
Published: 26.08.2019 | Topic: Risk management

One for many

Many banks are outsourcing activities and processes in order to focus on their core competencies. However, in such cases it must be clear which entity retains responsibility for which services in the case of operational disruptions.

Outsourcing financial services and financial processes offers economic opportunities, but also entails challenges. Among other things, outsourcing situations pose the risk that the outsourcing institution will also lose a part of its core expertise with every outsourcing. However, this is precisely what is needed in order to be able to supervise the services performed by the external service provider – a task that has to be performed by the outsourcing enterprise. As BaFin President Felix Hufeld has repeatedly made clear, ultimate responsibility rests in all cases with the management board of the outsourcing enterprise.

Most external service providers are multi-client service providers that perform standardised services such as securities settlement and payment transaction processing for a large number of institutions. If multiple institutions were to want to exercise their contractual rights of audit at their service provider at one and the same time, this could tie up capacity at the multi-client service provider to such an extent that the contractually agreed service could suffer.

In order to avoid such situations, BaFin’s Minimum Requirements for Risk Management at banks (MaRisk, AT 9 - only available in German) grant certain waivers relating to the business relationship between the multi-client service provider and the outsourcing institution, a practice that dates back to 2007.

At a glance: The participants in outsourcing

Principal: the outsourcing enterprise, e.g. an institution

Contractor: the external service provider, multi-client service provider

Safeguarding against service provider failure

The MaRisk (AT 9 number 6) require that “In the case of material outsourced activities and processes, the institution, in the event of an intended or expected termination of the outsourcing arrangement, shall take safeguards to ensure the continuity and quality of the outsourced activities and processes also after the termination of the outsourcing arrangement”. But what about if such a termination wasn’t intended or occurs unexpectedly? In this case, the outsourcing institution is required to examine the feasibility of, and adopt, possible courses of action. Where appropriate and possible, exit processes should also be established. In the case of time-critical processes, such measures must already have been set out in the contingency plan (MaRisk AT 7.3). The courses of action shall include an analysis setting out safeguards for the case that outsourcing ends unexpectedly. However, BaFin explicitly does not expect an institution that has completely outsourced its IT operations to a service provider to be able to resume all IT functions immediately in case of the latter's failure.

Exit process must ensure continuity

Exit processes shall be defined with a view to ensuring that the necessary continuity and quality of the outsourced activities and processes can be maintained or restored within an appropriate period of time. However, the establishment of such processes may be waived in the case of outsourcings within a group or within a network of affiliated financial institutions – if, for example, services are provided by a subsidiary (MaRisk AT 9 number 6, explanations). The same applies if an institution cannot practicably develop any course of action in the short term where an unexpected or unintended termination of the outsourcing arrangement by the service provider occurs. However, this conclusion must be reached on the basis of a documented analysis. For example, the lack of a short-term alternative can be assumed to exist where activities and processes have been outsourced to a multi-client service provider that has a relatively unique position on the market. If no courses of action have been specified, the issue must be taken into account in the contingency plan (MaRisk AT 9 number 6, explanations).

Insights from service providers’ contingency planning may be included

Small institutions that outsource activities and processes to a multi-client service provider may not have the expertise needed for coherent contingency planning. This applies in particular to the requirement set out in AT 7.3 number 1 of the MaRisk, according to which the outsourcing institution and the external service provider have to develop mutually coordinated contingency plans for time-critical activities and processes. Here, too, it becomes clear that contingency planning by the multi-client service provider cannot replace such planning by the outsourcing institution.

However, the outsourcing institution can obtain valuable insights from the multi-client service provider’s contingency planning and can also take over elements from this. What remains crucial here is that there is an interface between the outsourcing institution and the multi-client service provider. In addition, BaFin expects the outsourcing institution to have already considered the quality of the external service provider’s contingency management as part of its risk analysis.

Specifying certain items in the outsourcing contract

In the case of material outsourced activities and processes, the outsourcing institution’s powers to give instructions shall be specifically set out in the contract to the extent necessary (AT 9 number 7 letter d of the MaRisk). The MaRisk (AT 9 number 7, explanations) do not require an explicit agreement granting the institution the power to give instructions if the service to be performed by the external service provider or multi-client service provider is specified clearly in the outsourcing contract. The more frequently multi-client service providers can act on the basis of a clear outsourcing contract, the less often specific instructions by individual institutions will make their work more difficult.

The MaRisk (AT 9 number 7 letter g) specify that, in the case of material outsourced activities and processes, the outsourcing contract must include rules covering the possibility and modalities of subcontracting services to a third party. In the case of subcontracting, the outsourcing contract must ensure that the institution continues to comply with the prudential supervisory requirements. Hence the outsourcing institution and the multi-client service provider can agree in the outsourcing contract that certain activities and processes can be outsourced to a third party without express consent, provided that compliance with the prudential supervisory requirements is ensured at all times.

However, in the case of subcontracting, where possible, either the outsourcing institution shall be given the right to reserve approval or concrete provisions for subcontracting shall be agreed in the outsourcing agreement (AT 9 number 8 of the MaRisk). Since, in the case of multi-client service providers, obtaining the consent of all institutions for which services are provided is likely to entail increased effort, the concrete provisions for subcontracting should be agreed up front in the outsourcing contracts.

One such provision is that the multi-client service provider must ensure that its (future) agreements with subcontractors are consistent with the contractual terms of the original outsourcing agreement. In the case of subcontracting, the outsourcing agreement must also include an obligation on the part of the external service provider to provide information to the outsourcing institution. This makes the work of the multi-client service provider easier, since it does not have to make contact with, and obtain the consent of, all institutions in the case of every situation in which it proposes subcontracting to a third party.

Pooled audits make the work of multi-client service providers easier

The MaRisk (AT 9 number 7 letter b) require the outsourcing contract to set out appropriate rights of information and review for the internal audit function at the outsourcing institution and for external auditors in the case of material outsourced activities and processes. However, if certain conditions are met, the outsourcing institution’s internal audit function can waive performance of its own audit activities (MaRisk AT 9 number 7, explanations and BT 2.1 number 3). The following alternatives may replace the institution’s internal audit function:

  • the external service provider’s internal audit function,
  • the internal audit function of one or more of the outsourcing institutions on behalf of the outsourcing institutions,
  • a third party commissioned by the external service provider, or
  • a third party commissioned by the outsourcing institutions.

In the case of all four alternatives, the internal audit function of the outsourcing institution must regularly verify that the enterprise, institution or third party commissioned to perform the internal audit complies with the relevant requirements (MaRisk AT 4.4 and BT 2). To this end, for example, the findings of the auditor of the annual accounts of the third party commissioned to perform the internal audit may be drawn upon as a source of information. BT 2.1 number 3 of the MaRisk requires that the relevant audit findings be passed on to the internal audit function of the outsourcing institution.

A waiver by the internal audit functions of the outsourcing institutions of the performance of their own audits substantially reduces the workload on their multi-client service providers. For example, multiple institutions with identical or similar outsourced processes can join forces to perform a pooled audit. This avoids the multi-client service provider concerned having to undergo multiple individual audits. In addition, multiple institutions can agree among themselves to commission a third party to perform the audit. This option must be treated as a case of outsourcing.

In the case of a large number of institutions sourcing standardised services, it may make sense to conduct uniform audits on the basis of an audit plan that has been agreed with all the institutions concerned. This also reduces the workload for the multi-client service provider, allowing it to focus on providing its services.

Author

Dr. Torsten Kelp
BaFin Division responsible for SREP, Remuneration Schemes, Operational Risk

Please note

This article reflects the situation at the time of publication and will not be updated subsequently. Please take note of the Standard Terms and Conditions of Use.
