Obligation to notify outsourcing at securities institutions: What is to be observed?
The auditor must report separately on outsourcing of material activities and processes, taking into account the requirements set out in section 40 of the Securities Institutions Act. In doing so, a statement must be made as to whether the classification of outsourcing as material or immaterial is comprehensible from the point of view of risk, type, scope and complexity.
Obligation to notify outsourcing: BaFin requirements for securities institutions
Section 64 regulates the notification requirements for all securities institutions.
(1) A securities institution shall notify the Bundesanstalt and the Deutsche Bundesbank without delay:
The intention of a material outsourcing, the execution of the outsourcing as well as material changes and serious incidents in the context of existing material outsourcing.
Obligation to notify outsourcing at securities institutions
The following regulations apply to the outsourcing notification pursuant to § 64 paragraph 1 number 13 of the Securities Institutions Act:
Notifications of outsourcing pursuant to section 64(1) number 13 of the Securities Institutions Act shall be submitted for the first time as of the date on which the Bundesanstalt makes available the electronic submission procedure provided for such submission.
The list of outsourcing matters specified by the Federal Financial Supervisory Authority in the electronic submission procedure shall be deemed to be a material outsourcing for which the intention, execution, material changes and the occurrence of serious incidents must be reported.
Provisions of § 40 WpIG on outsourcing at securities institutions
§40 WpIG regulates the outsourcing of activities and processes.
Depending on the type, scope, complexity and risk level of an outsourcing of critical and important operational tasks within the meaning of Article 30(1) of Delegated Regulation (EU) 2017/565 (material outsourcing), a securities institution must take adequate precautions to avoid excessive additional risks.
Outsourcing shall not impair the regularity of those transactions and services or the business organisation. In particular, the investment institution shall maintain adequate and effective risk management.
An investment institution shall keep an outsourcing register as part of its risk management. All material and non-material outsourcing must be recorded in this register.
The Ordinance on the Audit of the Annual Financial Statements of Securities Institutions and on the Reports to be Prepared (Wertpapierinstituts-Prüfungsberichtsverordnung – WpI-PrüfbV) regulates the following in this regard:
Outsourced material activities and processes shall be specified and delimited in a comprehensible manner, also in connection with the designations made in Annex 2. The data overview for small and medium-sized securities institutions that have outsourced areas to another company must include the following information:
- Outsourcing company including address
- CN ident number
- Outsourced activities and processes
- Status (planned on / carried out on / completed on)
- Date of outsourcing
- Remarks, in particular on further outsourcing
Articles 30 to 32 lead to further obligations for outsourcing of investment institutions
Articles 30 to 32 of Delegated Regulation (EU) 2017/565 contain more detailed provisions on material outsourcing. If, in the case of material outsourcing, an outsourcing company has its registered office in a third country, it must be contractually ensured that the outsourcing company designates a domestic authorised representative to whom notifications and service of documents can be effected by the Bundesanstalt.
The Federal Financial Supervisory Authority may, in individual cases, issue orders to a securities institution and also directly to an outsourcing company to which material outsourcing has taken place, which are appropriate and necessary,
1. to prevent or stop breaches of supervisory regulations,
2. to eliminate any impairment of the Federal Financial Supervisory Authority’s auditing rights or control possibilities, or
3. to prevent or remedy malpractices at the securities institution or outsourcing company which may jeopardise the security of the assets entrusted to the securities institution or impair the orderly performance of the securities services, ancillary securities services or ancillary transactions.
Further regulations of the IFD to be observed pursuant to Section 40 WpIG + Obligation to notify outsourcing at securities institutions
The IFD regulates decisive and important operational tasks in Section 2, Article 30, as follows:
For the purposes of the first subparagraph of Article 16(5) of Directive 2014/65/EU, an operational task shall be considered crucial or important if its insufficient performance or non-performance would materially affect the investment firm’s continuous compliance with the conditions and obligations of authorisation or other obligations under Directive 2014/65/EU, its financial performance or the soundness or continuity of its investment services and activities.
Without affecting the status of other duties, the following duties shall not be considered crucial or important for the purposes of paragraph 1:
(a) advisory and other services provided to the investment firm which are not part of its investment business, including legal advice, staff training, billing and security of premises and staff;
(b) the purchase of standardised services, including market information services and price data.
Further provisions are made in Articles 31 and 32.
Article 31 provides for the outsourcing of critical or important operational functions.
Investment firms that outsource key or important operational functions shall remain fully responsible for the performance of all their obligations under Directive 2014/65/EU and shall comply with the following conditions:
(a) the outsourcing does not involve a delegation of senior management tasks;
(b) the relationship and obligations of the investment firm towards its clients under Directive 2014/65/EU remain unchanged;
(c) the conditions with which an investment firm must comply in order to be authorised in accordance with Article 5 of Directive 2014/65/EU and to maintain that authorisation remain fulfilled; and
(d) the other conditions under which the investment firm was granted authorisation have not lapsed and have not changed.
Professional onboarding and offboarding upon conclusion, execution or termination of the outsourcing agreement
Investment firms shall exercise due professionalism and care when entering into, executing or terminating an agreement to outsource critical or important operational functions to a service provider and shall take all necessary measures to ensure that:
(a) the service provider has the suitability, capacity, sufficient resources and appropriate organisational structures to perform the outsourced functions, as well as all licences required by law, to perform the outsourced functions in a reliable and professional manner;
(b) the service provider performs the outsourced services effectively and in accordance with applicable laws, regulations and administrative provisions and, to that end, the investment firm has established methods and procedures for evaluating the performance of the service provider and for the ongoing review of the services provided by the service provider;
(c) the service provider shall properly monitor the performance of the outsourced functions and adequately manage the risks associated with the outsourcing; and
(d) appropriate measures are taken where there is doubt that the service provider may not be performing its functions effectively and in compliance with applicable laws, regulations and administrative provisions;
(e) the investment firm shall effectively monitor the outsourced functions or services and manage the risks associated with the outsourcing and, to that end, it shall continue to have the necessary expertise and resources to effectively monitor the outsourced functions and manage those risks;
(f) the service provider has brought to the attention of the investment firm any development that could materially affect its ability to perform the outsourced functions effectively and in compliance with applicable laws, regulations and administrative provisions;
(g) the investment firm is able to terminate the outsourcing arrangement with immediate effect, if necessary, when this is in the interest of its clients, without affecting the continuity and quality of the services provided to its clients;
(h) the service provider cooperates with the competent authorities of the investment firm in relation to the outsourced functions;
(i) the investment firm, its auditors and the relevant competent authorities have effective access to data related to the outsourced functions and to the premises of the service provider where necessary for the purposes of effective supervision in accordance with this Article, and the competent authorities may make use of those access rights;
(j) the service provider shall protect all confidential information concerning the investment firm and its clients;
(k) the investment firm and the service provider have established and implemented on a permanent basis a contingency plan that ensures the retention of data in the event of a system failure and provides for regular testing of backup systems, should this be necessary in view of the outsourced function, service or activity;
(l) the investment firm has ensured that the continuity and quality of the outsourced functions or services are maintained in the event of termination of the outsourcing by transferring the performance of the outsourced functions or services to another third party or by the investment firm itself performing those outsourced functions or services.
Minimum requirements for the written outsourcing agreement + Obligation to notify outsourcing in the case of investment institutions
The relevant rights and obligations of the investment firm and the service provider shall be clearly allocated in a written agreement. In particular, the investment firm shall retain its rights of instruction and termination, its rights to information and its rights of inspection and access to books and business premises. The agreement shall ensure that any outsourcing by the service provider may only take place with the written consent of the investment firm.
Where the investment firm and the service provider belong to the same group, the investment firm may take into account the extent to which it controls or can influence the actions of the service provider for the purposes of complying with this Article and Article 32.
The investment firm shall provide the competent authorities, at their request, with all the information necessary to monitor compliance of the performance of the delegated functions with the requirements of Directive 2014/65/EU and its implementing measures.
Article 32 sets out requirements when using service providers established in a third country
#1 Investment firms that outsource functions related to the management of client portfolios to a third country service provider shall, in addition to the requirements of Article 31, ensure that the following conditions are met:
(a) the service provider is authorised or registered to provide that service in its home country and is effectively supervised by a competent authority in that third country;
(b) there is an appropriate cooperation agreement between the competent authority of the investment firm and the supervisory authority of the service provider.
#2 The cooperation arrangement referred to in point (b) of paragraph 1 shall ensure that the competent authorities responsible for the investment firm are at least able to:
(a) obtain, on request, the information necessary for the performance of their supervisory duties under Directive 2014/65/EU and Regulation (EU) No 600/2014;
(b) have access to documents held in the third country which are relevant for the exercise of their supervisory duties;
(c) obtain information from the supervisory authority in the third country as soon as possible in order to investigate apparent breaches of the requirements of Directive 2014/65/EU and its implementing measures and Regulation (EU) No 600/2014;
(d) in the event of a breach of the requirements of Directive 2014/65/EU and its implementing measures and relevant national law, to address enforcement in cooperation in accordance with national and international laws applicable to the third country supervisory authority and the competent authorities in the EU.
#3 Competent authorities shall publish on their website a list of supervisory authorities in third countries with which they have concluded a cooperation arrangement referred to in point (b) of paragraph 1.
Competent authorities shall update cooperation agreements concluded before the date of entry into force of this Regulation within six months of the date of entry into force of this Regulation.
This seminar might also interest you as an update seminar for securities institutions
You have been newly appointed as an outsourcing controller? With the seminar Outsourcing Controlling according to AT 9 MaRisk you will learn the following skills for this new task:
#1 Requirements of the new EBA guidelines, MaRisk, German Banking Act (KWG) and the Securities Institutions Act (WpIG) for the outsourcing officer
#2 New requirements for the outsourcing of important control areas
#3 Obligation to notify outsourcing according to FISG and WpIG
#4 Risk assessment: performing outsourcing management in an audit-proof manner
#5 Limiting Liability Risks – New Reporting Duties of the Outsourcing Agent
#6 Knowing monitoring and control obligations as an outsourcing officer
#7 Implementation of the EBA guidelines on outsourcing and ITC
#8 Obligation to notify outsourcing at securities institutions: What must be observed?
Target Group – Seminar Outsourcing Controlling
- Board members and managing directors at banks, financial service providers, investment and fund companies, leasing and factoring companies
- Managers and specialists from the areas of outsourcing management, risk controlling, IT compliance, compliance officers and internal auditors
Your benefits – seminar on outsourcing controlling
- Tasks and duties of the outsourcing officer
- Risk analysis for outsourcing: Knowing the “red lines”
- Ongoing monitoring duties of the outsourcing manager
- Obligation to notify outsourcing according to FISG and WpIG
Each participant receives the following S+P products with the seminar:
- S+P Checklist “Implementation of MaRisk + EBA Directive + FISG”
- Guidelines for central outsourcing management (approx. 30 pages)
- Sample reporting for outsourcing officers
- S+P tool risk assessment outsourcing management for more audit security
Tasks and duties of the outsourcing representative
- The range of tasks of the outsourcing representative
- Efficient communication between outsourcer and insourcer:
- Definition of escalation processes
- Meaningful management reporting
- New requirements of the EBA and the FISG:
- Differentiation between outsourcing and third-party procurement according to MaRisk
- New rules on the KWG notification requirements
- Ordering and intervention powers of the BaFin
Risk analysis in outsourcing: Knowing the “red lines”
- Risk analysis in the outsourcing process
- Carrying out qualitatively tightened risk analysis on the basis of uniform scoring criteria:
- Assessment of risk content and risk concentration when outsourcing several activities to one service provider
- Benchmarks for management and control activities and their implementation
- Audit-proof assessment of exit strategies and contingency plans
- Definition of a maximum bad performance of an external service provider
Ongoing monitoring duties of the outsourcing officer
- MaRisk requirements for monitoring and control activities
- Evaluation of contract design, performance controls and organisational requirements
- New specification of consent requirements and far-reaching information rights
- New requirements for monitoring and reporting obligations of the service provider and the outsourcing agent
- Exit strategy AT9 para 6 in conjunction with §25b KWG
- Optimisation of key figures for risk and performance measurement
- To Do’s for outsourcers from findings of special audits
- SREP and EBA requirements for risk management