The outsourcing and other external procurement of IT services are the focus of the current supervisory regulations concerning banks. Following the publication of the MaRisk amendment of 27 October 2017 (circular 09/2017 (BA) – Minimum Requirements for Risk Management – MaRisk), BaFin has published a further central regulation in its “Banking Supervision Requirements for IT (BAIT)” (circular 10/2017 (BA)) dated 3 November 2017.
Delineation of outsourcing and external procurement
In accordance with the current MaRisk General Part 9 No. 1, outsourcing is defined as the engagement of another company to carry out activities and processes in connection with the execution of banking transactions, financial services or other typical services that would otherwise be provided by the institution itself. The application of the relevant provisions of section 25b of the German Banking Act (KWG) is not appropriate in view of the specific risks associated with such arrangements.
Other external procurement of services
Other external procurement of services is not considered outsourcing within the meaning of this circular. This includes, in particular, the non-recurring or occasional external procurement of goods and services, as well as the external procurement of services which typically cannot be provided by the institution itself (e. g. the use of central bank functions, clearing offices for payment transactions and securities handling). The requirements for appropriate risk treatment and for ensuring a proper business organization in accordance with section 25a (1) of the German Banking Act (KWG) apply equally to other external procurement of services.

The outsourcing of IT services must meet the requirements of General Part 9 of MaRisk. This also applies to outsourced IT services which are provided to the institution by a service provider via a network (e. g. computing power, storage space, platforms or software) and whose offer, use and billing are dynamic and adapted to demand via defined technical interfaces and protocols (cloud services). Under MaRisk, BaFin now classifies support services for software that is used to identify, assess, control, monitor and communicate risks, or that is essential for the performance of banking business tasks, as outsourcing. Furthermore, the operation of such software by an external third party is deemed to be outsourcing. The isolated purchase of software is usually classified as other external procurement. The support services that are classified as outsourcing include, among other things:
adapting the software to the requirements of the institution
implementing change requests (programming)
testing, approving of and implementing the software in the production processes (first-time use as well as for significant changes)
troubleshooting (maintenance) according to the request/error description
other support services that go beyond mere consultation
Risk analysis – assessment of material risks
The classification of materiality must be carried out on the basis of a risk analysis (e. g. material risks, risk concentration, suitability of the outsourcing company) and uniform framework specifications, both on a regular basis and in response to specific events, with the involvement of the relevant organizational units. The principle of proportionality continues to apply. The integration of the outsourced activities and processes into risk management is mandatory. The intensity of the analysis depends on the type, scope, complexity and risk content of the outsourced activities and processes. This also applies to the outsourcing of special functions such as risk controlling, compliance, internal audit or core banking areas. Insofar as special functions are completely outsourced, the management must appoint a representative (e. g. an audit representative) for each such function, who must ensure that the respective tasks are carried out properly. Accordingly, the risks associated with each purchase of software must also be appropriately assessed (see General Part 7.2 Note 4, Sentence 2 MaRisk). Given the fundamental importance of IT for the institution, a risk assessment must also be carried out in advance for any other external procurement of IT services (cf. number 8, Note 53 BAIT).
In the event of unintended or unexpected termination of the outsourcing agreement
In the case of significant outsourcing, the institution is required to examine and approve options for action with regard to their feasibility in the event of an unintended or unexpected termination of the outsourcing which could have a significant adverse effect on its business activities. This also includes, as far as reasonable and possible, the definition of appropriate phase-out processes. The options for action must be reviewed regularly and as needed. The phase-out processes must be defined with the objective of maintaining or restoring the necessary continuity and quality of the outsourced activities and processes within a reasonable time. This is not necessary in the case of outsourcing within a particular group or network. If no options for action exist, this must at least be adequately taken into account in contingency planning.
In the case of significant outsourcing, the contents of the outsourcing contract must continue to comply with the requirements for the content of outsourcing contracts. With regard to further outsourcing (sub-outsourcing), it must at least be contractually ensured that the agreements between the outsourcing company and its subcontractors are consistent with the contractual agreements of the original outsourcing contract. Furthermore, the contractual requirements for further outsourcing must include a duty of the outsourcing company to inform the outsourcing institution. In the event of further outsourcing to a subcontractor, the outsourcing company therefore remains obliged to report to the outsourcing institution.
Risk management and performance monitoring
The institution must adequately manage the risks associated with (significant) outsourcing and properly monitor the execution of the outsourced activities and processes. This also includes a regular assessment of the outsourcing company's performance on the basis of the criteria to be applied. The institution must define clear responsibilities for the management and monitoring of significant outsourcing.
Central outsourcing management
Depending on the type, scope and complexity of the outsourcing activities, the institution must set up a central outsourcing management system. Its tasks include in particular:
implementation and further development of an appropriate outsourcing management and corresponding control and monitoring processes,
creation and maintenance of a comprehensive documentation of outsourcing (including further outsourcing),
support of the business units with regard to internal and legal requirements for outsourcing,
coordination and review of the risk analysis carried out by the responsible business units.
The central outsourcing management unit must prepare a report on the main outsourcing activities at least once a year and make it available to management. The report must state whether the services provided by the outsourcing companies correspond to the contractual agreements, whether the outsourced activities and processes can be adequately controlled and monitored, and whether further risk mitigation measures should be taken.
Q_PERIOR supports you in analyzing which outsourcing activities are carried out by your institution within a supervisory context. We support you in the implementation of adequate processes and the establishment of the necessary organizational structures. You can find out more about our risk management and compliance services here!