There has been significant growth in the outsourcing of financial services in recent years. In some segments of the financial sector, the majority of supervised companies are dependent on a small number of specialised IT service providers, giving rise to significant risks for the financial market. BaFin is therefore increasing its focus on this topic.

If there is a failure at a multi-client service provider, it can result in problems for a large number of companies in the financial sector simultaneously and thus impact an individual financial segment or even the financial market as a whole. BaFin is monitoring these developments and has singled out the potential effects of concentration in the area of IT services outsourcing as one of its risk areas of particular focus this year.

20,800 reports since November 2022

BaFin closely monitors the outsourcing market in order to detect such risks at an early stage. As part of these efforts, it also examines market interconnectedness and concentration. For more than a year, companies in the financial sector have been notifying BaFin about their (material) outsourced activities and processes (see info box) via the MVP Portal – BaFin’s reporting and publishing platform.

Since November 2022, approximately 1,900 supervised companies have notified BaFin about around 20,800 (material) outsourced activities and processes. This equates to around 11 instances of material outsourcing per company.

In general, notifications are only submitted for newly outsourced activities and processes. In the case of existing outsourcing arrangements, notification is only necessary if material changes within the meaning of the respective notification regulation take place. As the notifications only started being submitted to BaFin via the MVP on 29 November 2022, its outsourcing database is not yet complete.

The number of notifications varies significantly across segments due to the various underlying laws. The lowest number comes from investment firms, which submit an average of three outsourcing notifications. This is closely followed by insurers and institutions for occupational retirement provision (IORPs) as well as financial services institutions, which submit an average of approximately four outsourcing notifications.

Credit institutions are in the middle of the table with an average of approximately nine notifications. They are just ahead of payment and e-money institutions, which submit an average of around 13 outsourcing notifications per company. There is a large gap between these numbers and the figure for German asset managers (Kapitalverwaltungsgesellschaften), which submit an average of approximately 42 notifications.

This high number is due to the fact that, unlike the other supervisory laws concerned, the German Investment Code (Kapitalanlagegesetzbuch – KAGB) does not differentiate between material and non-material outsourcing. Such companies must therefore notify BaFin about all of their outsourced activities and processes, thus increasing their share of the total number of outsourcing notifications (see Figure 1).

Figure 1: Share of outsourcing notifications (%)

(c) BaFin

Network graphs reveal connections across the financial market

BaFin uses the data about outsourcing to analyse the relationships between outsourced services throughout the German financial market. Network graphs are one way to present this complex web of connections across segments in a comprehensible and transparent manner. Such transparency is very important because some individual external service providers perform services of systemic importance for a large number of companies in the financial market.

Network graphs make it possible, for example, to identify where services are concentrated among certain multi-client service providers. It may be the case that the activity or process outsourced by the supervised entity is actually performed directly by these providers themselves, or the service providers may just be one link in a chain of further outsourcing to subcontractors.

Banking groups are heavily networked

Figure 2 is a network graph that provides an overview of the outsourcing relationships across the German financial market. The “nodes” represent the supervised entities, the service providers and the subcontractors. The “links” between the nodes represent business relationships between the companies and are coloured according to the type of supervised entity.

This makes it possible to see, for instance, that supervised companies and service providers that are part of banking groups have tightly intermeshed business relationships with each other. Apart from such groups, it is also possible to single out service providers that perform services to various types of financial undertakings, e.g. for German asset managers, insurers and credit institutions.

Figure 2: Network graph visualising outsourcing relationships across the entire German financial market.

(c) BaFin

Outsourcing structures within complex contractual relationships are a point of particular interest, especially in connection with sub-outsourcing by IT service providers. Such structures result in dependencies and risks that are complex and lack transparency. They are often difficult to understand for the financial companies that outsource activities and processes. This can be problematic because difficulties at one subcontractor can have knock-on effects and disrupt entire value chains across the financial sector.

In addition to analysing outsourcing relationships, BaFin can use the outsourcing data to determine how often which categories of activities and processes are outsourced within a given segment of the financial sector – e.g. how often supervised companies submit notifications for the categories of IT, risk management or human resources – and take this as the basis for more detailed analyses.

In addition, BaFin can analyse the locations where the outsourced activities and processes are performed. Such information is particularly relevant for ensuring adherence to regulatory requirements, especially in relation to third countries or countries experiencing crises.

Every second outsourced activity cannot be reintegrate

BaFin can also use the data to examine companies’ assessments of how replaceable external service providers are and what the effects would be if outsourcing was discontinued. If a provider’s services fail, companies must retain their ability to operate.

At present, just under half of companies believe that they would be able to perform their outsourced activities and processes again themselves. This is shown by BaFin’s outsourcing database with companies classifying approximately half of the outsourced activities and processes in their notifications as non-reintegratable.

Even where companies believe that reintegration could potentially take place, approximately one third of such services are difficult or impossible for other providers to perform. Even where it is possible, changing service providers can sometimes be a lengthy process. This is particularly acute in the case of services from highly specialised providers, such as certain cloud services.

BaFin sharpens focus on cloud providers

BaFin has therefore been monitoring the resilience of large cloud service providers for some time now. It has recently updated its supervisory statement on outsourcing to cloud service providers (Aufsichtsmitteilung zu Auslagerungen an Cloud-Anbieter). As part of its monitoring of systemically important external service providers at national level, BaFin maintains ongoing communication with the largest cloud providers.

The EU’s Digital Operational Resilience Act (DORA) will establish a European monitoring framework under which critical service providers at European level will be subject to a form of “light supervision”. This will dovetail smoothly with existing national regulations on the monitoring of external service providers.

Incident reporting prevents further damages

The outsourcing database has also acted as a form of early warning system for BaFin and has thus proved to be a valuable tool for monitoring security and cyber incidents. In 2023, for example, an insurance company notified BaFin about a serious IT security incident at an outsourcing provider.

BaFin’s analysis of the outsourcing database soon revealed that the outsourcing provider not only performed services for other insurers, but for credit institutions as well. The information from the incident report and from the outsourcing database enabled BaFin to identify companies within the financial sector that could potentially be affected and to inform them about the situation.

This example underscores how incident reporting is not just important for the affected company alone, but for the financial market as a whole. Every individual company within the financial sector benefits from notifications about material outsourced activities and processes – regardless of its segment. The prerequisites here, however, are that BaFin is informed about any incident as early as possible and that financial companies submit notifications about all of their (material) outsourced activities and processes via the MVP portal.

When is an incident considered serious?

Companies that are subject to BaFin’s supervision must notify it about serious incidents relating to outsourcing arrangements without undue delay. The relevant notification regulations provide non-exhaustive examples of situations in which supervised companies should assume that a serious incident has taken place. These include interruptions in the provision of services at the outsourcing company that are attributable to its outsourcing arrangements, or security incidents at the outsourcing company.

If a company fails to report a serious incident without undue delay, BaFin imposes administrative fines. Companies in the financial sector should therefore submit an initial notification to BaFin as soon as they detect a serious incident and then continuously update the supervisory authority as the situation develops.

Potential improvements: data quality and completeness

Just over one year of supervisory practice in this area has shown that there is still room for improvement. The quality of outsourcing data must improve so that BaFin can use it even more effectively. It is very important, for example, that the company name of the external service provider is specified clearly and correctly. Only in this way is it possible for BaFin to examine the outsourcing relationships that are pivotal for detecting concentration risks.

In order to prevent mistakes here in future, BaFin recently expanded its guidance notes for submitting outsourcing notifications in the MVP specialised procedure in accordance with the German Investment Code (Kapitalanlagegesetzbuch – KAGB), German Banking Act (Kreditwesengesetz – KWG), German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG), German Investment Firm Act (Wertpapierinstitutsgesetz – WpIG) and the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG) in conjunction with the relevant notification regulations. Companies in the financial sector should use this additional guidance to avoid making mistakes when specifying external service providers and subcontractors.

BaFin improves data collection for outsourcing risks

BaFin is also optimising how outsourcing notifications are submitted via the MVP portal. This will make it easier for supervised companies to use the outsourcing notification form “Anzeige von Auslagerungen”. BaFin’s long-term goal is to further expand its outsourcing database. The notification requirement only applies to newly outsourced activities and processes as well as material changes to them. The data set is therefore incomplete.

In order to improve its data set, BaFin conducted a sample test of approximately 230 supervised companies in early 2023. It asked these companies to report all of their existing material outsourced activities and processes.

Almost all of the companies complied with the request and thus made a valuable contribution to the detection of outsourcing risks. The additional data here will enable BaFin to better monitor interconnectedness and dependencies on the financial markets and to provide warnings about any serious incidents that occur.

Greater oversight of third-party ICT services and ICT outsourcing

BaFin will continue to focus on improving its data in 2024. At the start of March, BaFin expanded its target group for data collection by 230 supervised companies. It also plans to expand its outsourcing database to include details about the use of information and communication technology (ICT) services. Companies within the financial sector will have to store such information in a register from 17 January 2025 and submit it to BaFin upon request. The relevant requirements are set out in DORA, which aims to bolster the digital operational resilience of the financial sector.

BaFin uses the outsourcing database to identify and monitor systemically important external service providers at national level. This year, BaFin’s IT Supervision Directorate plans to start examining external service providers that, in light of their multiple clients, play an important role for the financial market. The objective here is to assess the risks at these companies and to address them within the financial market.

BaFin’s pioneering role

The aim of the notification requirement, which is already established in German law, is to increase the resilience of the German financial market. The outsourcing database has already proved useful over the last year and has provided BaFin with an initial overview of the outsourcing situation on the financial market.

This enables BaFin not only to analyse the outsourcing relationships of individual companies in the financial sector, but also to detect and counteract risks to the entire financial market at an early stage. In the coming years, DORA will make this possible at European level as well. This means that BaFin is already a pioneer in comparison to its European and global counterparts and other national supervisory authorities are keenly following BaFin’s activities.