourcing than what applies to financial undertakings in general.

Financial undertakings cannot outsource credit assessments and credit decisions. This is, however, not a hindrance to obtaining credit information from external sources or using externally developed systems for credit analysis. The central point is that the financial undertaking itself must have the competence to understand the risk and to make the credit assessment and the final credit decision.

4.2.2 Control functions and control tasks belonging to such functions

The internal audit function can be outsourced, but not to the entity's chosen auditor. The control functions responsible for risk management and compliance are central to the entities' business governance. The same applies to the actuarial function in insurance companies. It is important that the execution of tasks belonging to these functions is closely integrated into the entity's system for governance and control. Both the type of control tasks outsourced and the scope of outsourced tasks will be decisive in a concrete assessment of whether the tasks are collectively handled in a prudent manner. Even if the entity outsources control tasks belonging to a control function, an employee in the entity must still be appointed as responsible for the function. This person must follow up the contractor and ensure that the tasks are performed in accordance with the contract. For banks, this is discussed in EBA's "Guidelines on internal governance" (GL2021/05) point 170⁴ and for insurance companies in EIOPA's "Guidelines on system of governance" (EIOPA-BoS-14/253) Guideline 14, point 1.4⁵. For securities firms, outsourcing of control tasks is discussed further in Finanstilsynet's circular 5/2015.⁶

  4. EBA/GL/2021/05: Draft Guidelines on internal governance under Directive 2013/36/EU
  5. https://www.eiopa.europa.eu/content/guidelines-system-governance_en
  6. https://www.finanstilsynet.no/nyhetsarkiv/rundskriv/2015/kontrollfunksjonen-compliancefunksjonen-i-verdipapirforetak/


For smaller entities, outsourcing of control tasks may be necessary to achieve sufficient independence from the operational business. For example, a sole practitioner auditor must outsource the cyclical controls that are part of the quality management system or mandatory task control before signing the audit report where this is relevant. If there is no one other than the managing director who can handle the control function, the contractor must also report to the board, in addition to reporting to the managing director as responsible for the control function.

4.2.3 Tasks under the Money Laundering Act

Customer due diligence under the Money Laundering Act can be outsourced within the scope permitted by the Money Laundering Act § 23. Outsourcing of tasks under the Money Laundering Act is discussed in Finanstilsynet's general guidance to the Money Laundering Act in circular 8/2019⁷ and, for the respective sectors, in the circulars on real estate brokerage (11/2019)⁸, auditing (14/2019)⁹ and accounting (15/2019)¹⁰.

  7. https://www.finanstilsynet.no/nyhetsarkiv/rundskriv/2019/veileder-til-hvitvaskingsloven/
  8. https://www.finanstilsynet.no/nyhetsarkiv/rundskriv/2019/Veiledning-til-etterlevelse-av-hvitvaskingsregelverket-i-eiendomsmeglingsvirksomhet/
  9. https://www.finanstilsynet.no/nyhetsarkiv/rundskriv/2019/veiledning-om-revisorers-og-revisjonsselskapers-etterlevelse-av-hvitvaskingsregelverket/
  10. https://www.finanstilsynet.no/nyhetsarkiv/rundskriv/2019/veiledning-om-regnskapsforeres-og-regnskapsforerselskapers-etterlevelse-av-hvitvaskingsregelverket/

4.3 Information handling

Statutory confidentiality obligations or duties related to information handling are normally not a hindrance for the entity to outsource tasks that involve the contractor gaining access to such information. See further in Finanstilsynet's guidance on confidentiality (circular 3/2019).¹¹ The entity has a duty to implement risk-reducing measures that prevent information from being leaked or misused, for example by using confidentiality agreements. Special requirements for protecting information may follow from other regulations, for example requirements for a data processing agreement. The entity's assessment of the contractor and the regulation and follow-up of information handling in the agreement are important contributions to preventing information from being leaked, cf. respectively sections 5 and 6.

  11. https://www.finanstilsynet.no/nyhetsarkiv/rundskriv/2019/veiledning-om-taushetsplikt/

5 Assessment of the contractor

Before any potential outsourcing, the entity must assess the contractor and also sub-contractor(s) where this is relevant. The following matters may be of significance:

  a) Does the contractor have the necessary permission where this is required?
  b) Is there a relationship between the contractor and the entity that may give rise to conflicts of interest?
  c) Does the contractor have sufficient capacity, competence, and experience to perform the tasks in a prudent manner within the legislation applicable to the outsourcing entity? This also applies to tasks that the entity's own contingency plans assume will be handled by the contractor, and tasks that the contractor must perform if crisis solutions have to be implemented.
  d) Does the contractor have a satisfactory system for risk management and internal control?
  e) Is the contractor certified, and what controls lie behind the current certification?
  f) Does the contractor have sufficient financial strength to handle problems that might arise in the contractor's business?
  g) Where is the contractor located, and where will the tasks be performed? This may be of significance for, among other things:
     • the risk that personal data and other confidential information is misused or leaked
     • which legislation and which control and enforcement regime applies to the contractor and the contractor's business
     • the entity's and Finanstilsynet's opportunity to conduct physical control
  h) Does the contractor have a good reputation?
  i) Does the entity have ownership control or other overarching governance rights over the contractor that give the opportunity to influence the contractor's behavior beyond what follows from the agreement?
  j) Does the entity's board have a real opportunity to fulfill its responsibility for prudent business operations when outsourcing to the parent company, entities with the same owner, or similar?
  k) Does the contractor follow principles of good corporate governance, and does the contractor act in a manner consistent with the entity's values and ethical guidelines?

Assessment criteria may, for example, be the contractor's relationship to international standards for human rights and the UN's sustainable development goals, such as working conditions, environmental protection, etc.

Which more detailed investigations the entity should conduct of the contractor, and sub-contractors where this is relevant, depends on the agreement's significance for the entity's business and reputation. The requirements for the entity's assessments of the contractor and any sub-contractors become stricter if the outsourced tasks are business-critical or otherwise
