FISG new obligations. The supervisory structures and the powers of BaFin in the examination of outsourcing are improved. The Financial Market Integrity Strengthening Act (FISG) creates new obligations for outsourcing. In future, the following notification obligations pursuant to Section 24 (1) No. 18 KWG must be observed:
These regulations come into force on 01.01.2022.
The provisions envisaged here are intended to give BaFin direct influence also on external service providers in the area of outsourcing tasks and processes under the German Banking Act (KWG), the Payment Services Supervision Act (ZAG), the German Investment Code (KAGB) and the German Securities Trading Act (WpHG).
They become liable to BaFin because they want to conclude or have concluded an outsourcing agreement with a supervised entity or actually perform or have performed tasks and processes.
It is no longer possible to imagine modern financial markets without compliance service providers. Their importance in the provision of financial services is constantly growing.
At the same time, the boundaries between regulated financial institutions and non-regulated entities are becoming increasingly blurred. Even in cases of outsourcing, the supervised institution remains primarily the contact person for BaFin.
The BaFin’s authority to issue orders can take effect vis-à-vis the outsourcing company, for example, if the outsourcing company violates obligations under the outsourcing agreement by disregarding mandatory supervisory requirements when providing the service to the institution. In cases where, for example, money laundering law requires the provision of information to staff and the outsourcing company does not properly carry out this information, BaFin may in future order that such information be properly carried out.
As a further example, an outsourcing company may be ordered to build up sufficient expertise in the management to properly provide the outsourced service to the institution; the measure may include a change in the business organisation if, for example, insufficient independence of individual persons is maintained for certain activities in the provision of the service to the supervised institution.
In addition, the outsourcing company may be required to submit regular reports, for example, in order to track the elimination of deficiencies discovered in the provision of the outsourced service to the institution.
§ Section 1(10) shall read as follows:
“(10) Outsourcing companies are companies to which an institution or superordinate company has outsourced activities and processes for the performance of banking transactions, financial services or other institution-typical services, as well as their subcontractors in the case of further outsourcing of activities and processes that are essential for the performance of banking transactions, financial services or other institution-typical services”.
The previous legal definition of an outsourcing company in Section 44 (1) sentence 2 KWG is transferred to the definitions of Section 1 KWG and its content is expanded, as the KWG will in future also speak of outsourcing companies in such provisions that do not exclusively refer to material outsourcing.
In the case of further outsourcing under the KWG, all subcontractors to which material activities and processes are outsourced within the meaning of § 25b KWG are to be covered. This is to ensure that service providers are also included as outsourcing companies, which do not provide their services directly to an institution, but to another outsourcing company.
According to the description, it is irrelevant for BaFin’s powers of intervention whether it is a supervised or a non-supervised company. A large number of companies can be considered, such as companies that belong to the group of the supervised company or companies that are themselves supervised by BaFin, but nevertheless provide activities and processes as outsourcing companies for other supervised companies.
§ Section 24 (1) KWG shall be amended. The following number 18 is added:
“18. The intention of a material outsourcing, the execution of a material and non-material outsourcing, any change in the assessment of the materiality of an outsourcing as well as material changes and serious incidents under existing outsourcing arrangements that may have a material impact on the business of the institution.
The notification requirements are supplemented by regulations on the notification of outsourcing. It is envisaged that institutions must notify the intention of a material outsourcing, the execution of a material and non-material outsourcing as well as any change in the assessment of the materiality of an outsourcing.
Furthermore, material changes and serious incidents within the framework of existing outsourcing agreements that may have a material impact on the business activity of the institution must be reported.
On the basis of the regulation, BaFin is to obtain as comprehensive a picture as possible of the outsourced activities and processes in the performance of banking transactions, financial services and other services typical of the institution.
Due to increased outsourcing, an overarching view is important to identify concentrations and especially concentration risks. These can also result from increased outsourcing of activities and processes that are not considered material in themselves.
The outsourcings to be newly notified by the regulation and thus recorded at BaFin are to be recorded both at the level of the outsourcing company and summarised for the company to which the activities and processes are outsourced, in order to be able to detect concentration risks arising there at an early stage and take any necessary measures.
FISG creates a legal obligation to keep an outsourcing register. § Section 25b KWG is amended. The following sentence is added to paragraph 1:
“An institution must keep an outsourcing register as part of its risk management; all material and non-material outsourcing must be recorded in it; it must be kept up to date.”
The following sentence is added to paragraph 3:
“In the case of outsourcing to an enterprise in a third country, it must be contractually ensured that the outsourcing enterprise must appoint a domestic authorised recipient to whom notifications and notifications by the supervisory authority can be effected.”
The following paragraph 4a is inserted after paragraph 4:
“(4a) The Federal Financial Supervisory Authority may also issue orders directly to outsourcing undertakings to which significant activities and processes within the meaning of paragraph 1 sentence 1 have been outsourced, in individual cases, which are suitable and necessary to prevent or stop breaches of supervisory provisions or to prevent or remedy irregularities at the institution which may jeopardise the security of the assets entrusted to the institution or impair the proper conduct of banking business or financial services.
The regulation provides that institutions must set up an internal outsourcing register and ensure the appointment of a domestic delivery agent through contractual agreements. Furthermore, the regulation contains extended powers of intervention also directly against outsourcing companies.
The establishment of an internal outsourcing register is based on the risk management of the institution. The institution must keep an outsourcing register and keep it up to date. All material and non-material outsourcing must be recorded in this register.
The obligation to appoint an authorised service agent serves to eliminate challenges in the notification of administrative acts in third countries. In supervisory practice, there have sometimes been significant difficulties in the past that have made it difficult or even impossible for BaFin to exercise its supervisory powers.
These challenges could also arise if an institution under the KWG has outsourced activities and processes to a company based in the third country. Overall, the notification of regulatory orders in third countries often involves considerable cost and time; the reliability of delivery is sometimes low.