
The image shows Dr Sibel Kocatepe (BaFin) at the event “IT Supervision of Insurers and Pension Funds” © Armin Höhner

Published: 19.08.2022 | Topic: Risk management

Outsourcing: maps provide guidance

Since the start of 2022, all financial institutions have been subject to the new requirement regarding reporting on outsourcing. At the event “IT Supervision of Insurers and Pension Funds” BaFin expert Dr Sibel Kocatepe explained the purpose of this new requirement and discussed BaFin’s reporting and publishing platform.

Insurers and institutions for occupational retirement provision (IORPs) are already long familiar with the requirement to report to BaFin on the outsourcing of key functions or insurance activities. For banks and investment firms, however, this requirement is new. Since the beginning of January, all companies supervised by BaFin have been subject to a cross-sectoral and largely uniform requirement to report material outsourced activities and processes to the supervisor. This was set out by the legislature, in particular in the Act to Strengthen Financial Market Integrity (Gesetz zur Stärkung der Finanzmarktintegrität – FISG). However, if we look at the details of this new requirement, we see there are also new rules for insurers and IORPs.

To put this in context: BaFin has observed that companies across all sectors are outsourcing an increasing number of activities and processes to service providers. This development creates particular risks for the outsourcing institutions. Institutions risk becoming dependent on the third-party service providers if these service providers cannot be replaced where necessary by another company or by the institution itself (lock-in effect). In addition, many service providers offer their services to numerous companies throughout the financial market at the same time. Such multi-client service providers can create concentration risks that can threaten the stability of the financial market as a whole.

The new reporting requirement provides BaFin with an overview of outsourcing and sub-outsourcing arrangements. This allows BaFin to identify multi-client service providers and to monitor them on the basis of its own risk assessment. One area of focus is multi-client IT service providers, which includes cloud service providers. These companies are monitored by BaFin Division GIT 2, which was established last year and forms part of BaFin’s IT Supervision Directorate. Division GIT 2 is responsible for incident reporting, monitoring of multi-client IT service providers and crisis prevention. Dr Sibel Kocatepe has been involved from the start.

“We quickly realised that we needed a more stable data basis in order to identify concentration risks, since such risks extend beyond the boundaries of individual sectors,” she explained at the event. The problem was that requirements to report material outsourced activities and processes to the supervisor did not apply in all sectors. While reporting was stipulated under the Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG), the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG) and the German Investment Code (Kapitalanlagegesetzbuch – KAG), until recently, no such requirements were contained in the German Banking Act (Kreditwesengesetz – KWG) or in the German Investment Firm Act (Wertpapierinstitutsgesetz – WpIG).

Now, all companies under BaFin’s supervision are subject to a reporting requirement. The requirements for reporting are broadly consistent across the different sectors. In future, these requirements will be set out and specified in the individual reporting regulations. For insurers and pension funds, the requirements can be found in the Regulation on Reporting of Outsourcing by Insurers (Versicherungs-Ausgliederungsanzeigenverordnung – VersAusgl-AnzV).

Same old rules for insurers and pension funds?

“The principle of uniformity might help insurers and pension funds to understand why we are issuing new requirements for something that they are already familiar with,” explained Kocatepe at the beginning of her presentation. Insurers and pension funds have been subject to a requirement to report on their outsourcing for years – and these companies already submit to BaFin a lot of the information BaFin is now requesting from the financial companies under its supervision.

“You have an advantage here,” said Kocatepe, addressing the expert audience. “As part of outsourcing management within your companies, you have already established processes to generate the data needed. To a large extent, you can continue to use these data.” There are, however, two key regulatory changes for the insurance industry. Firstly, there will be a change in the way supervised companies in the insurance industry communicate with BaFin. Barring a few exceptions, BaFin will in future only accept data on outsourcing via its electronic reporting and publishing platform (Melde- und Veröffentlichungsplattform – MVP). And secondly, in future, the reporting requirement will not only play a role in insurance supervision, it will also form part of a comprehensive, cross-sectoral monitoring concept for external service providers.

New requirement for insurers and IORPs: all levels of outsourcing are relevant

“We receive structured reports on significant outsourcing arrangements from all financial sector entities via the electronic reporting platform,” explained BaFin expert Kocatepe. A lot of the fields to be filled in on the electronic reporting platform – like BaFin’s work on the Reports Regulation in general – are aligned with the EBA Guidelines on outsourcing arrangements: for example, banks and payment institutions are required to keep an outsourcing register containing a range of information on their outsourcing arrangements.

What is new is that insurers and IORPs will in future not only be required to provide information about their direct outsourcing partners, but will have to provide information regarding the entire chain of outsourcing providers, provided the insurer or IORP is aware of this information when the contract is concluded or later becomes aware of this information. This will allow networks of outsourcing relationships within individual branches and in the entire financial market to be identified, strengthening the resilience of the financial market as a whole.

BaFin recommends that supervised entities also submit via the MVP platform information on outsourcing that they have already reported in the past and that is still relevant. This is because, in the past, these data were received by the individual supervisors and not systematically entered into electronic records. “Given the number of companies, we need standardised records of all information, meaning information should be stored in the same format and with the same level of detail. That is the only way to ensure we can analyse outsourcing relationships across different sectors, taking a bird's eye view of the market as a whole,” said Kocatepe.

“It is in the companies’ own interest to report all existing outsourcing arrangements via the MVP,” she continued. Here BaFin is relying on the cooperation of the industry, which will also benefit from these analyses. This is because the information BaFin receives via the MVP can be used to proactively warn companies. This could be particularly relevant where financial entities use a service provider that has been the subject of numerous incident reports by other financial entities. It also benefits financial entities planning to outsource services: “If entities are considering a service provider that BaFin has received numerous reports about, we can draw the outsourcing entity’s attention to this,” said Kocatepe.

Submitting reports via the MVP for the first time

BaFin offers three options for submitting data: an electronic form, file upload, or a technical interface. All financial entities have to register with the platform and have their accounts activated before they can submit outsourcing reports electronically. Electronic reports will have legal effect as soon as the reports regulations have entered into force and the new MVP procedure has gone live. BaFin will publish guidance to assist companies reporting outsourcing via the MVP.

Since December 2021, around 200 companies have had an account activated for the test version. These companies have already had the opportunity to get to grips with the new specialised procedure and the corresponding reporting form. The day after the event “IT Supervision of Insurers and Pension Funds”, BaFin held a workshop with around 300 industry participants. BaFin explained to the companies how the MVP works in technical terms. At the end of 2021, BaFin launched a consultation on its website regarding the Regulation on Reporting of Outsourcing by Insurers (VersAusgl-AnzV), alongside the four regulations for the other industries.

Legal basis for the Regulation on Reporting of Outsourcing by Insurers: current version and amendments

Once the Regulation on Reporting of Outsourcing by Insurers, alongside the other four regulations, has been reviewed by the Federal Ministry of Justice and the Federal Ministry of Finance, BaFin has to agree with the Bundesbank on both regulations for the banking sector. Regulations affecting the insurance industry do not have to be agreed with the Bundesbank. “However, in this case, we will wait for this step to be completed,” explained Kocatepe. “This is because the electronic reporting platform will only go live when the various regulations for the respective sectors have entered into force. The Bundesbank has to approve the rules for the banking sector and is therefore involved in the process as a whole.” Finally, the Regulation will be submitted to the National Regulatory Control Council (Nationaler Normenkontrollrat).

Kocatepe and her team expect the Regulation on Reporting of Outsourcing by Insurers to enter into force in autumn 2022. Until then, the administrative practice with regard to the reporting requirement under section 47 no. 8 and 9 of the VAG will continue to be applied. This means that companies will still be required to report key outsourcing arrangements to BaFin following the old procedure.

Reporting outsourcing: new requirements for insurers and IORPs

The requirement under the VAG to report outsourcing arrangements has not changed. The only changes were to the contents of the reporting requirement, which will in future be found in the individual standards under the Regulation on Reporting of Outsourcing by Insurers as set out in the table below:

Topic | Legal basis in the VAG | Specification in the Regulation on Reporting of Outsourcing by Insurers
Report on the intention to outsource | Section 47 no. 8 of the VAG. Catalogue with details on outsourcing, e.g. on outsourced activities, the service provider, the contract etc. | Section 2 (1) of the VersAusgl-AnzV
Report on outsourcing arrangements not carried out | If the company does not outsource services as reported in accordance with section 2 (1) of the VersAusgl-AnzV, this fact must be reported. | Section 2 (2) of the VersAusgl-AnzV
Report on material changes | Section 47 no. 9 of the VAG. Non-exhaustive catalogue of examples of essential circumstances arising after conclusion of the contract that must be reported. | Section 3 (1) of the VersAusgl-AnzV
Report on serious incidents | Section 47 no. 9 of the VAG. Non-exhaustive catalogue of examples of essential circumstances arising after conclusion of the contract that must be reported and that could compromise the company’s continued operations. | Section 3 (2) of the VersAusgl-AnzV

“Around 80 percent of the data we collect is consistent across the various sectors,” explained BaFin expert Kocatepe at the event. “The remaining 20 percent are specific to the sector – after all, we want to accommodate the specific structures of each industry.” For instance, in contrast to other sectors, insurers and IORPs have to submit a report if activities and processes are not outsourced as reported to BaFin. Banks, investment service providers and payment service providers, on the other hand, have to report when they outsource material activities and processes. This requirement does not apply to insurers and IORPs.

Unlike reports on the intention to outsource, on outsourcing not carried out and on material changes, serious incidents do not, for the time being, have to be reported via the electronic reporting platform. This is because BaFin is currently developing a uniform digital reporting form for incident reporting. When developing this form, BaFin will take into account its initial experience with incident reports it receives in future, which are expected to be very diverse.

When the reporting regulations have entered into force, BaFin will provide information on its website about the address for reporting serious incidents and the details required. In the long term, it is planned that companies will also use the MVP to report such incidents.

Map provides supervisors with an overview

What happens with the data BaFin receives via the MVP? Firstly, BaFin assesses reports as soon as they are received as part of its ongoing supervision and, where necessary, orders direct measures against the external service provider. In addition, the data are saved in a database for all relevant BaFin sectors. Dr Sibel Kocatepe and her colleagues regularly use this database and derive from it findings relevant across BaFin’s supervisory areas.

[Figure: Map, a graphical presentation of concentration risks © BaFin]

And how does that work exactly? Firstly, BaFin’s experts create a graphic representation of the data in the form of outsourcing maps. These maps show red and grey points with lines of different sizes, alongside lots of numbers. For the uninitiated, they may look like constellations in the night sky, but specialists understand them instantly: they can identify concentration risks, even if these risks arise at the fourth or fifth service provider in an outsourcing chain. Sometimes it is only at this level that it becomes apparent that the same service provider is contracted by numerous companies and provides services to a variety of companies. Supervisors need this knowledge in order to adequately monitor service providers. This also shows which multiple client service providers BaFin should focus its attention on.

Did you know?

Digitalisation is also a key future issue for insurers and institutions for occupational retirement provision (IORPs). What does this mean for supervisors – and for companies? At the event “IT Supervision of Insurers and Pension Funds”, which was held by BaFin on 21 June 2022, participants received answers to this question.


Author

Julia Droege-Knaup
Division K 3 - Speeches and Publications

Please note

This article reflects the situation at the time of publication and will not be updated subsequently. Please take note of the Standard Terms and Conditions of Use.
