The Financial Supervisory Authority has issued outsourcing guidelines that apply to all supervised entities. The term outsourcing is defined as an agreement between a supervised entity and a third party (service provider) under which the service provider/outsource entity undertakes tasks or services that generally fall within the scope of the supervised entity. The European Banking Authority (EBA) has issued guidelines on outsourcing (EBA/GL/2019/02), covering credit institutions, payment institutions and electronic money undertakings. Likewise, the European Insurance and Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) have issued guidelines on outsourcing and cloud services (EIOPA-BoS-20-002 and ESMA-50-164-4285). These guidelines provide corresponding definitions of the term outsourcing.

It should be pointed out that supervised entities are not permitted to outsource activities that require a licence from the Financial Supervisory Authority unless the service provider itself has authorisation to provide the service or carry out the task in question.

A supervised entity generally does not need permission from the Financial Supervisory Authority to outsource activities, but must notify the Authority of the outsourcing, as discussed later. However, the sector-specific laws that apply to the activities of each supervised entity place various restrictions on the authorisation of supervised entities to enter into contracts for the outsourcing of specific tasks or services. The parties need to familiarise themselves with these restrictions before concluding a contract for the outsourcing of services.

Act No. 128/2011 on UCITS and Act No. 45/2020 on Alternative Investment Fund Managers contain provisions that place restrictions on outsourcing. These parties are thus not permitted to outsource both the asset management and risk management of the same fund. Further restrictions on outsourcing can be found in the aforementioned acts, which the parties need to familiarise themselves with before entering into an outsourcing contract.

Act No. 100/2016 on Insurance Activities also places restrictions on the outsourcing of key areas of work.

It should be noted that the Central Bank must be notified of outsourcing before it is carried out, as well as of any changes to the outsourcing arrangement.

Before outsourcing begins, care must be taken to ensure that the requirements of the law, instructions and guidelines for outsourcing are met.

In all cases, the AMSB[1] of the supervised entity is responsible for projects, whether they are outsourced or not. It is therefore vital to allocate the undertaking’s time and human resources to the monitoring and supervision of the outsourced task.

Furthermore, it must be certain that outsourcing does not hinder effective supervision or prevent the regulated party from working with the interests of fund members and customers in mind.

In an application for an operating licence, information about the outsourcing arrangement must always be provided, and the Financial Supervisory Authority assesses whether the outsourcing arrangement meets the requirements and whether the outsourcing may hinder supervision, etc. However, responsibility for the projects always lies with the party subject to supervision.

Entities subject to supervision must maintain a register of the activities that are outsourced, as stated in the various legal sources and instructions that have been issued on outsourcing by entities subject to supervision. This register must be updated and reviewed as often as necessary.

Cloud outsourcing must also be notified 30 days before its intended use and a checklist for such outsourcing must be submitted. See here in the site's form search (in Icelandic).


[1] Administrative management or supervisory board