MaRisk 6.0: What changes in outsourcing management?
MaRisk 6.0: What changes in outsourcing management? Detailed requirements are implemented from the Outsourcing Guidelines in section AT 9. The changes affect the entire outsourcing cycle.
For example, requirements for risk analysis and determining materiality, for structuring the outsourcing agreement and for managing and monitoring the risks of outsourcing agreements have been expanded and specified.
In the case of material outsourcing in the outsourcing agreement, access rights are to be considered in addition to information and audit rights.
#1 MaRisk 6.0: What changes in outsourcing management?
In order to bundle the central management and monitoring of the risks of outsourcing arrangements, each institution that outsources is to appoint a central outsourcing officer itself.
The central outsourcing management, which an institution must set up depending on the type, scope and complexity of the outsourcing activities, serves to support the outsourcing officer.
With regard to the new requirement from AT 9 point 12 to appoint an outsourcing officer, the consultation questioned in particular the direct subordination and reporting duty of the outsourcing officer to the management. According to the final version, it is now considered sufficient for the organisational requirements that the outsourcing officer is located in a unit that reports directly to the management. The outsourcing officer can also be the head of (supporting) outsourcing management at the same time.
#2 Central outsourcing management at group level
With the 6th MaRisk amendment, the possibility is now also granted to set up central outsourcing management at group or association level.
The regulations for simplifications at group level only apply in full to those groups where the group as well as the institutions where functions are to be centralised fall under the application of the CRR and thus also the Outsourcing Guidelines.
In addition, the possibilities with regard to the complete outsourcing of the special functions risk controlling function, compliance function and internal audit are expanded to the effect that the complete outsourcing is now also possible under certain circumstances to sister institutions within a group of institutions.
Great importance continues to be attached to these functions as management and control instruments for the management.
#3 Requirements for the outsourcing register + MaRisk 6.0: What changes in outsourcing management?
In the consultation process, the lack of a list of (contractual) parameters to be entered in the outsourcing register was also addressed.
In order to remedy this and at the same time avoid deviations from the Outsourcing Guidelines in the implementation of this new legal requirement of 25 b para. 1 of the German Banking Act (according to the Financial Market Integrity Strengthening Act – FISG -E), the final version of AT 9 para. 14 MaRisk refers directly to paras. 54 and 55 of these guidelines.
This is intended to make it easier for European banking groups to set up a central outsourcing register, as permitted in point 53 of the Outsourcing Guidelines.
Among the mandatory parameters listed in paragraphs 54 and 55 of the Outsourcing Guidelines, the meeting of the MaRisk expert committee on 4 March 2021 focused in particular on the field of coverage under paragraph 55 lit. a. The aim is to facilitate the establishment of a central outsourcing register for European banking groups, as permitted in paragraph 53 of the Outsourcing Guidelines.
Institutions that are affiliated to central protection schemes should also list the other contractual partners of the outsourcing company from the association. The supervisory authority recognises that this can only be considered proportionate where such a recording can be assumed, in particular when a central outsourcing management is set up at association level.
The requirement to record the costs of outsourcing in the outsourcing register was also viewed critically. However, this is also a requirement of the Guidelines on Outsourcing, point 55 lit. k. Therefore, also according to MaRisk, which implements these guidelines, an annual entry must be made regarding the estimated costs or budget.
Outsourcing can hardly be compared if there is no cost framework. However, an intra-year entry of cost adjustments is not required for this purpose.
#4 Outsourcing: Consideration of political risks in the risk analysis
With regard to the requirements for the risk analysis, BaFin has included a wording proposal of DK for the implementation of the EBA Outsourcing Guidelines compared to the consultation version and now state in AT 9 para. 2 that the risk analysis must take into account the extent to which an activity or process to be outsourced is of material importance.
MaRisk 6.0: What changes in outsourcing management? The industry has identified the assessment of political risks as a problematic aspect of risk analysis. According to point 68 lit. d of the Guidelines on Outsourcing, this means the assessment of political stability with regard to the security situation of the jurisdiction in question, which is not likely to refer to EEA countries as a rule.
The analysis of political risks is therefore of particular importance for the possible enforcement of contractually agreed rights in third countries. Since country-specific risks have already had to be taken into account in the risk analysis, BaFin does not see any increased requirements in this respect and does not expect a change in the previous practice.
#5 Outsourcing: Consideration of a scenario analysis in the risk analysis
The addition of a scenario analysis to the risk analysis tends to appear disproportionate to the industry and also only partially sensible.
Accordingly, it is clarified in the explanations of the final version of MaRisk that the risk analysis is only to be supplemented by a scenario analysis if this is reasonable and proportionate.
However, in line with the explanations in point 65 of the Guidelines on Outsourcing, it is to be assumed that in many cases it may well be reasonable and, taking into account the principle of proportionality, also necessary to assess the possible effects of omitted or even inadequate services by means of a scenario analysis (even before the conclusion of the contract), as they could result, among other things, from external events (to be simulated).