IT outsourcing for financial service providers: more requirements to be expected from the 6th MaRisk amendment

The Minimum Requirements for Risk Management (MaRisk) for banks and financial service providers will soon be updated again. BaFin published its consultation draft for the new version of MaRisk at the end of October 2020 (BaFin Consultation 14/2020); the consultation phase has since closed. The new version is expected to be adopted shortly.

The 6th MaRisk amendment introduces a large number of new rules and specifications for the risk management of credit institutions and financial services institutions. Most of the changes stem from the transposition of the EBA Guidelines on outsourcing arrangements into national supervisory practice. Because the EBA Guidelines are detailed and very specifically worded, the consultation draft is also considerably more extensive in places.

The EBA Guidelines introduce numerous new requirements and specifications for outsourcing. They cover the entire outsourcing lifecycle: the risk analysis, the outsourcing agreement, and the ongoing monitoring and control of outsourcing risks by the institution. In addition, institutions must assess the risks associated with an outsourcing and the quality of the service provided against clear criteria such as key performance indicators and key risk indicators.

There are simplifications for groups and financial associations: opportunities for centralisation, standardisation and simplification are encouraged. In addition, the consultation paper provides for a central outsourcing officer who reports directly to the management board, which places responsibility for outsourcing as high as possible within the institution.

Below, I present the most important changes concerning outsourcing:

Category of "other external procurement of services" expanded

In future, more arrangements will fall outside the definition of an outsourcing. This category will also cover the use of global payment infrastructures (e.g. card payment schemes). The outsourcing rules of Section 25b KWG do not apply to the procurement of such services and goods. Banks nevertheless remain bound by the general requirements for a proper business organisation (Section 25a (1) KWG).

Risk analysis with new specifications

In its consultation draft, BaFin has expanded the assessment criteria to be taken into account in the risk analysis and has made existing criteria more specific. Data protection risks and political risks are now explicitly mentioned.

Where this makes sense, the institution should supplement its risk analysis with a scenario analysis that plays out the effects of the identified risks. In particular, the risks arising from long and complex outsourcing chains (sub-outsourcing) should be evaluated.

Uniform risk management for groups

Institutions can positively influence the risk assessment through uniform and comprehensive risk management for intra-group and intra-association outsourcings. If several institutions of a group or association outsource to a common service provider, they may set up a central outsourcing management. The consultation draft thus provides some relief for financial conglomerates and groups of institutions with regard to risk analysis and risk management.

Outsourcing of critical areas

BaFin maintains its ban on outsourcing management tasks. It now states explicitly that an outsourcing must not leave the institution as a mere empty shell.

Risk controlling, compliance and internal audit may still only be outsourced within the group, and only if the outsourcing institution is not classified as material for the national financial sector in terms of its size, complexity and the risk content of its business activities, or in terms of its importance within the group. Within a group of institutions, outsourcing of these functions to affiliated companies is now also permitted.

Permits for outsourcing providers

The MaRisk amendment leaves open which criteria determine whether the service provider itself requires a licence. The draft requires the outsourcing institution to clarify the service provider's licensing status whenever banking business is outsourced to an extent that would trigger a licensing or registration requirement with the competent supervisory authorities within the EEA.

If the service provider has its registered office in the European Economic Area (EEA), the licensing requirement is governed by the law of that member state. If, on the other hand, the service provider has its registered office in a third country, the following applies under the EBA Guidelines and the new MaRisk:
• Whether the materiality threshold for the service provider's licensing obligation has been exceeded is assessed against EEA standards.
• A licence held by the service provider in the third country is only acceptable if a cooperation agreement exists between BaFin and the supervisory authorities of that third country. In the case of outsourcing to the UK, for example, such agreements currently exist only for individual lines of financial services.

More audit rights for immaterial outsourcing

Where possible, information and audit rights should also be agreed for non-material outsourcings if it is foreseeable that the outsourcing could be classified as material in the near or medium term. The agreements must also grant access rights to the relevant premises of the service provider.

Termination rights specified

The outsourcing agreement must contain termination rights and appropriate notice periods. BaFin adds that the service provider should be contractually obliged to assist the institution in transferring the outsourced processes to another provider (or back in-house) when the agreement ends.

Data protection strengthened

Data protection provisions must now also be included in agreements covering non-material outsourcings, which strengthens data protection across the board.

Need for action by banks and IT service providers

We support banks and IT service providers in obtaining an overview of the action required by the MaRisk amendment and in checking to what extent they already comply with the new requirements. We also advise on the risks and opportunities arising from the new rules, in particular the option of central outsourcing management at group or association level.

Michaela Witzel, LL.M. (Fordham University School of Law), Certified Expert for IT Law