IT security & outsourced activities and processes according to MaRisk AT 9
In the MaRisk (Minimum Requirements for Risk Management) regulations, the Federal Financial Supervisory Authority (BaFin) has set out a strict set of rules that banks and financial service providers must comply with when outsourcing processes. Special requirements apply specifically to outsourced activities and processes.
- The BaFin definition of outsourced activities and processes according to MaRisk
- Based on risk analysis
- Outsourcing management for complex outsourcing
- Despite outsourcing: Responsibility remains with the institution
- The highest demands on service providers
- Contractual requirements for material outsourced activities and processes (MaRisk AT 9, No. 7)
- Compliance with MaRisk AT 9 & section 25a KWG: Myra Security is ready
The BaFin definition of outsourced activities and processes according to MaRisk
Companies in the financial industry must comply with strict guidelines when outsourcing IT. In BaFin’s Minimum Requirements for Risk Management (MaRisk), outsourced activities and processes are “activities and processes relating to the execution of banking business, financial services or any of an institution’s other usual services that would otherwise be provided by the institution itself.” According to section 25b of the Banking Act (KWG), institutions are required to make appropriate arrangements in order to avoid incurring excessive additional risks, regardless of the type of outsourcing: “Outsourcing shall impair neither the proper execution of such business and services nor the business organisation within the meaning of section 25a (1).”
Based on risk analysis
Based on risk analysis, the institution must determine whether each outsourced service constitutes “material outsourced activities and processes.” Material outsourced activities and processes are those services that the institution itself has defined as material in terms of risk. The risk analysis must take place prior to outsourcing and be repeated on an ongoing basis; however, MaRisk does not specify what this involves in detail. BaFin recommends that material outsourced activities and processes be reanalyzed once per year, and non-material outsourced activities and processes every three years.
Once the institution classifies individual activities and processes as material in the risk analysis, they must be handled in compliance with the (minimum) requirements of MaRisk. Outsourced activities and processes that are not regarded as material in terms of risk are subject to the general requirements relating to a proper business organization pursuant to section 25a (1) of the Banking Act (KWG).
Outsourcing management for complex outsourcing
In the case of larger institutions, which have to manage many types of outsourcing, this is done via central outsourcing management, which prepares an annual report on all material outsourced services and processes for the supervisory authority. BaFin also stipulates that institutions must ensure the implementation and further development of outsourcing management and corresponding control and monitoring processes. Ongoing documentation of outsourced activities and processes as well as coordination and review of risk management must also be ensured.
Despite outsourcing: Responsibility remains with the institution
Despite the outsourcing of processes, responsibility always remains with the management of the client, i.e. with the management of the company that is outsourcing. For this reason, MaRisk also requires safeguards to ensure the continuity and quality of the outsourced activities and processes after the relationship with the service provider ends. The same applies to the exit process, for example when changing service providers. According to MaRisk, however, the management board’s own management tasks cannot be outsourced at all.
The highest demands on service providers
To comply with the regulatory requirements for material outsourced activities and processes, financial institutions always take great care in choosing their service providers, and they continuously review whether the services being provided still meet the strict requirements. The interpretation guidelines for MaRisk written by the DSGV (German Savings Banks and Giro Association) and the MaRisk experts of the Sparkassen-Finanzgruppe define the criteria for selecting external service providers as follows:
- The business processes of the outsourcing company are organized to be efficient and effective.
- The staff meets the qualitative requirements for the provision of services.
- The remuneration system complies with the statutory requirements.
- By outsourcing, processes can be handled at the same or higher level of quality compared to the in-house solution.
- The service company is also able to take the institution’s individual concerns and specific processes into account.
- There must be measurable quality criteria based on Service Level Agreements (SLAs).
- To ensure that outsourcing is being monitored, the outsourcing company must provide detailed reports.
- The outsourcing company conducts itself in compliance with the legal requirements.
Contractual requirements for material outsourced activities and processes (MaRisk AT 9, No. 7)
The services to be provided, auditing rights, powers to give instructions, and notice periods must be specified in a comprehensive outsourcing contract to formally ensure the continuity and quality of the outsourced processes. The contractual relationship must also include rules covering subcontracting, i.e. cases in which the service provider in turn engages a subcontractor to perform the services. Particular attention is paid here to a possible right to reserve approval of subcontractors and to the obligation to pass information along the entire supply chain up to the institution.
Compliance with MaRisk AT 9 & section 25a KWG: Myra Security is ready
Myra unconditionally meets all of the requirements for outsourced activities and processes set out in MaRisk AT 9 & section 25a KWG. Prestigious companies and organizations from the financial industry have been using Myra’s Security-as-a-Service platform for years, covering both their cybersecurity and compliance needs.