2024-09-27

AFM Recommendations on Outsourcing Monitoring in Asset Management

The Dutch Authority for the Financial Markets (AFM) issued recommendations in September 2024 following an investigation into outsourcing monitoring practices within the asset management sector. The regulator identified critical deficiencies in how firms qualify outsourcing arrangements, design control measures, and consistently monitor risks, particularly regarding intra-group services and ICT components. Firms are required to implement robust, risk-based approaches to ensure effective ongoing oversight and compliance with existing legal frameworks, including the upcoming Digital Operational Resilience Act (DORA).


Netherlands

Autoriteit Financiele Markten


SUPERVISION REPORT

SEPTEMBER 2024 AFM shares recommendations on outsourcing monitoring

In short

The Dutch Authority for the Financial Markets (AFM) has conducted research in the asset management sector and concludes that monitoring of outsourcing can be improved in several areas. The AFM provides recommendations regarding the qualification, design, monitoring activities themselves, and monitoring in the case of outsourcing within a group and ICT outsourcing. The AFM expects companies to incorporate the recommendations in this report into the ongoing control of outsourcing.

Management Summary

Administrators and investment firms are outsourcing an increasing amount of their activities. Outsourcing can contribute to the efficiency and quality of business operations, but also brings risks with it.

The Dutch Authority for the Financial Markets (AFM) has therefore conducted investigations in recent years among investment firms, administrators of investment institutions, and administrators of UCITS regarding outsourcing in the asset management sector in a broad sense. The AFM has thereby gained a picture of the material activities carried out by third parties and the control measures companies take in this regard ('Chain in View').

In 2023, the AFM started a new investigation into outsourcing. The goal of the investigation was to determine to what extent investment firms, administrators of investment institutions, and administrators of UCITS give effect to the applicable laws and regulations regarding the ongoing control of outsourcing risks. This report contains feedback on the findings of the investigation and provides recommendations regarding the control of outsourcing risks.

The investigation focused on the ongoing control of outsourcing risks. This control takes place mainly during the monitoring of existing outsourcing relationships, but begins earlier in the process. Essential for the control is the qualification of the outsourcing and the design of the outsourcing relationship, including making agreements with the service provider and determining which control measures are necessary.

This report therefore contains recommendations for the qualification, design, and monitoring of outsourcing in the asset management sector.

The main findings are:

  1. Companies do not always have a well-founded approach to determining what should be considered outsourcing and which outsourcing qualifies as material.
  2. When designing outsourcing, companies often think too narrowly about measures and agreements that anticipate appropriate monitoring.
  3. Companies handle the monitoring of outsourcing very differently; a more consistent and explainable approach based on risks is necessary.
  4. For intra-group outsourcing, there is often (too) much reliance on informal measures and agreements.
  5. Companies are not always aware of ICT components in outsourcing and the associated ICT risks.


Based on the investigation and findings, the AFM has made a number of recommendations for companies. An overview of these recommendations is included in Appendix I. Not all recommendations are equally relevant for every company. Some recommendations are, for example, more relevant for companies of a certain size or for certain types of activities.

The recommendations are intended to provide more direction to legal obligations. They are not intended as an exhaustive checklist to comply with laws and regulations on outsourcing, but must be read in conjunction with existing laws and regulations and guidelines on outsourcing.

The AFM also specifically looked at ICT outsourcing in the investigation. ICT outsourcing arrangements currently mostly fall under the outsourcing rules. The recommendations in this report are therefore in most cases also relevant for ICT outsourcing.

The AFM does not make specific recommendations in this report regarding the control of ICT risks in outsourcing. As of January 17, 2025, financial companies must comply with DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554), which introduces a specific legal framework for ICT services from third parties. We expect that companies are already working on implementing the DORA requirements. However, the AFM has included a number of observations on ICT outsourcing in the report.

Chapter 1 of the report contains an introduction, including further information about the AFM's investigation, the legal framework, and an outsourcing cycle based on which the AFM explains the focus of the investigation. Chapter 2 of the report contains an overview of the findings the AFM established based on the investigation. Based on these findings, the AFM has included recommendations in Chapter 3 of this report, with an explanation for each recommendation. ICT outsourcing is mentioned in a separate chapter where the AFM provides a number of observations. Finally, Chapter 4 of the report contains a conclusion.



Table of Contents

Management Summary

  1. Introduction
     1.1 Introduction
     1.2 The outsourcing cycle and the focus of the investigation
     1.3 Design of the investigation
     1.4 Legal framework
  2. Findings
  3. Recommendations
     3.1 Qualification
     3.2 Design
     3.3 Monitoring
     3.4 Intra-group outsourcing
     3.5 Use of third-party ICT
  4. Conclusion

Appendix I: Recommendations
Appendix II: Outsourcing Flowchart
Appendix III: Legal Framework
Appendix IV: Sector Letter Chain in View 2019, part "assessing outsourcing"


1. Introduction

¹ Outsourcing of activities specifically related to performing investment activities is not included in this investigation.

1.1 Introduction

Financial companies are outsourcing an increasing amount. This development is also occurring among investment firms, administrators of investment institutions, and administrators of UCITS, hereinafter 'companies'. Outsourcing can increase the efficiency and quality of business operations, but also brings specific risks with it. The AFM has therefore designated outsourcing as a priority in supervision for several years.

The AFM conducted the 'Chain in View' investigations in 2018 and 2020. These primarily looked at the design of outsourcing, focusing on determining what companies outsource, to which service providers, and whether companies have written policies and procedures. Findings from these investigations were shared with the sector via letters. These sector letters contain observations and points of attention that are still relevant for the control of outsourcing risks. See the Sector Letter of November 28, 2019, and Sector Letter of July 21, 2021.

In 2023, the AFM started a new investigation into outsourcing in the asset management sector¹. The goal of the investigation was to determine to what extent companies give effect to the applicable laws and regulations regarding the ongoing control of outsourcing risks. This report contains feedback on the findings of the investigation and provides recommendations regarding the control of outsourcing risks.

1.2 The outsourcing cycle and the focus of the investigation

In the control of outsourcing, a number of phases and activities can be distinguished. These are presented in different ways in the market and literature. The outsourcing cycle below summarizes these phases and activities for this report.

Policy and Governance. In the outsourcing cycle, the organizational structure that facilitates controlled business operations is central. This includes, among other things, written policies and procedures and a good governance structure. Part of this is also a company's view on outsourcing and how it qualifies outsourcing.

Phase 1. The selection of an outsourcing partner. The first phase of a specific outsourcing relationship consists, among other things, of following the decision-making process regarding the outsourcing of activities, the subsequent selection process, and due diligence research on selected companies. This is followed by finalizing the analysis of the objective reasons for the outsourcing relationship, including the Cost-Benefit Analysis (CBA).

Phase 2. The design of the outsourcing relationship. This phase involves shaping the relationship with the service provider based on the scope of the services and the risks determined based on that. The risk analysis forms the basis for the design of appropriate control measures, such as setting up performance indicators (KPIs) and shaping continuity and exit plans. This is ultimately recorded in an agreement.



Phase 3. The monitoring of the outsourcing. Monitoring can be divided into ongoing, periodic, and reactive (event-driven) control of the outsourcing relationship. For each outsourcing relationship, it will vary which form of monitoring and which monitoring measures are emphasized.

Phase 4. The evaluation of the outsourcing relationship. In this phase, it is periodically assessed whether the relationship should be continued.

The control of the risks of outsourcing takes place mainly during the monitoring of existing outsourcing relationships, but begins earlier in the process. Essential for the control is the qualification of the outsourcing and the design of the outsourcing relationship, including making agreements with the service provider and determining which control measures are necessary.

Besides the monitoring phase (phase 3 in the figure below), the AFM will therefore also reflect on the design of the outsourcing (phase 2 in the figure below) and the qualification (part of the central part in the figure below) in this report.

Figure 1. The outsourcing cycle - In the outsourcing cycle below, the four phases are depicted, namely selection, design, monitoring, and evaluation. Each phase has its own activities.

[Diagram Description]

  • Policy and Governance (Central)
  • Selection (Left): 1. Decision to outsource, 2. Selection process, 3. Due Diligence, 4. Objective reasons (incl. CBA), 5. Choice of service provider.
  • Design (Top): 6. Scope of services and risk analysis, 7. Performance indicators, Continuity and exit planning, Contractual agreements, Start of services.
  • Monitoring (Right): 8. Roles and responsibilities, 9. Daily monitoring, 10. Periodic monitoring, 11. Reactive control.
  • Evaluation (Bottom): 12. Evaluation.


1.3 Design of the investigation

With this investigation, the AFM wanted to gain a picture of the extent to which companies do enough to continuously control the risks of outsourcing and, if necessary, to provide guidance for that control.

The investigation had two phases. First, the AFM selected 50 companies, varying in size and activities. These companies received a questionnaire. The questionnaire contained questions about, for example, the recent scale of outsourcing, the design of monitoring, which functions are involved in monitoring, and the risks companies see.

Based on the results of the questionnaire, six companies were selected from the earlier selection of 50 companies. An in-depth conversation took place with each of these six companies regarding the monitoring of outsourcing. These conversations looked at how the companies shape the ongoing control of outsourcing in practice. A number of service providers were also interviewed to gain a picture of their role and their view on how companies control outsourcing and the associated risks.

1.4 Legal framework

When outsourcing activities, companies must adhere to Dutch and European laws and regulations. These rules also apply to the monitoring of outsourcing.

The AFM previously created a schematic overview of the relevant legal requirements per type of company, included in table 1 of the 'Chain in View' sector letter of November 28, 2019. This is included as Appendix III of this report. Furthermore, both the 2019 sector letter and a 'Chain in View' sector letter from 2021 contain various pieces of guidance for the qualification of the outsourcing of activities and the design of control measures, including monitoring.

² For example, the guidelines on outsourcing of the European Banking Authority (EBA/GL/2019/02, February 25, 2019), which are currently not applicable to companies in the asset management sector (except for class 1 investment firms). The guidelines will be revised in the future, whereby the scope may be adjusted.

When a company is unsure how control measures should best be designed under the regulation applicable to it, guidance on the control of outsourcing risks under other regulations or from other (supervisory) bodies, such as the good practices of De Nederlandsche Bank or the guidelines of the European Banking Authority (EBA)², may offer practical depth.

The report assumes the laws and regulations as they stand at the time of publication. After the publication of this report, on January 17, 2025, DORA will come into force. Part of this includes rules on the control of ICT services, creating a connection with this report.

This report contains recommendations for the practical implementation of existing standards for outsourcing in general. These are in principle relevant for all outsourcing, including ICT outsourcing. To the extent that following certain recommendations in this report would be incompatible with complying with the obligations under DORA, the latter must be followed with priority.

To the extent that specific recommendations are needed regarding ICT outsourcing, these are more appropriate within the framework of DORA. Therefore, this report does not contain specific recommendations regarding outsourcing with ICT components. However, the AFM has made a number of observations on ICT outsourcing during this investigation. These are included in the report.

Outsourcing is expected to remain a topic high on the agenda of international legislative and supervisory authorities. For example, the recently published AIFMD revision (Directive (EU) 2024/927) also contains various developments in the field of outsourcing. The AFM recommends that companies follow developments closely and, if necessary, follow up in a timely manner.



2. Findings

³ The term 'material' is used in this report to designate outsourcing of activities that fall within the scope of the outsourcing rules in the Financial Supervision Act (Wft) and European sectoral legislation. By material, this report understands outsourcing as intended in the definition of outsourcing in Article 1:1 Wft, critical and important as intended in Article 16, fifth paragraph, MiFID II (Markets in Financial Instruments Directive (EU) 2014/65) and Article 31 MiFID II Delegated Regulation 2017/565, and the functions as intended in Article 20 AIFMD and Annex I of AIFMD (Alternative Investment Fund Management Directive (EU) 2011/61) and the functions as intended in Article 13 UCITS Directive and Annex II of the UCITS Directive (Undertakings for Collective Investment in Transferable Securities Directive, 2009/65/EC).

In broad terms, the AFM's investigation results in five overarching findings. The first three findings are generic; the last two findings relate to specific situations. Regarding the five findings, the AFM establishes recommendations in the following chapter.

Finding 1 - Qualification

Companies do not always have a well-founded approach for determining what should be considered outsourcing and which outsourcing qualifies as material.

As part of the investigation, a list of outsourcing relationships was requested, both material³ and non-material. Upon inquiry, it appeared that the concept of outsourcing was interpreted too narrowly on more than one occasion. It also appeared that the way companies determine which outsourcing is material was often limited and inconsistent, and that the justification was limited. It was noted that the guidance on the qualification of outsourcing, as included in the 'Chain in View' sector letter from 2019, was regularly not followed.

Incorrect qualification can lead to insufficient control measures being taken.

Finding 2 - Design

When designing outsourcing, companies often think too narrowly about measures and agreements that anticipate appropriate monitoring.

The monitoring activities regarding outsourcing take place (among other things) based on documents provided by the service provider, such as reports and certifications. This requires that risks have been mapped at an earlier stage, and that good agreements have been made based on that regarding which performances and documents the service provider will deliver. The investigation showed that the link between this earlier design phase and the later monitoring phase was not sufficiently established in all cases. This can lead to uncertainty in the monitoring phase regarding the responsibilities and rights between the company and the service provider, whereby risks are insufficiently identified and controlled by the company.



Finding 3 - Monitoring

Companies handle the monitoring of outsourcing very differently and do not always use the most suitable methods to control the risks of outsourcing; a more consistent and explainable approach based on risks is necessary.

Companies must determine themselves which form and frequency of monitoring is necessary, depending on the specific risks associated with an outsourcing. The expectation is that the monitoring of outsourcing of comparable activities, with comparable risks, will take place in a comparable manner. The investigation noted that outsourcing of comparable activities at different companies was monitored differently, which was not always explainable by the specific risks. For example, companies handle the assessment of service provider certifications very differently. The form and frequency of review meetings with the service provider also differ per company, even when purchasing the same services. These differences were often not well explainable. It is important that companies can sufficiently justify why they choose a certain form and frequency of monitoring.

Finding 4 - Intra-group

For intra-group outsourcing, there is often (too) much reliance on informal measures and agreements.

Within groups, structures are regularly used where group resources are utilized, for example via central services from the group ('shared services'). Companies often do not see this as outsourcing from a practical perspective, while it often is according to laws and regulations. Also, monitoring in practice often takes place informally and/or to a (too) limited extent. When weighing the risks, the degree of control over the outsourced service and over the group service provider can be taken into account, but this does not mean that monitoring does not need to be designed. Although it is often assumed that interests within the group are always equal, this is not the case in practice. Companies therefore cannot fully rely on the group function and must take appropriate control measures themselves.

Finding 5 - ICT specific

Companies are not always aware of ICT components in outsourcing and the associated ICT risks.

For many outsourcing arrangements, the service provider uses ICT, including (web) applications, data processing, and storage. However, these ICT components in an outsourcing have their own ICT risks. Companies do not always sufficiently reflect on these ICT components and their risks, such as risks regarding the availability, integrity, and confidentiality of the processed data.



3. Recommendations

In this part of the report, the AFM provides a number of recommendations regarding the ongoing control of outsourcing per finding, as described in Chapter 2. This part of the report also contains specific observations regarding ICT outsourcing.

3.1 Qualification

Companies have different approaches to determining what should be considered outsourcing and which outsourcing qualifies as material. The AFM has previously provided guidance on this in a sector letter regarding Chain in View (see Appendix IV of this report). That guidance still applies but seems to have been insufficiently followed.

The AFM therefore provides a number of recommendations for a more appropriate qualification regarding outsourcing.

Recommendation 1 - Definition

Establish written policy in which it is elaborated how it is determined in a uniform manner whether there is outsourcing.

It is important that companies establish policies and procedures in which it is determined in a uniform manner when there is outsourcing. Companies can include the perspectives mentioned in Appendix II. It is also important to record the analyses and their outcomes for each situation. When going through the procedures, sub-outsourcing must also be included. Sub-outsourcing occurs when the service provider to whom outsourcing has been awarded also (partially) outsources the relevant activities. A company that outsources is responsible for all risks, and sub-outsourcing falls under that. Sub-outsourcing occurs particularly often in the case of the use of ICT systems, for example by hosting ICT systems in the cloud.

The AFM's investigation showed that many companies often decide that relationships with third parties do not qualify as outsourcing, without a recorded analysis or justification. This mainly concerns outsourcing to parties where personnel, services, or systems are used. Many companies see this as 'purchasing', 'insourcing', 'standard services', or 'support'. We observe that these cases regularly do in fact constitute outsourcing.

By incorrect qualification, possible ri
