“Good to know” in outsourcing management

Published on June 18, 2025

Answers to the 10 most common questions in outsourcing management

1. What is outsourcing?
Under Section 25b in conjunction with Section 25a of the German Banking Act (KWG) and the Minimum Requirements for Risk Management (MaRisk), outsourcing means the procurement from a service provider of activities, processes and functions that are necessary for carrying out banking transactions, financial services or other typical institutional services. This includes activities and services attributable to both the core processes and the support processes of a bank.

The EBA guidelines on outsourcing (EBA/GL/2019/02) define outsourcing as follows: "Outsourcing means an arrangement, of whatever form, between an institution and a service provider under which the service provider carries out a process, provides a service or performs an activity that the institution would otherwise undertake itself."

For example, the disposal of confidential documents is considered a typical institutional service, even though it is not a primary banking service. By contrast, mere advice on banking transactions (without decision-making authority) is not considered outsourcing.

According to MaRisk AT 9 and the EBA guidelines on outsourcing, the following services are not outsourcing:

- a function that legislation requires to be performed by a service provider, e.g. the statutory audit of the financial statements
- the use of central bank functions (within financial associations) or clearing houses, i.e. payment transactions between clearing houses, central counterparties and settlement agencies and their members, as well as securities settlement
- the use of liquidity lines
- the use of correspondent banking services
- the custody of assets in accordance with the Securities Deposit Act (Depotgesetz)
- the use of publicly available (including paid) data from market information providers, e.g. public data from rating agencies that has not been generated or processed specifically for the institution, such as Bloomberg, Moody's, Standard & Poor's, Fitch, etc.
- the use of global payment infrastructures (e.g. card payment schemes such as Visa and Mastercard)
- the use of global messaging infrastructures for the transmission of payment data that are subject to supervision by competent authorities, and the purchase of services such as the provision of a legal opinion, representation before courts and administrative authorities, and pension services
- the purchase of services that the institution or payment institution would not otherwise provide itself (e.g. advice from an architect, provision of a legal opinion and representation before courts and administrative authorities, cleaning, gardening and maintenance of the institution's or payment institution's premises, medical services, maintenance of company cars, catering, vending machine services, office services, travel services, mailroom services, receptionists, secretarial staff and telephone operators), of goods (e.g. plastic cards, card readers, office supplies, computers, furniture) or of utilities (e.g. electricity, gas, water, telephone).

2. When is an outsourcing essential?
According to the EBA guidelines on outsourcing, the ESMA guidelines on outsourcing to cloud service providers (ESMA50-164-4285) and DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554), an outsourcing is considered essential if a defect or failure in its performance would materially impair the financial performance of a financial entity or the soundness or continuity of its business and services, or if its interrupted, defective or failed performance would materially impair the financial entity's continuing compliance with the conditions and obligations of its authorisation or with its other obligations under applicable financial services law.

The (partial) outsourcing of control functions (risk management, compliance, internal audit) is considered essential if the failure or poor performance of the outsourced services has a negative impact on that function. In addition, the outsourcing of core business areas is generally considered essential.

According to MaRisk AT 9, whether an outsourcing is essential is to be determined as part of a risk analysis.

3. What is an outsourcing contract?
The rights and obligations of the outsourcing institution and the outsourcing company (also known as the service provider or provider) must be defined in an outsourcing agreement. MaRisk, the EBA guidelines on outsourcing, the ESMA guidelines on outsourcing to cloud service providers and DORA all contain specific requirements for the minimum content of outsourcing contracts. Contracts for outsourcing and for other external procurement of IT services (also known as "other external IT procurement") are drafted in a risk-oriented manner: contracts for essential outsourcing are more extensive than those for non-essential outsourcing or other external IT procurement.

When drafting contracts, it is important to involve key functions such as data protection, information security, business continuity management and compliance, because outsourcing contracts contain far-reaching requirements on these topics and must be consistent with the internal requirements of the outsourcing institution.

4. What falls under “IT services”?
According to MaRisk AT 9 and BAIT chapter 9, IT services include all forms of IT procurement, such as:
- adapting software to the requirements of the credit institution
- development and implementation of change requests (programming)
- testing, approval and deployment of software into production processes, both on first use and after significant changes, in particular to programming requirements
- bug fixes (maintenance) based on the request or fault description of the client or manufacturer
- other support services that go beyond mere advice
- operating software
- provision of IT systems, projects/trades or staffing
- cloud services.

According to DORA, "ICT services" are digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services that include the provision of technical support by the hardware provider via software or firmware updates, with the exception of traditional analogue telephone services.

5. When is an IT service an outsourcing?
According to MaRisk AT 9 and BAIT, IT services are considered outsourcing if they are provided for software that is used to identify, assess, manage, monitor and communicate risks, or that is essential for carrying out banking tasks.

For example, LENO, LeanMind's software for outsourcing management, is an outsourcing if it is operated and hosted in the cloud as a SaaS solution (Software as a Service). By contrast, a marketing application should be classified as other external IT procurement.

6. Is the use of cloud services always an outsourcing?
According to MaRisk AT 9 and BAIT chapter 9, cloud services are an IT support service and must therefore be treated in the same way. They are considered outsourcing if they are used to identify, assess, manage, monitor and communicate risks, or to carry out banking tasks of essential importance.

7. When do I need to create an exit strategy?
In accordance with MaRisk and the EBA guidelines on outsourcing, an exit strategy is mandatory for essential outsourcing (see the simplifications for intra-group and network outsourcing under MaRisk AT 9 item 15.d). For other external procurement of services, institutions should nevertheless assess whether the services could be reintegrated or transferred to third parties (alternative providers) and, where necessary, define measures that enable a smooth exit from the business relationship with the service provider.

8. How often does the risk analysis need to be updated?
The risk analyses for outsourcing and other external IT procurement must be reviewed regularly and on an ad hoc basis, and updated where necessary.

Triggers for an ad hoc review of the risk analysis include, for example, changes in the scope of the outsourced services or in regulatory requirements.

Each institution must define for itself how often the risk analysis is updated. For essential outsourcing, the risk analysis should be updated at least annually.

9. Which risks must be considered in the risk analysis?
A risk analysis typically covers the following aspects:

- security of the outsourced information
- protection of outsourced personal data
- aggregation risk
- concentration risk
- conflicts of interest
- risks from sub-outsourcing (further transfers)
- suitability of the outsourcing company
- measures to manage and mitigate risks
- costs, for example in the event of an exit or a change of service provider
- reputational risks
- compliance and legal risks
- complexity of the outsourcing or of the outsourced area
- criticality with regard to recovery and resolution planning
- compliance with regulatory, legal and ESG requirements
- business continuity and operational resilience.

10. Do I have to carry out a risk analysis for sub-outsourcing?
Sub-outsourcing (further transfers) also poses a risk for the outsourcing institution. The same standards therefore apply to sub-outsourcing as to outsourcing: sub-outsourcings must be identified, subjected to a risk analysis (including a materiality assessment) and, where necessary, addressed with risk-mitigating measures.

In addition, the outsourcing contract must oblige the service provider to contractually anchor the agreed provisions with its own service provider (the sub-service provider from the outsourcing institution's point of view) and to monitor compliance with them.

Do you have any questions or do you need our assistance? Then we look forward to hearing from you.