
Published: 21.03.2019 | Topic: Fintechs

When banks outsource IT services

Outsourcing activities and processes allows banks to focus on their core competencies and to improve their services. However, outsourcing can only work if institutions can ensure that risks are kept under control. In the age of digitalisation, banks and supervisors are facing new challenges.

Introduction

For companies, outsourcing activities and processes has always been an efficient way to benefit from the division of labour. As early as 1776, Adam Smith stated that the greatest improvement in the productive powers of labour seems to have been the division of labour.1 Banks are also taking advantage of outsourcing for many different reasons: in a comparative study conducted by BaFin in 2013, all of the institutions examined stated similar motives: cost savings, process optimisation and – especially in the case of IT – quality improvement, access to specialist knowledge, using synergies and saving resources. Saving costs was the primary motive for all of the banks.2

Over the last few decades, institutions have been increasingly relying on IT systems to support their processes and activities. Digitalisation is therefore nothing new for these institutions – but it has so far mainly taken place internally.3 As IT infrastructures are becoming increasingly interconnected, the opportunities for a division of labour between market players have multiplied in the area of information processing. This has allowed banks to outsource IT services, meaning that parts of the value creation process are no longer covered exclusively by the institutions but sourced from third parties as IT services. Value chains are therefore becoming increasingly split and decentralised.4

Standardisation of IT services

Standardised IT services allow companies to achieve economies of scale and thus save costs as described above. IT service providers, such as data centre operators offering standardised services to many different clients and customers (multi-client service providers), have been meeting the demand for such standardised services for a few years already. Banks predominantly outsource activities and processes in the area of IT, which is a trend BaFin analysed as early as 2013 and that can still be seen today.5 As digitalisation progresses and the importance of information technology and financial technology (fintech) grows, institutions are adjusting their business models, processes and systems to make use of these technologies. IT has now become one of the most outsourced activities for this reason.6 This goes hand in hand with the fact that outsourcing – in addition to seeking cost savings exclusively – is increasingly gaining a strategic dimension as credit institutions are seeking to focus on their core competencies and thus improve their services by outsourcing activities and processes.7

Outsourcing to the cloud

A current example of outsourcing where both costs and strategy play an important role is the noticeable increase in the use of cloud services.8 Cloud service providers offer a wide range of services, from providing storage space or computing power (Infrastructure as a Service – IaaS) and making developer platforms available (Platform as a Service – PaaS), e.g. to set up websites, to providing software applications and web applications (Software as a Service – SaaS)9 that run on the cloud service provider’s systems. The use of such cloud services allows institutions to find new ways to make parts of their business processes more efficient in terms of IT and, as described above, to focus on their core competencies and pursue new data-driven big data business strategies.

Risks of outsourcing

However, outsourcing does not only offer advantages; it entails risks for the outsourcing institutions, too. If risks are no longer within the organisational structure of institutions, there is a risk that they can no longer be fully identified or managed.10 This has prompted German legislators and supervisors to develop specific requirements for risk management in the context of outsourcing. These requirements are generally technology-neutral and can therefore be applied to cloud service providers as well.

Requirements for outsourcing to cloud service providers

Firstly, all forms of outsourcing are subject to the requirements under sections 25a and 25b of the German Banking Act (Kreditwesengesetz – KWG) in conjunction with AT 9 of the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk).11 In addition, material outsourced activities and processes that are identified by the institution itself as part of a risk analysis are subject to special requirements concerning, for instance, the drafting of contracts and the termination of the outsourcing arrangement. Furthermore, material outsourced activities and processes must be managed and monitored and clear responsibilities must be defined. These provisions – sections 25a and 25b of the KWG in conjunction with AT 9 of the MaRisk – were, however, specifically developed for certain outsourcing arrangements where contracts may be drawn up individually to include the corresponding powers to give instructions and conduct audits.

Given the considerable importance of IT, BaFin published its Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT)12 in November 2017, which includes specific requirements for outsourcing and the procurement of other external IT services in Module 8. One of the primary objectives of the BAIT is to raise awareness of IT risks in institutions, especially at management levels.

Guidance on outsourcing to cloud service providers

Outsourcing to cloud service providers comes with new challenges for both institutions and supervisors. For this reason, BaFin published a guidance notice on outsourcing to cloud service providers (Merkblatt “Orientierungshilfe zu Auslagerungen an Cloud-Anbieter” – only available in German) in November 2018.13

With this guidance notice, BaFin and the Deutsche Bundesbank sought to clarify how they assess this form of division of labour and various contract clauses in particular. Another objective was to make supervised institutions aware of the issues relating to cloud services and the associated supervisory requirements. To achieve this, the guidance notice refers to key aspects that supervised companies should observe when outsourcing to cloud service providers, e.g. when analysing risks and drawing up contracts. However, BaFin has not set out any new requirements in the guidance notice and has only provided information on current supervisory practice.

Discussions on the power to give instructions

In its guidance notice, BaFin addressed current discussions regarding the extent to which the requirements under AT 9 of the MaRisk are to be complied with when drawing up outsourcing arrangements for standardised IT services, for instance in relation to agreements on the power to give instructions. When outsourcing activities and processes, institutions must be able to give service providers individual instructions on outsourced activities and processes and the underlying controls accordingly. However, it may be difficult to issue instructions when using standardised services as these can also have an impact on the services that cloud service providers perform for other customers. This is why institutions may refer to the note on AT 9 number 7 of the MaRisk in cases like these, which allows them to waive explicit agreements granting institutions the power to give instructions if the service to be performed by the service provider is specified sufficiently clearly in the outsourcing contract. These waivers may also be applied when outsourcing to cloud service providers.

To what extent can audit rights apply?

Another key question is currently under discussion: to what extent can the stipulated unrestricted audit rights apply to cloud service providers? Firstly, the guidance notice makes it clear that it is necessary to ensure that institutions receive the information they need to appropriately manage and monitor the risks associated with outsourcing.14 In order to be able to manage and monitor these risks appropriately, institutions must be able to inspect not only the outsourced activities and processes but also the underlying control processes. Cloud service providers must therefore grant them unrestricted audit rights.

Cloud service providers consider that the exercise of audit rights by institutions entails risks for operations (e.g. for data centres) if multiple audits are conducted at the same time. The guidance notice therefore sets out various simplifications that institutions can use. For instance, in cases where material activities and processes are outsourced, the internal audit function of a bank may, under certain circumstances, waive conducting its own audit activities in accordance with BT 2.1 number 3 of the MaRisk. Audit activities can then be performed by the cloud service provider’s internal audit function, the internal audit function of one or more outsourcing companies supervised by BaFin on behalf of the outsourcing bank (pooled audits), a third party appointed by the cloud service provider or a third party appointed by the outsourcing institutions.15

Another simplification: institutions may, as a rule, rely on evidence or certifications based on current standards,16 the audit reports of recognised third parties or the internal audit reports of the cloud service provider; however, they should take into account the scope, level of detail, up-to-dateness and suitability of the certification body or auditor of the evidence, certifications and audit reports. If the internal audit function uses such evidence, certifications or audit reports for its activities, they should be able to verify any evidence underlying the above.17

Limits to outsourcing

Institutions can make use of the simplifications described above in order to outsource to cloud service providers as efficiently as possible and maximise economies of scale in this way. However, outsourcing to cloud service providers has its limits, too. BaFin President Felix Hufeld has repeatedly pointed out that the management bodies of outsourcing companies remain ultimately responsible.18 The European Banking Authority (EBA) has also made it clear that the responsibilities of an outsourcing institution’s management body can never be outsourced. Outsourcing must not lead to a situation where an institution becomes an “empty shell” that lacks the substance to remain authorised. To this end, the management body should ensure that sufficient resources are available to appropriately support and ensure the performance of its responsibilities, including overseeing the risks and managing the outsourcing arrangements.19

Outlook

Irrespective of the guidance notice, which shows the current status of supervisory requirements and administrative practice, there is the question of whether other or more detailed provisions will be needed to manage risks when outsourcing IT services. International standard-setters, such as the G7, the Basel Committee on Banking Supervision (BCBS) and the EBA, are currently looking at third-party and outsourcing risks. BaFin will examine on an ongoing basis whether supervisory provisions and administrative practice are appropriate and will adjust them if necessary. Guidelines such as the G-7 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector, published in October 2018, and the EBA’s guidelines on outsourcing agreements, published on 25th February 2019, will play an important role in this context.

There is also the question of whether and to what extent it is useful and expedient to set specific requirements for multi-client service providers in general and cloud service providers in particular in order to take into account their potentially systemic importance for the financial sector. An initial step for future regulatory considerations could be conduct of business obligations or a code of practice, which is already planned in the area of data protection for cloud service providers, for instance.20

In order to find out how supervisory requirements will evolve in the future, it is important to observe the application of existing provisions in practice in particular. For instance, pooled audits which are authorised for certain participating institutions are likely to require greater coordination efforts, which ultimately has an impact on the number of institutions that can conduct audits together. A number of institutions have already conducted their first pooled audits in recent months.

BaFin is therefore observing the implementation of pooled audits, also in terms of feasibility and the potential consequences for administrative practice and regulation. The same applies to the question of to what extent using audit reports and certifications based on current standards is enough to manage risks effectively.

The risks that may be associated with outsourcing to multi-client service providers are of particular interest from a supervisory and regulatory point of view. This type of outsourcing leads to greater interconnectedness between the financial sector and IT service providers and greater complexity in the market. This can result in new risks, for instance at the interfaces between market participants. As these risks do not arise within the organisational structure of supervised banks, institutions might not be able to fully identify and manage these risks. This is why it is important, from a regulatory and supervisory point of view, to assess and, if necessary, prudentially mitigate the structure of this dynamic market and the resulting risks.21

Risks can also arise when a large number of institutions outsource to a limited number of service providers. The EBA has noted that concentration of outsourcing arrangements at a few service providers may in extreme cases lead to disruptions where multiple institutions fail or are no longer able to provide their services. If service providers, e.g. in the area of information technology or financial technology, are no longer able to provide their services, this may cause systemic risks.22 In other words: the entire financial market may suffer the consequences. The need to monitor and manage concentration risk is particularly relevant to certain forms of IT outsourcing which are dominated by a small number of service providers.23

BaFin is currently examining how the risks described above can be monitored appropriately in the context of outsourcing to multi-client service providers. BaFin does not, as a rule, supervise service providers – including multi-client service providers and IT service providers. In order to gain a better understanding of such multi-client service providers, BaFin would have to be authorised to request information from them directly and order inspections to be conducted. BaFin’s current practice is to exercise these rights at supervised institutions only; it is to be examined whether this approach is sustainable in the long run.

But what can be done if multi-client service providers do not only serve the companies that BaFin supervises? Cases like these do not only entail risks for the German financial services sector; they can lead to risks for the economy as a whole – beyond Germany’s borders. Monitoring such service providers should therefore not be limited to national financial supervision. More than ever, regulation and supervision must take place on a multilateral level – in order to create a genuine level playing field.24

Authors

Raimund Röseler
Chief Executive Director of Banking Supervision at BaFin

Ira Steinbrecher
BaFin Division for Policy Issues relating to IT Supervision and Inspections

Footnotes

  1. Smith, The Wealth of Nations: Books I-III, Penguin Classics: 1982, page 109.
  2. See BaFinJournal expert article “Outsourcing: BaFin compares outsourcing by institutions” dated 15 August 2013.
  3. Gampe, Digitalisation and information security in the financial and insurance sectors as a focus of regulatory requirements, in: BaFinPerspectives, Issue 1/2018, page 70.
  4. See also Felix Hufeld’s speech on 28 May 2018, Digitalisierung – Chancen und Risiken in der Kredit- und Versicherungswirtschaft (Digitalisation – risks and opportunities in the banking and insurance sectors), www.bafin.de/dok/10976554, retrieved on 4 January 2019.
  5. loc. cit. (footnote 2).
  6. EBA/GL/2019/02, page 6.
  7. See also PricewaterhouseCoopers (PwC), Fit für die Zukunft – Wie sich bankfachliche Dienstleister erfolgreich für den Business Process Outsourcing Markt 2020 aufstellen (Fit for the future – how banking service providers are successfully preparing for the 2020 business process outsourcing market), Business Process Outsourcing Study, Frankfurt am Main, page 27.
  8. See EBA/GL/2019/02, page 6.
  9. BaFin Merkblatt, Orientierungshilfe zu Auslagerungen an Cloud-Anbieter (BaFin’s guidance notice on outsourcing to cloud service providers), page 4, www.bafin.de/dok/11681598, retrieved on 4 January 2019.
  10. Hufeld, “Supervision and regulation in the age of big data and artificial intelligence”, in: BaFinPerspectives, Issue 1/2018, page 16.
  11. Circular 09/2017 (BA) – Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk).
  12. See also Gampe, Digitalisation and information security in the financial and insurance sectors as a focus of regulatory requirements, in: BaFinPerspectives 1/2018, page 68 et seq.
  13. The guidance notice is aimed at companies in the financial sector that are supervised by BaFin (credit institutions, financial services institutions, insurance undertakings, Pensionsfonds, investment services enterprises, asset management companies, payment institutions and e-money institutions). This article focuses on institutions such as those listed under section 1 (1b) of the KWG (credit institutions and financial services institutions).
  14. BaFin Merkblatt, Orientierungshilfe zu Auslagerungen an Cloud-Anbieter (BaFin’s guidance notice on outsourcing to cloud service providers), page 8, www.bafin.de/dok/11681598, retrieved on 4 January 2019.
  15. BaFin Merkblatt, Orientierungshilfe zu Auslagerungen an Cloud-Anbieter (BaFin’s guidance notice on outsourcing to cloud service providers), page 9, www.bafin.de/dok/11681598, retrieved on 4 January 2019.
  16. Such as the International Organization for Standardization’s International Information Security Standard ISO/IEC 2700X and the Cloud Computing Compliance Controls Catalogue (C5 Anforderungskatalog Cloud Computing) of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI).
  17. BaFin Merkblatt, Orientierungshilfe zu Auslagerungen an Cloud-Anbieter (BaFin’s guidance notice on outsourcing to cloud service providers), page 9 et seq., www.bafin.de/dok/11681598, retrieved on 4 January 2019.
  18. See also Felix Hufeld’s speech on 28 May 2018, loc. cit. (footnote 3); Mußler, FAZ, 8 December 2018, page 26.
  19. EBA/GL/2019/02, page 7.
  20. Data Protection Code of Conduct for Cloud Service Providers Revised v1.0 of 22 June 2016; the Code was prepared by the Cloud Select Industry Group (C-SIG), which was convened by the European Commission (DG Connect and DG JUST). The Code consists of a set of requirements for cloud service providers.
  21. BaFin, Big data meets artificial intelligence – Challenges and implications for the supervision and regulation of financial services, page 14 et seq., https://www.bafin.de/SharedDocs/Downloads/EN/dl_bdai_studie_en.html, retrieved on 4 January 2019.
  22. EBA/GL/2019/02, page 14.
  23. loc. cit. (footnote 21).
  24. loc. cit. (footnote 3).
