Answers to the 10 Most Common Questions in Outsourcing Management

‍

What is outsourcing?

‍The EBA Guidelines on Outsourcing (EBA/GL/2019/02) define outsourcing as “an arrangement of any form between an institution and a service provider whereby the service provider performs a process, provides a service or conducts an activity which would otherwise be undertaken by the institution itself.”

For example, the disposal of confidential documents is considered a service typical for institutions, even though it is not a primary banking service. Advisory services on banking transactions (without decision-making authority), on the other hand, do not qualify as outsourcing. According to EBA eba guildelines on outsourcing arrangements, the following services are not considered outsourcing:

- A function that has to be performed by a service provider due to legal regulations, e.g., audits,
- The use of central bank functions (within financial groups) or clearing houses in payment transactions between clearing houses, central counterparties, and settlement agents as well as their members, and securities settlement,
- The utilization of liquidity lines,
- Use of correspondent services,
- The use of custody of assets according to the Custody Act
- The use of publicly accessible (also chargeable) data from market information providers (e.g., public data from rating agencies that is not specifically generated/processed for the institution like Bloomberg, Moody’s, Standard & Poor’s, Fitch, etc.),
- The use of global payment infrastructures (e.g., card payment procedures or Visa, Mastercard),
- The use of global messaging infrastructures for transmitting payment data, which are under the supervision of competent authorities, and the acquisition of services such as the provision of legal opinions, representation before courts and administrative authorities, and supply services.
- The acquisition of services that would otherwise not be provided by the institution or payment institution (e.g., consultation by an architect, provision of legal opinions and representation before courts and administrative authorities, cleaning, gardening and maintenance of the premises of the institution or payment institution, medical services, maintenance of company cars, catering services, vending machine services, office services, travel services, postal services, reception staff, secretarial staff, and telephonists), of goods (e.g., plastic cards, card readers, office supplies, computers, furniture) or supply services (e.g., electricity, gas, water, telephone).

When is outsourcing considered material?

‍According to the EBA Guidelines on Outsourcing, ESMA Guidelines on Outsourcing to Cloud Providers (ESMA50-164-4285), and DORA (Digital Operational Resilience Act – 2022/2554), outsourcings are considered material if their failure or poor performance would significantly impair the financial capability of a financial company or the solidity or continuation of its business activities and services, or if their interrupted, incorrect, or omitted performance would significantly impair the ongoing compliance with the licensing conditions and obligations of a financial company or its other obligations under the applicable financial services law.

The (partial) outsourcing of control functions (risk management, compliance, audit) is considered material if the failure of the outsourced services or their poor performance has a negative impact on these functions. Furthermore, the outsourcing of core business areas is generally considered material.

According to MaRisk AT 9, the materiality of an outsourcing must be determined within the framework of a risk analysis.

What is an outsourcing contract?

‍The rights and obligations of the outsourcing institution and the outsourced service provider (also known as the provider, supplier, or outsourcing company) must be defined in an outsourcing contract. Both the MaRisk and the EBA Guidelines on Outsourcing, ESMA Guidelines on Outsourcing to Cloud Providers, and DORA contain specific requirements for the minimum content of outsourcing contracts. The contract design for outsourcings and other external procurement of IT services (also known as "other IT external procurement") is risk-oriented. Thus, contracts for material outsourcings are more comprehensive than those for non-material outsourcings or other IT external procurements.

When designing contracts, it is important to involve key functions such as data protection, information security, business continuity management, and compliance, as outsourcing contracts have far-reaching requirements for these topics and must be in line with the internal guidelines of the outsourcing institution.‍

What is an ICT Services?

‍According to MaRisk AT 9 and BAIT Chapter 9, IT services include all forms of IT procurement such as:

• Customizing software to the requirements of the credit institution,
• Developmental implementation of change requests (programming),
• Testing, approval, and implementation of the software into the production processes upon first use and during significant changes, especially from programming technical specifications,
• Error corrections (maintenance) according to the requirement/error description of the client or manufacturer,
• Other support services that go beyond mere consulting,
• Operation of software, provision of IT systems, projects/works or personnel assignment,
• Cloud services,
• Provision of IT systems, projects/works, or personnel assignment.

According to DORA, "ICT services" are digital services and data services that are provided permanently to one or more internal or external users via ICT systems, including hardware as a service and hardware services. This also includes technical support by the hardware provider through software or firmware updates, excluding conventional analog telephone services.

When is an IT Service Considered Outsourcing?

‍According to MaRisk AT 9 and BAIT, IT services are considered outsourcing if they are provided for software used to identify, assess, control, monitor, and communicate risks or that are essential for performing banking tasks.

For example, the use of software by LeanMind as a SaaS solution (Software as a Service) hosted in the cloud is considered outsourcing. In contrast, an application for employee training is classified as other external IT procurement.

Is the Use of Cloud Services Always Considered Outsourcing?

‍According to MaRisk AT 9 and BAIT Chapter 9, cloud services are treated as IT support services and are therefore treated analogously. They are considered outsourcing if used for identifying, assessing, controlling, monitoring, and communicating risks or for performing essential banking tasks.

When Must I Create an Exit Strategy?

‍According to MaRisk and the EBA guidelines on outsourcing, an exit strategy is mandatory for material outsourcing (see the facilitations for group- and consortium-internal outsourcing under MaRisk Tz. 15.d.). However, institutions should evaluate the possibility of reintegration or transferring the services to third parties (alternative providers) for any type of external procurement of services and, if necessary, define measures to enable a smooth exit from the business relationship with the service provider.

How Often Should the Risk Analysis Be Updated?T

he risk analyses for outsourcing and other external IT procurements must be reviewed and updated regularly and as needed.

A change in the scope of the outsourced services or regulatory requirements serves as a reason to review the risk analysis.

Each institution must define how often the risk analysis should be updated. For material outsourcing, the risk analysis should be updated at least annually.

What Risks Must Be Considered in the Risk Analysis?The risk analysis typically addresses the following aspects:

• Security of outsourced information,
• Protection of outsourced personal data,
• Aggregation risk,
• Concentration risk,
• Conflicts of interest,
• Risks from further outsourcing,
• Suitability of the outsourcing company,
• Measures for controlling and mitigating risks,
• Costs, e.g., for an exit or change of service provider,
• Reputational risks,
• Compliance & legal risks,
• Complexity of the outsourcing or the outsourced area,
• Criticality regarding recovery and resolution planning,
• Compliance with regulatory, legal, and ESG requirements,
• Business continuity and operational resilience.

Do I Need to Conduct a Risk Analysis for Sub-Outsourcings?

‍Sub-contracting also poses a risk to the outsourcing institution. Therefore, the same standards apply to further outsourcing as to initial outsourcing. Thus, further outsourcing must be identified, subjected to a risk analysis (and materiality analysis), and, if necessary, measures to mitigate risks must be initiated.

Furthermore, the service provider must be obligated in the outsourcing contract to incorporate and monitor the agreed regulations with their service provider (sub-service provider from the perspective of the outsourcing institution) contractually.

If you have any more questions or need further assistance, feel free to ask!