The leaflet of the Federal Financial Supervisory Authority (BaFin) sets out which provisions must be included in outsourcing contracts and which preparatory steps must be completed before the outsourcing takes place. In its "Leaflet - Guidance on outsourcing to cloud providers", published on 8 November, BaFin and the German Central Bank (Deutsche Bundesbank) explain their understanding and interpretation of cloud services, and state what banks and other supervised financial services institutions (hereinafter referred to as "supervised institutions") must bear in mind when outsourcing to cloud providers. The leaflet is addressed to all supervised institutions wishing to use a cloud service; the specific guidance on contract drafting, however, only has to be observed in the case of material outsourcing (section 25b of the German Banking Act (KWG) in conjunction with MaRisk) or non-differentiated outsourcing under the German Capital Investment Code (KAGB). In nine chapters, BaFin elaborates on which provisions must be included in an outsourcing contract with a cloud service provider. Although the leaflet is characterised as guidance only, and in itself neither changes nor amends applicable law but merely describes the supervisor's current practice, financial services institutions are strongly advised to follow its recommendations when outsourcing. Only by doing so can they ensure that BaFin and the Deutsche Bundesbank will not raise objections to the corresponding contractual arrangements.
Outsourcing and other external procurement of IT services are the focus of the current supervisory regulations concerning banks. The application of the relevant provisions of section 25b of the German Banking Act (KWG) is not appropriate in view of the specific risks associated with such arrangements.
Other external procurement of services is not considered outsourcing within the meaning of this circular. This includes, first of all, the non-recurring or occasional external procurement of goods and services, as well as the external procurement of services which the institution typically cannot provide itself, e.g. Appropriate risk treatment and ensuring a proper business organisation apply equally to other external procurement of services in accordance with section 25a (1) of the German Banking Act (KWG).
This also applies to the outsourcing of IT services which a service provider delivers to the institution via a network, e.g. Under MaRisk, BaFin now classifies support services for software that is used to identify, assess, control, monitor and communicate risks, or that is essential for performing banking business tasks, as outsourcing. Operation of such software by an external third party is likewise deemed to be outsourcing.
The isolated purchase of software is usually classified as other external procurement. This includes, among other things, the following support services: The classification of materiality is to be carried out on the basis of the risk analysis, e.g. The principle of proportionality continues to apply. The integration of outsourced activities and processes into risk management is mandatory. The intensity of the analysis depends on the type, scope, complexity and risk content of the outsourced activities and processes.
This also applies to the outsourcing of special functions such as risk controlling, compliance, internal audit or core banking areas. Where special functions are outsourced in full, management must appoint an audit representative for each of them who ensures that the respective tasks are carried out properly.
Accordingly, the risks associated with each purchase of software must also be appropriately assessed (see General Part 7). Given the fundamental importance of IT for the institution, a risk assessment must also be carried out in advance for any other external procurement of IT services (cf. note 53 BAIT). In the case of material outsourcing, the institution must examine and approve options for action, with regard to their feasibility, for an unintended or unexpected termination of that outsourcing which could have a significant adverse effect on business activities.
This also includes, as far as reasonable and possible, the definition of appropriate phase-out processes. The options for action must be reviewed regularly on a needs-related basis.
The phase-out processes must be defined with the objective of maintaining or restoring the necessary continuity and quality of the outsourced activities and processes within a reasonable time.
This is not necessary in the case of outsourcing within a particular group or network. If no options for action exist, contingency planning must at least be given adequate consideration. In the case of material outsourcing, the outsourcing contract must continue to comply with the requirements for the content of such contracts.
With regard to sub-outsourcing, it must at least be contractually ensured that the agreements between the outsourcing company and its subcontractors are consistent with the contractual agreements of the original outsourcing contract. Furthermore, the contractual requirements for sub-outsourcing must include a duty of the outsourcing company to inform the outsourcing institution.
In the event of sub-outsourcing to a subcontractor, the outsourcing company remains obliged to report to the outsourcing institution. The institution must adequately manage the risks associated with material outsourcing and properly monitor the execution of the outsourced activities and processes.
This also includes regularly assessing the performance of the outsourcing company against the criteria to be observed. The institution must define clear responsibilities for managing and monitoring material outsourcing. Depending on the type, scope and complexity of the outsourcing activities, the institution must set up a central outsourcing management function.
Its tasks include in particular: The central outsourcing management unit must prepare a report on the main outsourcing activities at least once a year and make it available to management.
The report must state whether the services provided by the outsourcing companies correspond to the contractual agreements, whether the outsourced activities and processes can be adequately controlled and monitored, and whether further risk mitigation measures should be taken.
BaFin includes pension funds in its MaRisk
Banks and financial service providers are exposed to a whole range of risks which they must control in order to operate successfully in the market and secure their survival on a sustainable basis. In view of the rapid developments on the financial markets, modern regulation cannot rely on compliance with quantitative indicators alone, but must focus in particular on institutions' risk management. The MaRisk provide a comprehensive framework for the management of all material risks, based on section 25a of the German Banking Act (Kreditwesengesetz, KWG), which governs the organisational requirements for institutions' internal risk management. The MaRisk, which were developed in collaboration with industry professionals, provide a principles-based framework that gives institutions the flexibility to implement solutions individually. Moreover, the MaRisk contain numerous opening clauses which ensure that smaller institutions can also comply with the requirements in a flexible way.