Total revi­si­on of the FINMA RS “Out­sour­cing Banks”: Dele­ti­on of the data pro­tec­tion provisions

In the Media release on Decem­ber 6, 2016, FINMA published its draft for a total­ly revi­sed RS 17/xx “Out­sour­cing – Banks and Insu­r­ers”. The con­sul­ta­ti­on peri­od lasts until Janu­ary 31, 2017, and ent­ry into force is sche­du­led for July 1, 2017.

The data pro­tec­tion pro­vi­si­ons in mar­gi­nals 31 – 33, mar­gi­nals 36 and mar­gi­nals 37 – 39 of the RS 2008/7 “Out­sour­cing Banks were dele­ted. The Expl­ana­to­ry report on the revi­sed RS points out that the hand­ling of per­so­nal data is alre­a­dy com­pre­hen­si­ve­ly regu­la­ted by data pro­tec­tion legislation.

In order to avo­id dupli­ca­ti­ons and pos­si­ble diver­gen­ces with the deve­lo­p­ments in data pro­tec­tion law and at the same time to ensu­re a clear demar­ca­ti­on bet­ween super­vi­so­ry requi­re­ments of finan­cial mar­ket super­vi­si­on and the obli­ga­ti­ons under pri­va­te law pur­su­ant to the Data Pro­tec­tion Act, the pre­vious state­ments in FIN­MA-Circ. 08/07 with refe­rence to data pro­tec­tion (…) will be deleted.

Accor­ding to para. 37 of the revi­sed RS, FINMA must also be infor­med in advan­ce of any out­sour­cing of bulk cli­ent iden­ti­fy­ing data abroad.

The expl­ana­to­ry report fur­ther empha­si­zes that the gua­ran­tee of the inspec­tion rights of bank and insu­rance cus­to­mers must also be main­tai­ned with regard to out­sour­ced data.