Government bill to strengthen financial market integrity

Strengthening of financial supervision in the area of outsourcing

As a result of the events in the Wirecard case, the government felt compelled to revise the existing regulations on balance sheet control, auditing and financial market supervision and to strengthen the rights of the financial market supervisory authority towards a balance sheet control procedure that is more strongly characterized by state sovereignty. The government bill should also regulate a side aspect, namely outsourcing in the area of financial supervision.

The existing two-tier balance sheet control procedure has reached its limits with regard to fraudulent structures with international dimensions and could  be fundamentally revised by a law to strengthen financial market stability ("FISG"). The speaker's draft has been published and will be commented on. As a result, a system that is more strongly influenced by state sovereignty with direct sovereign powers of BaFin is to ensure a higher level of security and integrity in the future.

Strengthening BaFin's own examination rights

In order to achieve improved balance sheet control, the BaFin is to be granted stronger auditing and information rights. These include a separate right of examination vis-à-vis all capital market-oriented companies, including the right to information vis-à-vis third parties, the possibility of forensic examinations and the right to inform the public earlier than hitherto about the balance sheet control procedure. This core area of the FISG-E will be enhanced by new regulations for auditors, criminal law relating to balance sheets and money laundering law.

The present article ties in with the recently published article "Overview of the central contents from the point of view of listed companies and their organs" and continues this with the change of the outsourcing law provided for in the FISG.

The aspect of supervision of outsourcing relationships in particular was seen as a regulatory gap in connection with the events surrounding Wirecard AG, as BaFin was unable to supervise and audit Wirecard AG as an outsourcing company of Wirecard Bank AG on the basis of existing law, apart from special audits pursuant to Section 44 of the German Banking Act (KWG), to a sufficient extent. The FISG-E now provides for the supervision of outsourcing companies to be regulated more closely and for BaFin to be granted more extensive auditing rights than before.

Immediate intervention options and tightening of fines

The FISG-E provides for changes to the regulations on outsourcing for the KWG, the ZAG, the KAGB and the WpHG, which are largely identical. No changes to the VAG are planned; BaFin, according to the reasoning, already has all necessary powers of intervention in the insurance sector.

In the future, BaFin will have direct powers of intervention with respect to external service providers that are not themselves supervised, not only in the context of special audits, but in principle. In addition, new notification obligations will be created and fine regulations will be expanded and tightened. In order to further improve supervision, an obligation to appoint authorised representatives for the service of documents in cases where outsourcing companies have their registered office outside the EEA is also planned. Of particular practical relevance here are the USA, China, India, Russia, Japan and Switzerland.

Extension of the definition of outsourcing company 

The change in the law redefines the term outsourcing company - in each case by inserting a new legal definition in Section 1 para. 10 KWG and Section 1 para. 10a ZAG. Up to now, Section 44 para. 1 sentence 2 Hs. 2 KWG contains a rudimentary legal definition of the outsourcing company, which would be replaced by the planned new legal definition and the content would be significantly deepened and extended. So far, the ZAG does not contain any legal definition, even a rudimentary one. The introduction of the legal definitions in Section 1 (10) KWG and Section 1 (10a) ZAG will expressly unify the definition by law and thus create the basis for more far-reaching audit and control rights than before. In terms of substantive law, this aspect is expressed in particular by the fact that the term - in contrast to Section 44 (1) sentence 2 Hs. 2 KWG and the previous administrative practice - is also extended to include companies that carry out non-substantial outsourcing for a supervised company as well as sub outsourcing companies that take over essential activities and processes within the scope of an outsourcing.

According to the justification of the FISG-E, this is to ensure that service providers are also included as outsourcing companies if they do not provide their services directly for an institute, but for other outsourcing companies, which in turn "pass on" the services. The respective legal definition also serves as a clarification of the scope of the powers of BaFin. According to the new regulation, it is irrelevant with regard to the powers of intervention of BaFin whether the company is a supervised or non-supervised company. As a result, a large number of previously unsupervised companies are now included in the supervisory radar of BaFin. These include companies that belong to the group of the supervised company and provide outsourcing services within the group, or companies that are themselves supervised by BaFin but, in addition, provide activities and processes for other supervised companies as outsourcing companies. Finally, this also affects the large number of group-independent companies that are to be classified as outsourcing companies under the new law.

Notification requirements and outsourcing register

New disclosure requirements, such as those relating to the intention of significant outsourcing, the completion of significant and non-material outsourcing and any change in the assessment of the materiality of an outsourcing, are intended to prevent concentration risks. They should also help BaFin to improve the overview of existing outsourcing and outsourcing companies. In addition, in the future, the institutions will have to set up a detailed outsourcing register from which all material and non-material outsourcing can be identified.

With regard to the new regulation of the notification obligations, it should be noted that these go back to the legal situation in 1998. The first-time regulation of outsourcing as a result of the implementation of the Investment Services Directive by the 6th Amendment to the German Banking Act (KWG) provided in Section 25a (2) sentence 3 KWG old version for an obligation to give notice of intent and execution with regard to significant outsourcing. At the request of the associations, however, these notification obligations were abolished as too costly and replaced by an explicit regulation of information rights by BaFin with effect from November 1, 2007. If requested by BaFin, these could still include corresponding notification obligations of individual companies in individual cases. Nevertheless, the abolition of the general obligations to notify intentions and execution resulted in a change towards a self-responsible, principle-oriented approach to (particularly significant) outsourcing, which is now likely to be reversed against the background of the Wirecard incidents.  

Special consideration of third countries

In the context of outsourcing to companies based in a third country, the draft stipulates that in future institutions must contractually ensure that a domestic  uthorized recipient is appointed for these companies, to whom the BaFin can make announcements and notifications. In this case, it can certainly be considered to have the authorized recipient located at the outsourcing company.

Direct instruction, examination and information rights

Furthermore, BaFin is to be granted the authority to issue instructions directly to outsourcing companies. Furthermore, the authority should be able to intervene with companies in Germany and abroad. The supervisory starting point for these powers of intervention would be that activities and processes are affected which are performed for a supervised company. Powers of intervention abroad, in particular vis-à-vis companies that do not belong to the group of the outsourcing company, are likely to have to be discussed on a case-by-case basis under aspects of administrative conflict of laws and international law. It is not to be expected that third countries will easily allow foreign administrative actions in their own country.  

The envisaged powers vis-à-vis outsourcing companies are far-reaching and are intended to ensure compliance with regulatory requirements along an increasingly fragmented value chain. For example, the BaFin could order the outsourcing company to take certain measures to remedy specific violations, but also - independently of a specific violation - order, for example, the development of sufficient expertise in the management or changes in the business organization of the outsourcing company.

In an extreme case, it would thus be conceivable that BaFin could now also demand changes in the management of purely technical service companies, if they were responsible for serious supervisory violations. Of course, such powers of intervention - at the latest under the German constitution - have their limits. It is obvious that this will lead to conflicts with the rights of participation and co-determination under company law. The principle of proportionality, which must be considered with each national intervention action, is surely again tested here again.  

In addition, the BaFin is to be given extensive rights of examination and information vis-à-vis outsourcing companies if an institution or superordinate company has outsourced essential activities and processes within the meaning of § 25b or if it is an outsourcing pursuant to Section 25h (4) or Section 6 (7) GwG.

Possible paradigm shift

Particularly with regard to direct rights of instruction, examination and information, the draft law goes considerably beyond the powers of intervention to which the BaFin is entitled under the current legal situation, in particular with regard to the relevant EBA guidelines for outsourcing. So far, supervision - also in outsourcing constellations - has mainly focused on the supervised outsourcing company. The latter has to ensure through the contractual arrangement with the outsourcing company that the BaFin can also exercise its auditing and information rights along the outsourcing chain.

BaFin does not currently have any direct supervisory powers outside of the special audit rights under Section 44 KWG. This would change radically. In addition, the planned changes in the law would also bring non-substantial outsourcing much more into focus than before. This must be taken into account and also corrected when drafting the corresponding contracts.

One can perhaps even speak of a paradigm shift in the supervision of outsourcing, from which a number of follow-up questions arise:

  • Will the ultimate responsibility for the activity to be performed still remain with the outsourcing company?
  • What level of detail in the service descriptions and instruction rights will be required in the future if BaFin can or should also exercise direct powers of intervention?
  • What differences will exist in the future between significant and non-essential outsourcing with regard to regulatory requirements - and what practical significance will this distinction, which can be designed by the institutions, still have in the future?

Answers to these and other questions will only be legally certain when a new administrative practice of BaFin and ECB will be developed with regard to the future legal situation. The next but one amendment to MaRisk is expected to provide additional information in this respect.  

Need for Action

In view of the foreseeable changes, however, it is already necessary to take into account the anticipated need for adjustment when planning and designing existing and new outsourcing relationships. Even companies that have so far only been linked to their outsourcing company as service providers must be prepared for changes in supervisory practice and must be prepared to be directly subject to supervision by BaFin and the ECB in the future.

Did you find this useful?