On request from the German Ministry of Finance, ECB delivered an opinion, containing its observations, on a draft law that concerns the supervision of outsourcing arrangements by BaFin. ECB notes that it understands that the new powers for the supervision of external service providers are granted to BaFin without prejudice to the supervisory responsibilities established under the EU Regulation 1024/201321; this EU regulation assigns, to ECB, responsibilities as competent authority for the supervision of significant credit institutions, including the supervision of the outsourcing arrangements entered into by credit institutions with third parties. ECB also notes that once the Digital Operational Resilience Act (DORA) is adopted at the EU level, the German legislator will need to review this draft law.
In specific, the ECB opinion was requested on Article 5 of the draft German law, which introduces changes to the Law on banking, and on Article 8 of the draft law, which introduces changes to the Law on capital investment. ECB has confined its opinion to Article 5 of the draft law, which introduces changes to the Law on banking concerning BaFin’s supervision of outsourcing arrangements entered into by credit institutions. The draft law introduces a wide definition of what is regarded as an "external service provider," a term that includes any company to which a credit institution has outsourced activities or processes to execute its ordinary services. In general, ECB notes that enhancing the digital operational resilience of credit institutions by extending supervisory powers directly to external service providers is a topical issue that needs to be addressed. Thus, it is understood that the German legislator will review the draft law once the DORA proposal of EC is adopted to ensure full consistency with the EU legislation. However, once EU legislation is adopted, the draft law will require additional adaptation, not just by the legislator but also on the part of credit institutions and their external service providers.
Additionally, ECB observes that certain aspects of the draft law go beyond the scope of the EBA guidelines on outsourcing arrangements (EBA/GL/2019/02), such as the obligation on credit institutions to ensure contractually that the external service provider appoints an authorized agent in Germany to whom BaFin may serve documents and notifications. Some of these requirements, such as the new power granted to BaFin to issue orders directly to external service providers to which material activities and processes have been outsourced, combined with the power to impose sanctions if such orders are not complied with, go beyond the traditional construct of the Capital Requirements Directive, where the role of the competent authorities is articulated exclusively vis-à-vis the credit institution, which is the addressee of potential decisions or supervisory measures aimed at reducing the risk posed by a particular outsourcing arrangement.
Related Link: Opinion (PDF)
Keywords: Europe, EU, Germany, Banking, Opinion, Outsourcing Arrangements, DORA, Cloud Computing, Operational Resilience, CRD, ECB
Previous ArticleEBA Publishes Single Rulebook Q&A Updates in February 2021
The three European Supervisory Authorities (ESAs) issued a letter to inform about delay in the Sustainable Finance Disclosure Regulation (SFDR) mandate, along with a Call for Evidence on greenwashing practices.
The International Sustainability Standards Board (ISSB) of the IFRS Foundations made several announcements at COP27 and with respect to its work on the sustainability standards.
The International Organization for Securities Commissions (IOSCO), at COP27, outlined the regulatory priorities for sustainability disclosures, mitigation of greenwashing, and promotion of integrity in carbon markets.
The European Banking Authority (EBA) issued a statement in the context of COP27, clarified the operationalization of intermediate EU parent undertakings (IPUs) of third-country groups
The Office of the Superintendent of Financial Institutions (OSFI) published an annual report on its activities, a report on forward-looking work.
The Australian Prudential Regulation Authority (APRA) finalized amendments to the capital framework, announced a review of the prudential framework for groups.
The Bank for International Settlements (BIS) Innovation Hubs and several central banks are working together on various central bank digital currency (CBDC) pilots.
The European Central Bank (ECB) published the results of its thematic review, which shows that banks are still far from adequately managing climate and environmental risks.
Among its recent publications, the European Banking Authority (EBA) published the final standards and guidelines on interest rate risk arising from non-trading book activities (IRRBB)
The European Commission (EC) recently adopted regulations with respect to the calculation of own funds requirements for market risk, the prudential treatment of global systemically important institutions (G-SIIs)