Regulatory notifications
5. Does the outsourcing need to be notified to the regulator?

As of 1 January 2022, the Financial Market Integrity Strengthening Act (Finanzmarktintegritätsstärkungsgesetz ("FISG")) amended the German Banking Act (Kreditwesengesetz ("KWG")), the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz ("ZAG")), the Securities Institutions Act (Wertpapierinstitutsgesetz ("WpIG")) and the Capital Investment Code (Kapitalanlagegesetzbuch ("KAGB")), which oblige institutions in the financial sector to notify the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht ("BaFin")) of significant outsourcing. For insurance undertakings, such a requirement existed before the FISG was adopted.

Under the KWG (Section 24 (1) No. 19 of the KWG), banks and financial services providers must notify the BaFin of their planned outsourcing of material functions that have a material effect on their business activities, as well as of the actual implementation, material changes and severe incidents. The notification needs to be provided to the BaFin before the outsourcing agreement comes into effect. There is no fixed deadline, but in practice the notification is often provided much earlier and preceded by even earlier informal exchanges with the BaFin.

The notification requirement also applies to the subsequent implementation of the outsourcing, to material changes and to material incidents in the framework of an outsourcing.

The same requirement of prior notification exists for the following:

  • Payment institutions and e-money institutions under Section 26 (2) of the ZAG
  • Investment firms under Section 64 (1) No. 13 of WpIG
  • Alternative investment fund managers ("AIFMs") and UCITS managers under Section 36 (2) of the KAGB
  • Payment services providers under Section 26 (2) of the ZAG
  • Insurance undertakings under Section 47 No. 8 of the German Insurance Supervision Act (Versicherungsaufsichtsgesetz ("VAG"))

The requirement to notify the BaFin of outsourcing, of material changes and of material incidents in the framework of an outsourcing applies under the WpIG, but not under the KAGB, the ZAG or the VAG, although under the KAGB, the BaFin must be notified of material changes to the outsourcing arrangement.

Subject to certain special cases (outsourcing of internal security measures in connection with money laundering; outsourcing of portfolio or risk management by fund managers), no approval from the BaFin is required. However, the BaFin can prohibit outsourcing if regulatory requirements are not complied with. If the BaFin's ability to audit and control the outsourced activities is impaired, it may give special instructions to remove these impediments. For insurance undertakings, it is customary to wait for a declaration of no objection from the BaFin before proceeding with the outsourcing.

The outsourcing institution must have an outsourcing register.

Under the FISG, the following applies:

  • Non-EU outsourcing providers must contractually agree to appoint a local agent to receive service of BaFin communications.
  • The BaFin has the power to issue direct instructions to outsourcing providers to which material activities have been outsourced, in order to prevent violations of regulatory provisions and to prevent circumstances that endanger the security of the assets entrusted to the outsourcing institution or that could impair the proper operation of the outsourcing institution's business.

These powers apply to credit institutions, financial services providers, investment firms, UCITS managers, AIFMs and insurance undertakings.

In relation to outsourcing of internal security measures under the German Money Laundering Act (Geldwäschegesetz ("GWG")), the former approval requirement has been replaced by an obligation to notify the BaFin beforehand (Section 6 (7) of the GWG). Internal security measures include IT measures pursuant to Section 25 h (2) of the KWG that monitor business relationships and payment transactions for signs of unusual transactions or transactions without apparent commercial purpose in order to detect money laundering, terrorism finance or fraud. Any use of cloud services for that purpose would also need to be notified to the BaFin.

Section 3 of the Notification Ordinance (Anzeigenverordnung ("AnzV")) details the notification requirements. For example, this includes the following:

  • A reference number assigned by the institution for each outsourcing contract
  • Information on the beginning and end of the contract term and, if applicable, on the date of the next contract renewal and on the notice periods
  • The designation of the essential activities and processes that are outsourced or are to be outsourced, including an indication of the categories of data affected by the outsourcing, as well as whether personal data will be transferred and whether the outsourcing company will be entrusted with the processing of personal data
  • The result of an assessment of any of the following:
    • The substitutability of the outsourcing entity by assigning it to the categories of "easy," "difficult" or "impossible"
    • An indication of the possibility of reintegration of the essential activity or process into the institution
    • The effect of any discontinuance of the essential activity or process
  • A determination over the existence of alternative outsourcing entities pursuant to the assessment in paragraph 17(a)
  • An indication of whether the essential activity or process to be outsourced supports business operations that are time critical
  • The annual budget estimated for the outsourcing or the associated costs

On request of the BaFin, the draft outsourcing agreement will be submitted.

All filings must be made electronically.