Law on Strengthening the Financial Market Integrity

The existing two-tier balance sheet control procedure of supervised financial market participants such as banks, financial service providers and payment service providers reached its limits last year with regard to fraudulent structures with international dimensions. The control mechanisms are now fundamentally revised by a law on Strengthening Financial Market Integrity ("FISG"). The law was promulgated on 10 June 2021. Central changes to the supervisory mechanism are already in force since 1 July 2021 or will additionally come into force at the beginning of 2022. In result, a more state-sovereign system with directly sovereign competences of BaFin is intended to ensure a higher level of security and integrity for the future.

Strengthening BaFin's own examination rights

In order to achieve improved balance sheet control, BaFin is provided with stronger audit and information rights. This includes a separate audit right vis-à-vis all capital market-oriented companies, including information rights vis-à-vis third parties, the possibility of forensic audits as well as the right to inform the public earlier than before about procedures in balance sheet audits. This core area of the FISG is supplemented by new regulations for auditors, accounting criminal law and money laundering law.

This article follows on from the previously published article "Overview of the Central Contents from the Perspective of Listed Companies and their Boards" (“Überblick zu den zentralen Inhalten aus Sicht börsennotierter Unternehmen und ihrer Organe”) and continues with the changes regarding outsourcing law provided in the FISG.

In connection with the incidents surrounding Wirecard AG, the aspect of supervising outsourcing relationships in particular was seen as a supervisory vacuum. BaFin was only insufficiently able to supervise and examine Wirecard AG as outsourcing company of Wirecard Bank AG on the basis of existing law, except for special audits pursuant to Section 44 of the German Banking Act (Kreditwesengesetz – KWG). The FISG now provides for the supervision of outsourcing companies to be regulated more closely and for BaFin to have more far-reaching examination rights than before.

Direct intervention possibilities and tightening of administrative fines

The FISG foresees changes to the regulations on outsourcing for the KWG, the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz - ZAG), the German Capital Investment Code (Kapitalanlagegesetzbuch – KAGB) and the German Securities Trading Act (Wertpapierhandelsgesetz – WpHG), which are largely concurrent. In contrast, outsourcing-related amendments to the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG) are not subject of the FISG. According to the grounds of the FISG, BaFin already has all the necessary intervention rights in the insurance sector.

BaFin is now provided with direct intervention powers vis-à-vis external service providers that are not subject to BaFin supervision itself – not only in the context of special audits, but independently. In addition, FISG intends to establish new notification obligations and to expand and tighten provisions on fines. To improve supervision further, an obligation to appoint authorized recipient is established for cases in which outsourcing companies have their registered office outside the EEA. Here, of particular practical relevance are outsourcing relationships to Switzerland and the USA as well as to China, India, Russia and Japan.

Extension of the Outsourcing Company Definition

The amendments to the supervisory laws provided in the FISG redefine the term "outsourcing company" - by inserting a new legal definition in Sect. 1 par. 10 KWG and Sect. 1 par. 10a ZAG. Sect. 44 par. 1 sentence 2 sub-sentence 2 KWG has so far contained a rudimentary legal definition of the outsourcing company, which would be replaced by the proposed new legal definition and significantly deepened and expanded in terms of content. The ZAG does not yet contain a legal definition, even not a rudimentary one. The implementation of the legal definitions in Sect. 1 par. 10 KWG and Sect. 1 par. 10a ZAG would explicitly harmonise the legal outsourcing company definitions and thus create the basis for more far-reaching audit and control rights. This aspect is expressed in a material-legal manner in particular by the fact that the outsourcing company definition is extended to such companies that carry out non-significant outsourcing for a supervised company, as well as to sub-outsourcing companies that carry out significant activities and processes within the scope of an outsourcing. These expansions contrast the current outsourcing company definition of Sect. 44 par. 1 sentence 2 sub-sentence 2 KWG and the previous administrative practice.

According to the grounds of the FISG, this is meant to ensure that service providers which do not provide their services directly for an institution but for other outsourcing companies, which in turn pass on the services to the institution (or further sub-outsourcing companies), are also included as outsourcing companies. The respective legal definition also serves to clarify the scope of BaFin's competences. According to the new regulation, it is irrelevant with regard to BaFin's intervention rights whether it is a supervised or a non-supervised company. As a result, a large number of previously unregulated companies will come under BaFin's supervisory radar. These include companies that belong to the group of the supervised company and provide internal outsourcing services, or companies that are supervised by BaFin themselves but, in addition, provide activities and processes as outsourcing companies for other supervised companies. Finally, especially in the IT sector, this also affects a large number of independent companies that are to be classified as outsourcing companies under the new law and become the subject of independent audit activities by BaFin.

Notification Obligations and Outsourcing Register

New notification requirements, such as with regard to the intention of significant outsourcing, the execution of significant and non-significant outsourcing as well as any change in the assessment of the significance of outsourcing, are intended to prevent concentration risks. They are also intended to improve BaFin's overview of existing outsourcing and outsourcing companies. In addition, the institutions will have to set up a detailed outsourcing register, from which all significant and non-significant outsourcings can be identified.

With regard to the new provisions on notification requirements, it should be noted that these go back to the legal situation in 1998. The first regulation of outsourcing through the implementation of the Investment Services Directive by the 6th amendment to the German Banking Act (KWG) provided in § 25a para. 2 sentence 3 KWG a.F. an obligation for notification of intent and execution concerning significant outsourcing. At the request of financial industry associations, however, these notification obligations were abolished with effect from 1 November 2007 as being too burdensome and replaced by explicit regulation of BaFin's information rights. If requested by the BaFin in individual cases, this could still include corresponding notification obligations of individual companies. The FISG now re-establishes generally comprehensive notification obligations.

Special Account for the Third Country Reference

In the context of outsourcing to companies domiciled in a third country, institutions have to ensure contractually that a domestic authorised representative is appointed to whom notifications and deliveries can be made by BaFin. Here, it can likely be considered that the authorised representative is located at the company, which is outsourcing services to the outsourcing company.

Direct Rights of Instruction, Examination and Information

In addition, BaFin is provided with the authority to issue instructions directly to outsourcing companies. Furthermore, the authority shall be able to intervene vis-à-vis companies in Germany and abroad. The connecting factor for these intervention rights under supervisory law is that activities and processes are affected which are provided to a supervised company. Intervention rights abroad, especially vis-à-vis companies that do not belong to the group of the outsourcing company, are likely to be discussed on a case-by-case basis under aspects of conflict of administrative and international law. It is not to be expected that third countries will allow foreign administrative action in their own country without further ado.

The competences vis-à-vis outsourcing companies are far-reaching and intend to ensure that supervisory requirements are met along an increasingly fragmented value chain. For example, BaFin could instruct the outsourcing company to take certain measures to remedy specific violations, but also - regardless of a specific violation - instruct, for example, the development of sufficient expertise in the management or changes to the business organisation in the outsourcing company. However, the restrictions of the principle of proportionality, which must be observed in any state intervention, must also be taken into account here.

Furthermore, BaFin is provided with far-reaching examination and information rights vis-à-vis outsourcing companies, insofar as an institution or superordinate company has outsourced significant activities and processes within the meaning of Sect. 25b KWG or it is an outsourcing of internal security measures according to Sect. 25h par. 4 KWG or Sect. 6 par. 7 of the German Money Laundering Act (Geldwäschegesetz - GwG).

Possible Paradigm Shift

Particularly with regard to direct instruction, examination and information rights, the FISG goes considerably beyond the intervention rights to which BaFin is entitled under the current legal situation, especially under consideration of the relevant EBA guidelines for outsourcing. Supervision - also in outsourcing constellations - has so far mainly focused on the supervised outsourcing company. Through the contractual arrangement with the outsourcing company, the supervised entity has to ensure that BaFin can also exercise its examination and information rights along the outsourcing chain.

BaFin currently has no direct supervisory powers outside of the special audit right under Sect. 44 KWG. The FISG fundamentally changes this. In addition, the legal amendments will also focus much more on non-significant outsourcing than in the past. This must be taken into account when drafting the relevant contracts and has to be corrected with regard to existing outsourcing contracts.

It can perhaps even be said that there is a paradigm shift in the supervision of outsourcing, which leads to a number of follow-up questions:

• Will the ultimate responsibility for the activity to be performed still remain with the supervised company?
• What level of detail in the service descriptions and instruction rights will be required in future if BaFin shall also be able to exercise direct intervention rights vis-à-vis the outsourcing company?
• What differences will there be in the future between significant and non-significant outsourcing with regard to supervisory requirements - and what practical significance will this distinction, which can be structured by the institutions, still have in the future?

These and further questions can only be answered with legal certainty when a new administrative practice of BaFin and ECB develops in relation to the future legal situation. The next but one amendment to the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement - MaRisk) is expected to include additions and concretisations in this regard.

Commencement

The commencement of the outsourcing-related amendments to KWG, ZAG, KAGB and WpHG is regulated in stages by the FISG. The new obligations of the outsourcing companies, in particular to keep an outsourcing register, to make contractual adjustments as well as to notify intent, execution and changes of material outsourcing also in the context of the KWG, will come into force at the beginning of 2022. In contrast, the expanded supervisory competences of BaFin have already been valid since 1 July 2021. In addition, it must be taken into account that investment firms that, since the end of June, are supervised under the newly introduced Investment Firms Act ("WpIG") instead of under the KWG as before, must already now comply with the extended outsourcing-related obligations.

Need for Action

In view of the legal amendments, it is already necessary to take into account the probable need for adjustments when planning and structuring existing and new outsourcing relationships. Further, companies that have so far only been connected to their outsourcing company as a service provider must take into account the changes in supervisory practice and prepare themselves to be now a direct subject of supervision by BaFin and ECB. In addition, the potential impact of the digitisation-related Digital Operational Resilience Act ("DORA") should be considered, which will cover a sub-area of outsourcing and is expected to amend the new provisions of the FISG in the area of outsourcing again as part of an accompanying law to the regulation.