Modern FinTech companies rely heavily on third parties — cloud providers, KYC vendors, payment processors, and RegTech platforms. FINMA Circular 2018/3 "Outsourcing — banks and insurers" establishes requirements for delegating critical functions while maintaining supervisory accountability. This guide explains what constitutes outsourcing, FINMA's requirements, and how to build an effective third-party risk management programme.

What Is Outsourcing Under FINMA Circular 2018/3?

Outsourcing occurs when an institution delegates to a third party a function that is material to its business, is subject to FINMA supervision, or involves the processing of client data. Materiality depends on the function's impact on profitability, liquidity, risk profile, or reputation — not merely on cost savings. Common outsourced functions in Swiss FinTech include:

  • Cloud infrastructure and hosting (IaaS, PaaS, SaaS)
  • Customer identity verification and AML screening
  • Payment processing and card issuing
  • Core banking and portfolio management systems
  • Compliance monitoring and regulatory reporting via RegTech

Core Requirements of Circular 2018/3

Due Diligence Before Outsourcing

Institutions must assess vendor financial stability, operational capability, regulatory standing, and security controls before entering outsourcing arrangements. Due diligence documentation must be retained and reviewed periodically — typically annually for critical vendors.

Contractual Safeguards

Outsourcing contracts must include: scope of services, performance standards, audit and inspection rights, data protection obligations, business continuity requirements, termination and exit provisions, and sub-outsourcing controls. FINMA must be able to audit outsourced functions directly or through the institution.

Ongoing Monitoring and Oversight

Delegating a function does not delegate accountability. Institutions must monitor vendor performance through SLAs, control reports (SOC 2, ISAE 3402), and periodic reassessments. Material service degradation or vendor financial distress triggers escalation and contingency planning.

Concentration and Exit Risk

Over-reliance on a single vendor creates unacceptable concentration risk, a point also addressed in Circular 2023/1. Exit strategies — data portability, transition timelines, and alternative providers — must be documented before outsourcing critical functions.

Cloud Outsourcing Specifics

Cloud adoption is the most common outsourcing decision for FinTech startups. Additional considerations include data residency, encryption key management, shared responsibility models, and cross-border data transfers under FADP. Cyber security requirements from our cyber compliance guide apply directly to cloud vendor assessments.

RegTech as Outsourced Compliance

Using a RegTech platform for AML monitoring or regulatory reporting constitutes outsourcing if the function is material. Vendor selection should follow the same due diligence process, and institutions should verify that RegTech providers support audit trails, data export, and contractual audit rights required by Circular 2018/3.

Common Pitfalls

  • Undocumented shadow outsourcing — Teams adopting SaaS tools without compliance review.
  • Missing audit rights — Contracts without FINMA inspection access clauses.
  • No exit plan — Vendor lock-in without data migration strategy.
  • Sub-outsourcing blind spots — Vendors using subcontractors without notification or approval.
  • Stale due diligence — Initial vendor assessment never updated after material changes.

Outsourcing Compliance Checklist

  • Outsourcing register listing all material third-party arrangements
  • Materiality assessment methodology documented and applied consistently
  • Pre-contract due diligence completed and filed for each critical vendor
  • Contracts include audit rights, data protection, BCP, and exit clauses
  • Annual vendor performance reviews with SLA monitoring
  • SOC 2 or equivalent control reports obtained and assessed annually
  • Concentration risk analysis for critical vendor dependencies
  • Exit and transition plans tested for top-three critical vendors
  • Sub-outsourcing approval process defined and enforced
  • Board or management reporting on outsourcing risk at least annually

Effective third-party risk management enables FinTech companies to leverage external expertise while maintaining the supervisory standards FINMA expects. Document, monitor, and test — outsourcing compliance is ongoing oversight, not a one-time contract review.