The MaRisk expert committee discussed fundamental questions of interpretation and application as well as audit-relevant issues. The expert committee consists of experts from institutes, auditors, association representatives and supervisors. The following article summarizes the exchange with BaFin on topics of IT governance. The topic of outsourcing is particularly in focus, as a large number of questions on this topic arose during the sessions.
The minutes of the meetings also give an outlook on the topics addressed as well as on the publication date of the 7th MaRisk Amendment.
Determination of an intention to outsource
- The supervisory authority is in agreement on when an intention to outsource exists: it exists if there is a decision of the institute’s internal committee to conclude a draft contract for the planned material outsourcing.
- The execution of the outsourcing begins from the time of use.
- An approval process by the supervisory authority for outsourcing is not planned, but a reasonable review time before enforcement would be desirable, according to the supervisory authority.
AT 9 Tz. 7
The substitution possibilities offered by the BT 2.1 Tz. 3 (Tasks of Internal Audit) MaRisk with regard to auditing actions in outsourced activities and processes are also applicable to non-essential outsourcing.
Requirements for outsourcing activities and processes
AT 9 Tz. 11
With each outsourcing, the “risks from relocations” (AT 9 Tz. 2 MaRisk) have to be evaluated. This means that any analysis of the risks associated with outsourcing must always subject all relocations existing at that time to a risk analysis, otherwise a comprehensive risk assessment of the outsourcing is not possible.
AT 9 Tz. 12
- The outsourcing officer is defined by the internal documentation, e.g. in the business distribution plan (GVP).
- There is no obligation to notify BaFin.
- The tasks according to AT 9 Tz. 12 are to be assigned to the responsibility of the central outsourcing officer.
- The outsourcing officer can, for example, use central outsourcing management as well as other departments of the bank, as long as the responsibilities are clearly regulated.
Reporting and Publication Platform (MVP)
- The Expert Committee MaRisk has specified the topic of reporting and publication platforms in accordance with § 24 para. 1 no. 19 KWG in more detail and determined the submission method bindingly.
- The notification will be made electronically via the MVP of BaFin. The data is automatically forwarded to the Deutsche Bundesbank via an interface. To use the MVP, a registration of the institutes is required.
- The procedure of the MVP portal for the display of outsourcing will only go live when the advertising ordinance comes into force. New significant outsourcing of the institutions is to be reported from 01.01.2022 or the entry into force of the amended notification ordinance. Inventory reports are to be reported via the MVP by 31.12.2022.
- At the present time, it is planned not to submit the serious incidents via the MVP for the time being, as there may be double reports. The problem of double reporting, in particular with regard to the ECB and PSD2 reporting, is already the focus of supervision.
Effectiveness and adequacy of the emergency approach
AT 7.3 Tz. 3
BaFin clarifies that all activities and processes must be reviewed with every possible emergency scenario – taking into account all relevant damage scenarios at least annually.
However, companies have a margin of discretion in defining what their time-critical activities and processes are and which damage scenarios are relevant for each of them.
Outlook on the 7th MaRisk Amendment
BaFin informs that a publication of the revised MaRisk version is planned for Q4 2022.
The following topics are addressed in more detail in the 7th amendment.
- Procedure for implementing the EBA Guidelines on Lending and Monitoring
- Direct investment in real estate
- Special Funds
- Business model analysis
- Trading in the home office
BaFin will make greater use of references to the EBA Guidelines on Risk Management in order to speed up the implementation of the 7th Amendment. The principle of proportionality and principle orientation is to be upheld through national opening clauses and facilitation for small and medium-sized institutions, as the detailed and prescriptive requirements of the EBA guidelines jeopardise the principle of proportionality.