After more than three years since the last MaRisk [Mindestanforderungen an das Risikomanagement (minimum risk management requirements)] amendment, the BaFin [Bundesan­ stalt für Finanzdienstleistungsauf­ sicht (Federal Financial Supervisory Authority)] has presented a consultation draft for the 2016 MaRisk amendment. BaFin’s letter and the (marked-up) draft version  of the MaRisk can be found under Veroeffentlichungen/DE/ Konsultation/2016/kon_0216_ marisk-novelle_2016.html.

With the consultation draft, the BaFin is reacting to – among other things – the increasingly more prominent issues of risk data aggregation / risk reporting and requirements for an appropriate risk culture in institutions. Along with these issues, important changes have arisen, primarily with regard to outsourcing.

Risk culture and risk appetite

Executive management must ensure that an appropriate risk culture is developed and supported in the institution. This is to be understood as the manner in which employees deal with risk, whereby executive management must define and communicate a so-called risk appetite, which, however, is not yet defined in greater detail. But this will likely be synonymous with a kind of tolerance threshold for risk.

Implementation  steps:  definition and communication of risk appetite, presumably as part of the institution’s risk strategy, and a risk culture derived from this

Risk data aggregation and risk reporting

The new regulations in AT [General Section] 4.3.4 regarding data management, data quality, and the aggregation of risk data management are supposed to ensure that at large and complex institutions (at both group level and institution level),  the IT infrastructure allows for a comprehensive, accurate and prompt aggregation of an institution’s risk positions and the ability to swiftly provide this information to the bank’s reporting system. Affected in any case are institutions with balance sheet totals of more than 30 billion euros. In this case, corresponding mandatory principles for data management, data quality and aggregation, thus a “risk data policy”, must be determined. In the process, in terms of content it must be ensured that the corresponding data can be unequivocally identified, aggregated and evaluated. Another requirement is that the data must have a standard architecture with regard to classifications.

Implementation steps: review of whether IT systems can fulfil the requirements; determination of a corresponding mandatory internal “risk data policy”

External procurement of core banking system software and services = outsourcing / further requirements with regard to the outsourcing of core banking areas and important control areas

The BaFin makes it clear that the external procurement of core banking system software and corresponding specialized support services must be considered outsourcing if the core banking systems are adapted to the institution’s individual needs or combined with corresponding services from third parties.

Also important is the planned new regulation in AT 9 no. 5, according to which outsourcing in core banking areas and important control areas will be permissible only if the knowledge and experience required to ensure effective control and, if necessary, insourcing of the outsourced areas is available within the institution itself. A complete outsourcing of the risk control function will in future no longer be possible at all. A complete outsourcing of internal auditing or the compliance function will be possible, if at all, only for small institutions.

In AT 9 no. 9, the consultation draft also dictates that for the complete outsourcing of control areas (insofar as this is even possible, according  to the aforementioned) or core banking areas, an outsourcing commissioner is to be appointed for each outsourced area. Previously, this was stipulated only for the outsourcing of internal auditing.

Implementation steps: review of whether existing contracts have the necessary wording in light of these requirements for outsourcing contracts; if necessary, adjustment of risk analysis

Regular and event-driven risk analysis

According to the consultation draft, it is explicitly insufficient to adjust the outsourcing risk analysis solely in cases of change. Rather, the BaFin makes it clear that risk analysis must not only be event- driven but must also (independently of events) be regularly reviewed and, if necessary, adjusted (see AT 9 no. 2).

Implementation steps: adjustment of the internal requirements of the written rules of procedure regarding the regular review of risk analysis

Establishment of a central outsourcing management department

The planned requirement for a central outsourcing management department is also to be viewed in connection with the aforementioned changes. The central management department is primarily supposed  to ensure compliance with internal and statutory requirements for out-sourcing (on the individual responsibilities, see AT 9 no. 11)  and coordinate and review the performance of the outsourcing risk analysis by the responsible divisions. Building on these obligations, BT [Special Section] 3.5 provides for a regular reporting obligation of the central outsourcing management department to the executive management. Accordingly, a report must be prepared at least once a year on important outsourcings and the associated findings.

Implementation steps: establishment of a corresponding outsourcing management function; securing the centralization of information / contracts

Specifications with regard to terminations of outsourcing

With regard to intended or expected terminations of outsourcing, the consultation draft explicitly dictates in AT 9 no. 6 that specific exit strategies subject to regular and event-driven reviews must be determined.

Implementation steps: review and, if necessary, adjustment of the corresponding contracts; if necessary, the creation of sample requirements

Specification of requirements for outsourcing contracts; in particular: sub-outsourcing

Decisive changes and specifications should also be expected with regard to the list of (minimum) requirements for outsourcing contracts under AT 9 no. 7. This includes the clarification that outsourcing contracts must provide for the BaFin’s “unrestricted” information and auditing rights. In addition, regulations in outsourcing agreements should ensure not only compliance with the provisions of data protection laws, but also “other security requirements” (above all access regulations with respect to premises and buildings as well as software access authorizations for the protection of important data and information). Further, outsourcing contracts in cases of the procurement of software for identifying, assessing, controlling, monitoring, and communicating risks should provide for a duty to release meaningful information about fundamental assumptions and parameters and about changes to these assumptions and parameters.

With regard to sub-outsourcing, either approval provisos or specific preconditions are required in outsourcing contracts, defining when the sub-outsourcing of individual work and process stages is feasible. In addition, an obligation of the sub-outsourcing enterprise  to provide information to the outsourcing institution must be established, which also applies to the reporting obligation vis-à-vis  the outsourcing institution.

With regard to termination rights agreed in outsourcing contracts, the BaFin also wants to ensure that institutions determine what degree of poor performance by the external company is still or no longer acceptable; (special) termination rights are to be established for the case of continuously falling short of established limits.

Implementation steps: review and, if necessary, adjustment of the corresponding contracts; if necessary, the creation of sample requirements.