Current legal framework for outsourcing

Financial undertakings can outsource certain activities. The rules on outsourcing for financial undertakings fall under the Dutch act on the financial supervision (Wet op het financieel toezicht, AFS) and focus on activities that are part of or arise from the core activities of financial undertakings. The responsibility for compliance with the laws and regulations remains with the financial undertakings that outsource their activities. The Dutch Financial Markets Authority (Autoriteit Financiële Markten, AFM) plays an important role in supervising outsourcing by financial undertakings.

For financial service providers, such as providers of investment objects, credit providers, advisors, intermediaries and (sub)authorized agents, the outsourcing rules are limited. The main obligations arise from Article 4:16 AFS and Article 37 of the Decree on Conduct Supervision of Financial Undertakings (BGfo). These obligations stipulate that a financial service provider outsourcing activities to a third party must ensure that this party complies with the applicable laws and regulations (Article 4:16 AFS). Additionally, current legislation stipulates that financial service providers may not outsource activities if this hinders adequate supervision by the AFM (Article 37 BGfo).

AFM investigates outsourcing in practice

In 2020, the AFM conducted research regarding outsourcing risks among financial service providers. The aim was to gain insight into the nature and scope of these risks and how they are managed. The AFM found that in 11% of cases, there was no signed agreement with the third party to whom the activities were outsourced. Additionally, it seemed that 70% of the financial service providers do not map out outsourcing risks, leading to an increased risk of non-compliance with the laws and regulations.

Based on these findings, the Minister of Finance aims to tighten the outsourcing rules for financial service providers and the supervision thereof with the Amendment Decree. To achieve this, the Amendment Decree introduces further requirements, as outlined below.

Key requirements under the Amendment Decree

Outsourcing register

Financial service providers will be required to maintain a register with information about all outsourced activities and the third parties to whom these activities have been outsourced (new Article 38I(1) BGfo). Third parties also include companies within the same group to which the financial service provider belongs.

Written outsourcing agreement

Additionally, financial service providers will be required to draw up a written agreement with the relevant third party (new Article 38I (2) BGfo). This agreement should include at least the following elements (new Article 38I(3) BGfo):

  • The rights and obligations of the financial service provider and third party;
  • The mutual exchange of information, including arrangements for making information available to regulators. This is relevant because regulators may ask the supervised institution that has outsourced the activities to provide further information in this respect;
  • The ability for the financial service provider to make changes to the way the third party performs the outsourced activities. This may be in response to directions or instructions from the AFM;
  • The obligation for the third party to ensure that the financial service provider continues to comply with its legal obligations;
  • Measures to ensure the continuity of business operations;
  • A description of how the security of automated processes is ensured and how incidents are reported; and
  • The method of termination. It is important to ensure that the financial service provider can resume the outsourced activities itself or through another third party after termination of the agreement.
Expertise and control

The Amendment Decree stipulates that financial service providers should always possess the necessary skills and expertise, and should therefore perform due diligence when entering into, managing, or terminating agreements with third parties (new Article 38I(4) BGfo). Financial service providers will remain responsible for the activities they outsource under the current legal framework (Article 4:16 AFS). Therefore, before outsourcing activities, financial service providers must investigate the suitability of third parties. Additionally, financial service providers should be able to exercise effective control over the outsourced activities (new Article 38I(5) BGfo). Exercising control also means that financial service providers must monitor the risks associated with outsourcing.

Next steps?

The consultation on the Amendment Decree runs until March 7, 2025. It is expected that financial service providers will need to critically evaluate their outsourced activities this year to comply with the new regulations by 2026.

Contact

If you have any questions regarding the above or other financial regulatory topics, please contact one of our colleagues listed below.