A Dutch investment management firm operating under both UCITS (Undertakings for Collective Investment in Transferable Securities) and AIFMD (Alternative Investment Fund Managers Directive) frameworks relied extensively on third parties for core functions, including portfolio management, fund administration, benchmarking data, and IT services. While this operating model supported efficiency and scalability, it also increased regulatory complexity and supervisory exposure within the Dutch financial sector.
RiskSphere was engaged to perform an independent assessment and strengthen the outsourcing model in line with evolving Dutch and European supervisory expectations.
In recent years, the regulatory environment has evolved rapidly. Developments under AIFMD I & II, UCITS V & VI, DORA (Digital Operational Resilience Act), expanded ESMA guidance, and strengthened Dutch implementation through the Wft (Wet op het financieel toezicht) and BGfo (Besluit Gedragstoezicht financiële ondernemingen) have significantly raised expectations around delegation, ICT risk management, governance, and oversight. Against this backdrop, the organisation’s existing outsourcing framework required a thorough reassessment to ensure continued compliance and readiness for supervisory review by the Autoriteit Financiële Markten (AFM).
While many controls were already in place, the outsourcing framework had not been fully aligned with the latest regulatory developments. Key areas required reassessment:
Delegation and letter-box risk under UCITS and AIFMD
Materiality and criticality classification of outsourced services
Performance fee governance and remuneration alignment
Indirect outsourcing and subcontracting risk
Board-level accountability and documentation standards
The organisation therefore needed a structured, defensible outsourcing model that could withstand regulatory scrutiny and future supervisory developments.
RiskSphere approached the engagement with in-depth expertise in both EU financial regulation and Dutch supervisory practice. The project began with a comprehensive gap analysis, assessing the outsourcing policy and each outsourced function against applicable EU directives, Dutch legislation, and relevant ESMA guidance.
A structured materiality and criticality methodology was introduced to classify all third-party arrangements based on regulatory significance, operational dependency, and ICT risk exposure. To enhance consistency and transparency, RiskSphere developed a clear outsourcing decision tree, enabling the organisation to systematically determine whether a service qualifies as outsourcing, assess its materiality, and identify the applicable regulatory framework in a defensible and repeatable manner.
Intra-group outsourcing arrangements were subject to specific scrutiny. Despite being within the same corporate structure, such arrangements remain fully subject to delegation, substance, and oversight requirements under UCITS, AIFMD, and Dutch law. Governance structures, reporting lines, potential conflicts of interest, and oversight mechanisms were assessed to mitigate letter-box risk and ensure demonstrable independence and accountability.
Building on these findings, RiskSphere supported the complete redesign of the outsourcing policy. The revised framework embedded regulatory requirements directly into the policy structure, strengthened due diligence and contractual standards, clarified governance responsibilities, and integrated ICT third-party risk management into the broader outsourcing model.
The result was a future-ready outsourcing framework aligned with AIFMD, UCITS, DORA, Wft, BGfo, and relevant ESMA guidance. The updated policy not only ensured regulatory compliance but also improved internal clarity, operational resilience, and strategic readiness for continued regulatory evolution.