Outsourcing in the financial sector
BaFin publishes amendments to MaRisk (BA) and BAIT as well as a new Circular on ZAIT
On 16 August, the German Federal Financial Supervisory Authority (BaFin) published its amended Circular 10/2021 (Supervisory Requirements for Financial Institutions) – Minimum Requirements for Risk Management (MaRisk) and, based on this, a revised version of its Supervisory Requirements for IT in Financial Institutions (BAIT). Simultaneously, BaFin released a new Circular 11/2021 (Supervisory Requirements for Financial Institutions) – Payment Services Supervisory Requirements for IT in Payment and E-Money Institutions (ZAIT). The amendments primarily serve to implement requirements that were established at EU level. In this respect, they contain both specifications of existing requirements and new regulations for institutions in the financial services sector. However, they do not specifically address outsourcing to the cloud, which is particularly relevant in practice.
6th Amendment of MaRisk (Minimum Requirements for Risk Management)
The MaRisk requirements are aimed at credit institutions and financial services institutions in Germany. They do not actually apply to the newly created category of small and medium-sized investment firms established by the German Investment Firms Act (Wertpapierinstitutsgesetz, WpIG) in June 2021. Nevertheless, according to the Q&A on the WpIG published by BaFin, the MaRisk requirements shall apply analogously to these institutions, paying particular attention to the principle of proportionality, until specific pronouncements are published for these institutions. With the 6th Amendment of MaRisk, BaFin is in particular implementing various guidelines of the European Banking Authority (EBA) into its published administrative practice, namely the EBA Guidelines on management of non-performing and forborne exposures (EBA/GL/2018/06), the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) and the requirements of the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04).
Essentially, the amended MaRisk requirements contain the following key changes:
- Requirements for institutions with a high level of non-performing loans (NPL) – the threshold is generally set at 5% – to develop strategies for non-performing exposures to reduce them to a certain target of non-performing exposures (NPE) (No. 3 AT 4.2).
- Revision and specification of the requirements for emergency management (including conducting risk analyses, having substitute solutions in place, plan for return to normal operations) (AT 7.3).
- Additional requirements for the entire outsourcing process (AT 9, see below).
- Revised regulations for processes in the credit business (BTO 1.2).
- Additional requirements for the treatment of problem loans (BTO 1.2.5) and risk prevention (BTO 1.2.6).
- New requirements on the procedure for measures with which institutions make concessions to borrowers due to emerging or existing financial difficulties (forbearance) (BTO 1.3.2).
Outsourcing at credit and financial services institutions according to MaRisk – no clarifications for outsourcing to the cloud
The particularly practice-relevant area of outsourcing (e.g. use of cloud applications as well as IT outsourcing) is addressed by AT 9 of the new MaRisk, which provides for numerous changes to the entire outsourcing process. These changes are the result of an intensive consultation process with market participants in which the appropriate implementation of the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) was discussed. The amendments had already been preceded by a number of adjustments to the legal requirements for outsourcing introduced through the German Financial Markets Integrity Strengthening Act (Finanzmarktintegritätsstärkungsgesetz, FISG), which was intended to provide the supervisory authorities with additional powers in respect of outsourcing companies. Compared to the draft version of MaRisk, on which consultations last took place on 26 October 2020, there have been no significant further developments in the area of outsourcing. Therefore, there are no additions to the increasingly important area of outsourcing to the cloud, for example with regard to audit rights for multi-client service providers. The changes to the previously applicable version of MaRisk concern in particular the risk analysis, the structure of the outsourcing agreement, intra-group or intra-network outsourcing and the management and monitoring of outsourcing risks:
- For example, there is a new requirement to provide an up-to-date outsourcing register with information on all outsourcing agreements (i.e. not only the outsourcing of critical or important functions) (AT 9 No. 14), which will probably require some adjustment effort by the institutions. This also includes outsourcing agreements with outsourcing companies within a group of institutions or a financial network. Furthermore, where the outsourcing of critical or important functions is sub-outsourced, it must now be determined by the outsourcing institution whether the part of the function to be sub-outsourced is critical or important and whether this critical or important part of the function must be recorded in the outsourcing register (AT 9 No. 14). As reference is made to the relevant passages in the EBA Guidelines on outsourcing arrangements with regard to the minimum content requirements in MaRisk, this implies that, for example, the costs of the outsourcing must also be included in the outsourcing register.
- In addition, stricter requirements apply to the initial risk analysis including a scenario analysis, whereby the latter should only be required if it is reasonable and proportionate. From now on, the results of the risk analysis must be expressly taken into account in outsourcing and risk management (AT 9 No. 2).
- The regulations also provide for increased obligations to continuously monitor the performance of the outsourcing company in the case of the outsourcing of critical or important functions based on certain criteria (e.g. key performance indicators, key risk indicators). Such elevated requirements also relate to contractually agreed information from the outsourcing company. The quality of the services provided must be regularly assessed in future (AT 9 No. 9).
- Any institution that outsources must now appoint a central outsourcing officer in the institution itself as part of outsourcing management (AT 9 No. 12). The outsourcing officer or the central outsourcing management must prepare a report on the outsourcing of critical or important functions at least annually and make it available to the management. In addition, AT 9 No. 12 stipulates ad hoc reporting.
Where critical or important functions are outsourced, the outsourcing agreement must in future contain at least the following minimum content, agreed in text form:
- Date on which the outsourcing agreement begins and, if applicable, ends,
- the law applicable to the outsourcing agreement, if not German law,
- locations (i.e. regions or countries) where the service is performed and/or the relevant data is stored and processed, as well as the provision that the institution will be notified if the outsourcing company changes its location,
- agreed service level with clearly defined performance targets,
- where applicable, that the outsourcing company must provide evidence of insurance for certain risks,
- requirements for the implementation and review of contingency plans.
AT 9 No. 15 of the new MaRisk provides certain facilitations in the case of intra-group and intra-network outsourcing:
- When the risk analysis is prepared and adapted, effective precautions at the group or network level, in particular uniform and comprehensive risk management as well as rights of recourse, may be deemed to reduce risk.
- For outsourcing by several institutions in a group or network to one or more joint outsourcing companies, it is now possible to set up central outsourcing management at group or network level in certain circumstances.
- For the risk reporting on outsourcing companies used within a group/network, there is the option of a central pre-evaluation, which facilitates further use by the outsourcing institutions.
- There is a new option to outsource the risk controlling function completely, not only to a higher institution, but within the group of institutions, provided that the outsourcing institution is not deemed essential.
- However, even for outsourcing within a group of institutions or a financial network to a central outsourcing company within the group or network, the conditions, including the financial conditions, must be contractually defined, e.g. through group-internal SLAs.
Alongside the revision of MaRisk, BaFin has also updated the Supervisory Requirements for IT in Financial Institutions (BAIT), which also apply to credit institutions and financial services institutions. The update serves to implement the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04). Although the amended BAIT does not introduce any fundamental changes, its content has been expanded, adapted and made more detailed in certain parts. Institutions will therefore have to address the new BAIT requirements thoroughly and consider whether they need to adapt their internal procedures as a result. The following three new chapters of the BAIT are especially relevant in practice:
- Operational information security (II.5.): Requirements for the technical implementation of information security management and designation of instruments for monitoring the effectiveness of information security measures.
- IT contingency management (II.10.): Specifications for time-critical processes and activities regarding the establishment of restart, emergency operation and recovery plans.
- Management of relationships with payment services users (II.11.): Specification of requirements for customer relationship management.
Additionally, BaFin has paid particular attention in the amendment to promoting information security – i.e. the protection of relevant information in any form. The term “information security” goes beyond the scope of conventional “IT security”. Thus, BaFin clarifies that the relevant processes cover the entire area of entrepreneurial activity and not just IT operations. For example, BAIT requires institutions to provide training on information security.
The new ZAIT – Clarification of German Payment Services Supervision Act
Entirely new are the Payment Services Supervisory Requirements for IT in Payment and E-Money Institutions (ZAIT) published by BaFin, with which BaFin is implementing the requirements of the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04) and the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02). The ZAIT requirements specify for the first time the IT requirements, including IT outsourcing, for these institutions.
Further, the stipulations are intended to provide a flexible and practical framework for the technical and organisational facilities of the institutions concerned, in particular for the management of IT resources, information risk management and information security management (section 27(1) of the German Payment Services Supervision Act (Gesetz über die Beaufsichtigung von Zahlungsdiensten, ZAG)). The ZAIT rules also specify the requirements for outsourcing activities and processes (section 26 ZAG) and the regulations for managing operational and security risks in the provision of payment services (section 53(1) ZAG). Conceptually, ZAIT represents a combination of the BAIT rules, which are extremely similar to those in the ZAIT both in structure and content, and certain requirements of MaRisk. Therefore, there are virtually no regulatory innovations in ZAIT in terms of content. However, since neither MaRisk nor BAIT is directly applicable to payment and e-money institutions (even though their analogous application was often required in administrative practice), the ZAIT requirements are certainly very important in practice. The central provisions of ZAIT concern the following:
- IT strategy (II.1.) and IT governance (II.2.),
- information risk management (II.3.) and information security management (II.4.),
- operational information security (II.5.) and identification and rights management (II.6.),
- IT projects and application development (II.7.) and IT operations (II.8.),
- outsourcing and other external procurement of IT services (II.9.) – in this respect, the MaRisk requirements for outsourcing essentially apply accordingly,
- contingency management (II.10.) and management of relationships with payment services users (II.11.) and
- critical infrastructure (II.12.).
With the new requirements, BaFin aims to counter the growing threat of cyberattacks in particular and continue to provide regulatory support for the outsourcing of IT processes.
Timeline and implementation
The amended MaRisk requirements came into force upon publication on 16 August 2021. The further specifications must be implemented immediately. In contrast, there is a transitional period until 31 December 2021 for the implementation of the new requirements. Outsourcing agreements that already exist or are being negotiated must be adapted by 31 December 2022.
No transitional periods are provided for the BAIT requirements, as BaFin is of the opinion that no new requirements are being imposed, but only further specifications are being made.
The ZAIT requirements have also been in force since their publication on 16 August 2021. Here, too, BaFin does not consider transitional periods to be necessary in principle, because existing supervisory requirements are only being interpreted or further specified. Nevertheless, BaFin’s cover letter on ZAIT refers to the transitional periods in the EBA Guidelines, although it remains unclear what this will mean for the affected institutions, especially as BaFin has announced that it will conduct supervisory reviews of payment and e-money institutions in order to monitor the implementation of ZAIT.
With the new regulations, BaFin has fine-tuned the regulatory requirements for a proper business organisation applicable to institutions in the financial sector. The newly introduced requirements relate in particular to information security and outsourcing, with the content being essentially based on the corresponding EBA Guidelines. As is so often the case with announcements by supervisory authorities specifying legal regulations, the amendments to MaRisk and BAIT as well as the publication of ZAIT are a double-edged sword. On the one hand, the fact that the institutions receive somewhat greater legal certainty with regard to supervisory expectations is welcome. On the other hand, the new requirements are in some cases very detailed, which begs the question whether and how the proportionality principle should be applied in this respect in future. In addition, the new provisions only take limited account of the institutions’ need for legal certainty if the subject of outsourcing to the cloud, which is particularly important in practice (and specifically addressed at EU level), is not dealt with separately. Credit institutions, financial services institutions as well as payment and e-money institutions would in any case be well advised to examine their technical and legal processes promptly and to make the necessary organisational and contractual adjustments. It is also advisable for cloud providers and other IT providers to deal with the new regulatory content, as they are likely to face additional demands from BaFin-regulated clients in contract negotiations in the future.
Any questions? Please contact: Dr Jens H. Kunz, Dr David Bomhard or Dr Max von Schönfeld