BaFin - Navigation & Service

Erscheinung:15.08.2013 11:10 AM Thomas Konschalla, BaFin

Outsourcing: BaFin compares outsourcing by institutions

BaFin has analysed banks' outsourcing activities as part of a comparative study. This examined, among other things, the number of outsourcing activities, their geographical distribution, their integration into the business strategy, the risk analysis to be carried out by institutions prior to outsourcing, and monitoring and management of outsourcing by the institutions.

The study was confined to large institutions. Smaller institutions such as savings banks and cooperative banks were not included. BaFin analysed the reports on the audit of the annual accounts and corresponding data overviews (annex 5 to section 60 of the Audit Report Regulation (PrüfungsberichtsverordnungPrüfbV)). The supervisory authority for example also assessed the dependency of credit institutions on a single service provider and the appropriateness of their outsourcing-specific risk management. Outsourcing activities by institutions were evaluated using the requirements under section 25a (2) of the Banking Act (KreditwesengesetzKWG) and the corresponding provisions of the Minimum Requirements for Risk Management for Banks (MaRisk, AT 9).

Number of outsourcing activities

The information on institutions’ outsourcing activities is inconsistent and in some cases incomplete. This made the analysis considerably more difficult. In some cases, the auditors did not state the total number of outsourcing activities in their audit reports, did not distinguish between material and non-material outsourcings, and failed to indicate the locations of outsourcing. BaFin believes consistent and complete data to be essential to supervision and is therefore pursuing considerable improvements in this area. Specifically, an amendment to the Audit Report Regulation may be considered to this end.

All institutions included in the cross-comparison use outsourcing. The number of outsourcing activities per institution varies considerably. The same applies to the proportion of intra-group outsourcing, which ranges from 8 to 46 percent.1 Most outsourcing was within Germany. Only a small number of institutions outsource to emerging market countries.

Limits to and focus of outsourcing

The MaRisk (AT 9 item 4, notes) do not permit management functions of the management board to be outsourced. These include corporate planning, coordination, controlling and managerial appointments. They also include functions that are explicitly assigned to the management board by legislation or other regulation, for example decisions regarding large exposures pursuant to sections 13, 13a and 13b of the KWG, or the specification of strategies. The supervisory authority discovered that only one institution had outsourced management functions. BaFin insists that this situation be resolved.

Functions or organisational units that the management board uses when performing its management functions are to be distinguished from management functions in the narrow sense. They may be delegated either internally or externally by outsourcing.

IT was a key area for outsourcing in all institutions examined. BaFin also identified high levels of concentration on particular service providers, which is generally problematic as the failure of one of these service providers would affect several institutions at once. BaFin will therefore place greater emphasis on reviewing this concentration and aims to focus especially on emergency planning and exit strategies taking account of the importance of the IT functions. A further key area of outsourcing activities identified by BaFin was securities settlement. Here, institutions actually outsource to one single service provider.

Business strategies, motives and trends

The outsourced areas are often relatively important. Nevertheless, BaFin discovered in its analysis that outsourcing was not addressed appropriately in the business strategies institutions are required to define under the MaRisk. This is surprising in BaFin's view, particularly given the motives for outsourcing that institutions clearly described.

All institutions examined stated similar motives: cost savings, process optimisation and – especially in the case of IT – quality improvement, as well as access to specialist knowledge, use of synergy effects and saving of resources. Cost savings are the primary motive for all institutions. One bank also specified its special business model as a reason for outsourcing certain processes.

BaFin was unable to identify any clear trends with respect to the future development of outsourcing activities. As institutions aim to reduce their costs through outsourcing, however, outsourcing activities should not be expected to decline.

No clear trend towards outsourcing of further business areas was identified. IT services and securities settlement processes will certainly continue to be outsourced most frequently.

Observing the regulatory definition of outsourcing

The MaRisk define outsourcing as the commissioning of another company to carry out activities and processes related to the conducting of banking business, the provision of financial services or any of an institution’s other typical services that would otherwise be performed by the institution itself.2 The audit reports and assessments by BaFin give very little indication that institutions interpret this definition particularly narrowly.

Only three of the institutions examined defined outsourcing more narrowly than the supervisor and therefore did not apply the requirements for outsourcing activities. BaFin responded to this with supervisory measures.

Risk analysis

The MaRisk stipulate that institutions must carry out a risk analysis before any outsourcing. This was standard practice in all the institutions examined. However, risk analyses differed greatly from one another in their form, scope and methodology, which institutions are allowed to choose freely. This applied to the criteria determining whether outsourcing was material or non-material and to the other business areas that were included in the risk analysis.
In addition to the area being outsourced, all institutions include the risk management and legal departments in the risk analysis. In some cases the institutions even use outsourcing-specific bodies. However, according to the information available, only few institutions involve the internal auditing function in the risk analysis as required by the MaRisk. BaFin would like to remedy this.

Monitoring and management

An institution must manage the risks associated with material outsourcings in an appropriate manner and properly monitor the execution of the outsourced activities and processes (AT 9 item 7 of the MaRisk). This also includes a regular assessment of the service of the outsourcing provider on the basis of specific criteria. Visits to service providers also play an important role in the monitoring process.

The institution must assign clear responsibilities for management and monitoring. Almost all institutions meet this requirement and name responsible offices or departments, usually contact partners or departments from the unit that initiated the outsourcing or from which outsourcing took place (retained organisation). A centralised outsourcing management capable of ensuring consistent coordination and monitoring of outsourcings does not exist in many institutions, but is explicitly welcomed by BaFin. A lack of centralised outsourcing management could result in outsourcing to be managed, treated and assessed inconsistently within a single company.

No general statement can be made as to how frequently outsourcing activities are assessed. This varies from institution to institution, depending primarily on how material the outsourcings are deemed to be by the institutions. For material outsourcings, a risk assessment is carried out at least once a year, often including visits to the service provider. Particularly important outsourcing relationships are sometimes even assessed on a daily basis using reports by the service provider. In addition, ad hoc reports are often requested and evaluated in certain circumstances. BaFin regards most risk management for existing outsourcing activities as appropriate.

Exit strategies

As a rule, all banks have emergency plans for the outsourced business areas. These should take effect if the service provider is no longer able to provide the level of service required. However, the special audits commissioned by BaFin revealed deficiencies in some of the emergency plans. In one case, BaFin has already requested that the institution correct the defect immediately.

It is impossible to give across-the-board figures for the costs and time frame required to reintegrate outsourced areas or find a new service provider. Particularly in the case of outsourcing to emerging market countries, a rapid reintegration is unlikely to be possible in BaFin's view.

Conclusion

The comparative analysis of the issue of outsourcing has shown that optimisation is required in a number of areas. BaFin will therefore address this issue more strongly in future. It particularly seeks to improve the quality and completeness of the data provided in reports on the audit of the annual accounts.

BaFin would also like to tackle the issue of introducing central outsourcing units in consultation with the institutions. Moreover, BaFin plans to give special attention to emergency plans and exit strategies in IT given the major dependency on central service providers.

Footnotes

1 Based on institutions for which the total number of outsourcing activities is known.

2 “Other external procurement of services” is not considered to be outsourcing. This includes, for example, the use of central bank functions within cooperative networks by savings and cooperative banks (Finanzverbünde), such as in payment transactions.

Additional information

Did you find this article helpful?

We appreciate your feedback

Your feedback helps us to continuously improve the website and to keep it up to date. If you have any questions and would like us to contact you, please use our contact form. Please send any disclosures about actual or suspected violations of supervisory provisions to our contact point for whistleblowers.

We appreciate your feedback

* Mandatory field