Publications

Outsourcing in the Financial Sector

Uitbesteding in de financiële sector en pensioensector (Peter Laaper), Nederlands Juristenblad 2015, p. 3071.

 

 

ENGLISH SUMMARY OF THE CONCLUSIONS

1. Conclusions and recommendations

This research is aimed at understanding the rules on outsourcing in the (entire) financial sector. It is also focused on pension funds that outsource their asset management. As a result, this study includes not only conclusions and recommendations regarding the rules on outsourcing, but also with respect to certain pension law, civil law and administrative law issues.

Conclusions regarding the rules on outsourcing

In order to obtain an understanding of the rules on outsourcing in the financial sector, the following research questions were posed:

1. Is there a common underlying system to the mutually different outsourcing regulations for the various financial sectors and, if so, what is that system?

2. When does an outsourcing fall within the scope of the rules on outsourcing?

3. How can or should an outsourcing organisation implement the rules on outsourcing?

4. How does outsourcing affect the position of the regulator?

5. How does outsourcing affect the position of the beneficiary or the customer of the outsourcer?

First question: a common system

The first research question is relevant because the rules on outsourcing in the Financial Supervision Act and the Pensions Act are unsystematic. In the first chapter I described them as a “hodgepodge”. The outsourcing rules vary from financial sector to another, but they also show similarities. Should there be a common underlying system, then the outsourcing rules for “other” financial sectors would be relevant to one’s “own” financial sector.

This study shows that the various sectoral outsourcing regulations do indeed share a common underlying system. The basic principle of the system is that the outsourcing company remains fully responsible to its regulator and to its clients or beneficiaries for the acts or omissions of its services provider as if it were its own acts or omissions. In order to live up to its responsibility, it must remain “in control” over the outsourced activities as if they were its own activities.

As a result of the outsourcing, activities “leave” the organisation. In the sense of the outsourcing regulations, however, they remain part of its own operations. The rules on outsourcing can be understood as an interpretation or extension of the requirement that a pension fund or financial institution has a controlled and incorruptible operations management. In essence, therefore, it is an open standard of care. The outsourcer must assess which risks are connected to its outsourcing of activities and then take appropriate action. Measures are adequate when they are proportionate to the risks they address.

For various financial sectors, this standard of care has partly been worked out in more or less specific rules. These rules vary fromone financial sector to another, but they are always an elaboration of the same underlying common system. Therefore, I advocate a cross-sectoral analogous application of the rules on outsourcing.

Second research question: the scope

The scope of the outsourcing rules is defined by three criteria. These criteria

are:

1. the service provider is a “third party”

2. the outsourced activities are “own” to its operations, and

3. the outsourced activities are “material” for its operations.

Licensed or authorised activities are by definition “own” and “material”. Activities that are supporting to licensed or authorised activities are “own” activities, but not necessarily “material”. It is not possible to draw a sharp line between “material” and “non-material” activities. For each case, one should make a re-assessment of the extent of the (negative) consequences for the outsourcing firm or its clients, should there be problems in the performance of the outsourced activities. A minor issue for one outsourcing company, may be a capital issue for another company. The materiality of the activities should periodically be reassessed because the materiality of the outsourced activities may change over time.

In pensions law literature, the general opinion is that an occasional outsourcing does not fall within the scope of the rules on outsourcing. This view is incorrect. An occasional outsourcing may be “material” as well. While this will probably not often be the case, a categorical exception of occasional outsourcing is unjustified and inconsistent with the intent of the legislator.

The importance of the distinction between outsourcing that does or does not fall within the scope of the outsourcing rules should not be exaggerated. The outsourcing rules are an elaboration of the requirement of a controlled and incorruptible operations management. Even when an outsourcing just misses to meet the criteria to fall within the scope of the rules on outsourcing, the company must ensure a controlled and incorruptible operations management. Although there is no obligation in such cases to comply with the rules on outsourcing, it is a logical step to remain in keeping with rules on outsourcing.

1.1.3 Third research question: the implementation by the outsourcing Organization

The outsourcing rules are essentially an open standard of care. They require an approach, proportional to the risks associated with outsourcing. It is therefore not possible to indicate what concrete measures an outsourcer should take. Sometimes, sectoral regulations include concrete, precise rules. It is not sufficient, however, for an outsourcing company to tick off such detailed sectoral regulations. There is no sectoral regulations that contains precise rules on every aspect of any outsourcing. In the end, what counts is that risks are identified and adequately addressed. This may take more stringent measures than have been detailed in a specific (or even other) sectoral regulation.

In this study, numerous measures that a company can take tomanage the risks associated with outsourcing are systematically brought into the limelight. Those suggestions should (certainly) not always be followed. The taken measures must be proportionate to the risks. The matter always boils down to the question whether the set of taken measures is sufficient to adequately control the risks associated with the outsourcing at hand. Thus, a limited power to issue instructions may be quite acceptable when a termination arrangement is included in the agreement that allows the outsourcer to terminate anytime without costs. (Of course, this would require that the activities can actually be handed over to a successive services provider within a short time). Also, a limitation of liability in favour of the services provider may be fair, provided that sufficient incentive remains for the services provider to use its best efforts.

Fourth question: the position of the regulator

Both the supervision and the enforcement by the regulator focus primarily on the outsourcing company. However, the regulator can “reach through” to the services provider. This is particularly important when the outsourcer or services provider frustrates the exercise of the supervisory powers. In principle, the outsourcing company is the party that should provide its regulator with all necessary information. However, the outsourcing company must stipulate for its regulator for a right to directly address its requests for information to the services provider and a right to execute a site survey at the premises of the services provider. This enables the regulator to obtain control information faster and to determine for himself that the outsourced work is carried out correctly. Nevertheless, the burden for the service will be limited. The proportionality principle requires that the regulator exercises its powers in the least burdensome way. Consequently, he must focus, in principle, on the outsourcer. It also follows from the principle of proportionality that if the regulator turns to the services provider, it can request no more information than is reasonably needed for the exercise of its statutory duties. Moreover, it can exercise no powers towards the services provider which he had been unable to exercise against the outsourcer. This is true even if the services provider has agreed contractually with further-reaching investigative powers for the regulator.

Also when seeking to enforce the compliance to regulations, the regulator must, in principle, focus on the outsourcer. The regulator has plenty of powers to force an outsourcing company to comply with the applicable rules. In practice, it uses mostly the “standards conveying conversation”, the instruction, the penalty and the provisional penalty. An instruction or a provisional penalty may also require an outsourcing company to intervene in the outsourcing relationship in a prescribed manner. The outsourcing company may even be required to terminate the relationship. In any way, the required action must be proportionate to the offense.

Question five: the position of the beneficiary or client

An outsourcing arrangement must not alter the relationship with the beneficiaries or clients. It is difficult to imagine that it could, in the legal sense. The beneficiary or client has a relationship with his pension fund or financial institution. It is the pension fund or financial institution that is responsible for the performance of its obligations towards its beneficiaries or clients, whether that company has outsourced certain activities or not.

Nevertheless, the relationship with the beneficiary or client may change if the pension fund or financial institution has agreed to an exclusion of liability for the services provider (or at least to a further extend than it has limited its liability for its own actions). In such a case, the opportunities for a beneficiary or client to tackle his pension fund or financial institution about deficiencies or to take recourse are limited by the outsourcing arrangement. Therefore, an outsourcing company cannot limit its liability for acts or omissions of its services providers to a further extent than it has limited its liability for its own acts and omissions.

Final Conclusion

As stated above, the basic principle is that the outsourcing company remains fully responsible to its regulator and its clients or beneficiaries for the acts or omissions of its service as if it were its own acts or omissions. In order to live up to this responsibility, it must remain “in control” over the outsourced activities as if they were its own.

In essence, the outsourcing rules hinge on three basic rules: 1) A company that outsources activities must do so in a careful way, 2) the outsourcing must not obstruct supervision by the regulator and 3) the outsourcing must not change the relationship with its beneficiaries or clients.

All things considered, the outsourcing rules do not change that much compared to a world without them. Indeed, outsourcing must not change the relationship with the beneficiaries or clients. I already discussed that such a change in relationship is difficult to imagine. An outsourcing must not obstruct supervision either. That seems obvious. In the same way that a company must fulfill its obligations towards beneficiaries or clients, regardless of whether the work is outsourced, it must also fulfill its obligations to the regulator. A company that outsources activities, must do so in a careful way. Nonetheless, even without rules on outsourcing, an outsourcing company would have had to do arrange the outsourcing in a careful way in order to meet its obligations towards its regulator and its beneficiaries or clients.

The outsourcing rules clarify especially what an outsourcing company should do, even without those outsourcing rules. Careful outsourcing is a matter of analyzing the (potential) risks and controlling these risks by taking adequate measures. The outsourcing rules can therefore be understood as an elaboration of the obligation to possess a controlled and incorruptible operations management.

I do not claim, however, that the outsourcing rules do not matter, nor that outsourcing is a topic that does not matter. On the contrary. It takes quite an effort to carefully tackle an outsourcing. That would also be the case without such outsourcing rules. The relevance of the outsourcing rules lies, among others, in putting the subject at the agenda of pension funds and financial institutions. Previously, that has been different. In addition, they provide outsourcing companies with a guide what issues to pay attention to when outsourcing (carefully). It would have been better, though, had that “guide” been more consistent.