The term outsourcing appears in several laws, e.g. in section 26 ZAG, section 25b KWG and section 17 para. 5 GwG. We want to concentrate on outsourcing in the sense of the ZAG or KWG. Specifications for this can be found in the Minimum Requirements for Risk Management (“MaRisk”), in the EBA Guidelines on outsourcing (“EBA Guidelines”) and in the Supervisory Requirements for IT in Financial Institutions (“BAIT”).
What is outsourcing?
Outsourcing is the commissioning of another enterprise to provide activities and processes relating to the execution of banking business, financial services or any of an institution’s other usual services that would otherwise be provided by the institution itself. This definition can be found in AT 9 para. 1 MaRisk. For example, an institution may outsource the function of the data protection officer. However, general services or support services for the institution, such as mail delivery, building cleaning or waste disposal, are not covered by the outsourcing term.
What may be outsourced?
Not all activities may be outsourced. Outsourcing shall impair neither the proper execution of such business and services nor the business organisation (section 26 para. 1 s. 2 ZAG, section 25b para. 1 s. 2 KWG). Furthermore, outsourcing shall not entail the delegation of the management board’s responsibility to the external service provider. Thus, the management board’s management tasks cannot be outsourced (AT 9 para. 4 MaRisk).
Requirements for outsourcing
If an arrangement qualifies as outsourcing and the activities and processes concerned may be outsourced, the institution must follow certain requirements. Based on a risk analysis, the institution shall determine on its own responsibility which outsourcing of activities and processes it regards as material in terms of risk (AT 9 para. 2 MaRisk). Decisive parameters for this can be, for example, the risk content and complexity of the activities and processes to be outsourced, the need for prompt availability of the service, and the reputational risks in the event of poor performance. The result of the risk analysis must be substantiated and documented to an appropriate extent and in a manner that is readily comprehensible for expert third parties.
For both non-material and material outsourcing, the general requirements for proper business organisation pursuant to AT 9 para. 4 MaRisk must be met. These stipulate, among other things, that an appropriate contingency plan must be defined, especially for IT systems (cf. section 27 para. 1 no. 3 ZAG, section 25a para. no. 5 KWG). In addition, the institution remains responsible for compliance with the legal provisions it is required to observe.
In addition, the requirements of the EBA guidelines must be observed, e.g. the rights and obligations of the institution and the service provider should be clearly allocated and set out in a written agreement (para. 74).
In addition, the outsourcing agreement should expressly allow the institution or payment institution to terminate the arrangement, in accordance with applicable law, e.g. if the service provider of the outsourced functions violates applicable law, legal provisions or contractual provisions, or if impediments capable of altering the performance of the outsourced function are identified (EBA Guidelines para. 98).
Further specifications in the case of material outsourcing
In the case of material outsourcing, further specifications are added. For example, according to MaRisk AT 9 para. 6, in the event of an intended or expected termination of the outsourcing arrangement, the institution shall take safeguards to ensure the continuity and quality of the outsourced activities and processes also after the termination. The institution must manage the risks associated with material outsourcing appropriately. The execution of the outsourced activities and processes must be properly monitored by the institution, and the institution shall clearly specify the responsibilities for managing and monitoring material outsourced activities and processes (MaRisk AT 9 paras. 9 and 10).
In addition, special attention must be paid to the design of the outsourcing agreement in the case of material outsourcing. Special provisions can be found in MaRisk AT 9 para. 7, according to which, among other things, agreements must be made with regard to the definition of appropriate rights of information and review for internal and external auditors. In addition, the competent authority’s unrestricted rights of information and review and its ability to supervise the outsourced activities and processes must be contractually guaranteed.
The EBA guidelines set out the requirements for outsourcing agreements in detail. The outsourcing agreement for critical and essential functions must contain the following provisions, among others:
- the location(s) (i.e. regions or countries) where the function will be provided,
- the right of the outsourcing institution to monitor the performance of the service provider on an ongoing basis,
- the agreed service levels,
- the reporting obligations of the service provider to the institution,
- the requirements for the implementation and testing of contingency plans, and
- information on whether sub-outsourcing is permitted.
Further specifications for IT outsourcing
For the outsourcing of IT, the BAIT applies in addition to the above-mentioned specifications. Under II.8 para. 52 BAIT, the requirements of AT 9 MaRisk must be met when outsourcing IT services. This also applies to the outsourcing of IT services which are provided to the institution by a service provider via a network (e.g. computing power, storage space, platforms or software) and which are offered, used and invoiced dynamically and adapted to requirements via defined technical interfaces and protocols (cloud services).