On request from the German Ministry of Finance, ECB delivered an opinion, containing its observations, on a draft law that concerns the supervision of outsourcing arrangements by BaFin. ECB notes that it understands that the new powers for the supervision of external service providers are granted to BaFin without prejudice to the supervisory responsibilities established under the EU Regulation 1024/201321; this EU regulation assigns, to ECB, responsibilities as competent authority for the supervision of significant credit institutions, including the supervision of the outsourcing arrangements entered into by credit institutions with third parties. ECB also notes that once the Digital Operational Resilience Act (DORA) is adopted at the EU level, the German legislator will need to review this draft law.
In specific, the ECB opinion was requested on Article 5 of the draft German law, which introduces changes to the Law on banking, and on Article 8 of the draft law, which introduces changes to the Law on capital investment. ECB has confined its opinion to Article 5 of the draft law, which introduces changes to the Law on banking concerning BaFin’s supervision of outsourcing arrangements entered into by credit institutions. The draft law introduces a wide definition of what is regarded as an "external service provider," a term that includes any company to which a credit institution has outsourced activities or processes to execute its ordinary services. In general, ECB notes that enhancing the digital operational resilience of credit institutions by extending supervisory powers directly to external service providers is a topical issue that needs to be addressed. Thus, it is understood that the German legislator will review the draft law once the DORA proposal of EC is adopted to ensure full consistency with the EU legislation. However, once EU legislation is adopted, the draft law will require additional adaptation, not just by the legislator but also on the part of credit institutions and their external service providers.
Additionally, ECB observes that certain aspects of the draft law go beyond the scope of the EBA guidelines on outsourcing arrangements (EBA/GL/2019/02), such as the obligation on credit institutions to ensure contractually that the external service provider appoints an authorized agent in Germany to whom BaFin may serve documents and notifications. Some of these requirements, such as the new power granted to BaFin to issue orders directly to external service providers to which material activities and processes have been outsourced, combined with the power to impose sanctions if such orders are not complied with, go beyond the traditional construct of the Capital Requirements Directive, where the role of the competent authorities is articulated exclusively vis-à-vis the credit institution, which is the addressee of potential decisions or supervisory measures aimed at reducing the risk posed by a particular outsourcing arrangement.
Related Link: Opinion (PDF)
Keywords: Europe, EU, Germany, Banking, Opinion, Outsourcing Arrangements, DORA, Cloud Computing, Operational Resilience, CRD, ECB
Previous ArticleEBA Publishes Single Rulebook Q&A Updates in February 2021
The European Commission (EC) published a report summarizing responses to the targeted consultation on the supervisory convergence and the single rulebook in the European Union (EU).
The Office of the Superintendent of Financial Institutions (OSFI) published an update on the discussion paper that intended to engage federally regulated financial institutions and other interested stakeholders in a dialog with OSFI, to proactively enhance and align assurance expectations over key regulatory returns.
The European Central Bank (ECB) published its opinion on a proposal for a regulation on European green bonds, following a request from the European Parliament.
The Advisory Scientific Committee (ASC) of the European Systemic Risk Board (ESRB) published a report that explores the expected impact of digitalization on provision of financial and banking services, and proposes policy measures to address the risks stemming from digitalization.
The European Banking Authority (EBA) announced that the guidelines on the reporting and disclosure of exposures subject to measures COVID-relief measures shall continue to apply until further notice.
The Swedish Financial Supervisory Authority (FI) announced that the capital adequacy reporting as at December 31, 2021 must be done by February 11, 2022.
The Central Bank of the Philippines (BSP) issued communications covering developments related to online lending platforms, open finance framework and roadmap, and on the expected regulations in the area sustainable finance.
The Board of Governors of the Federal Reserve System (FED) published the final rule that amends Regulation I to reduce the quarterly reporting burden for member banks by automating the application process for adjusting their subscriptions to the Federal Reserve Bank capital stock, except in the context of mergers.
The European Banking Authority (EBA) published its assessment of risks through the quarterly Risk Dashboard and the results of the Autumn edition of the Risk Assessment Questionnaire (RAQ).
The Malta Financial Services Authority (MFSA) updated the guidelines on supervisory reporting requirements under the reporting framework 3.0.