In addition, BaFin explains the difference between two of its reporting procedures, named CASPER and SSM IMAS. Both are applications of the European Central Bank (ECB). Unlike the CASPER portal, the IMAS portal has been adapted for German companies so that the information requirements from the German Notification Regulation can also be taken into account in the IMAS form. Through IMAS, data is requested which the ECB requires for the supervision of significant institutions or groups of institutions. The BaFin MVP form, on the other hand, serves to implement the national notification requirement, which in turn implements the European Banking Authority (EBA) Guidelines on outsourcing arrangements (EBA/GL/2019/02).

A record of a notification is only created for the respective registered notifier, and each MVP registration is also only valid for one notifier at a time. The form cannot be viewed by external auditors on BaFin’s system, but after completing and submitting the form, the reporter can save the document locally for their own records and auditors.

Filling out instructions

With regard to the instructions for completion, BaFin announced that it intends to improve the user-friendliness of the MVP portal in the future.

It is possible that individual categories may not always be relevant for credit institutions or financial services institutions. This is because the categorization of outsourcing serves to analyze concentration risks and thus contains categories that are intended to cover all entities supervised by BaFin. In cases where a clear allocation does not appear possible, categories are to be selected that most accurately reflect the nature of the processes and activities to be outsourced. The category “Other” should only be used in exceptional cases.

In the case of intra-group and intra-network outsourcing, no exit processes or options for action need to be described within the meaning of AT 9 para. 15 lit. D Minimum Requirements for Risk Management (MaRisk) – only a risk assessment needs to be carried out.

With regard to section 3 (1) No. 4 KWG-AnzV, BaFin clarifies that not every new risk analysis must be disclosed by means of a notification of change – only aspects that have a material impact on business activities.

Notification of intention and execution

Even if the internal decision and the signing of the contract take place within a very short period of time (one to two weeks), a summarized notification is still not possible. This is to enable effective supervision at an early stage. This is precisely the purpose of a notification of intent and would come to nothing with a summarized notification.

The notification for execution is to be made when the outsourcing agreement has been legally concluded, even if there are still months or even years between the conclusion and the actual start of performance. This is taken into account by the fact that the start of the contract is queried during the second notification, and the supervisory authority is thus well aware that the service is not yet active.

For the notification of outsourcing that took place before January 1, 2022, the form for the execution notification is to be used.

No waiting period has to be observed between the notification of intent and the execution notification in order to give BaFin time to intervene. Only the deadlines for submitting the respective notification must be met.

The rule of the “domestic agent for service of process” does not apply in the case of German parties. On the other hand, such an agent is only to be identified if the outsourcing company has its registered office in a third country.

The indication of a possible replacement of an outsourcing company for credit institutions, whether or not resulting from any regulation, can be considered part of the official assessment for replacing a service provider, according to section 3 (1) No. 17 KWG-AnzV. There is no need for a literal implementation of the regulation.

In the event that cloud service providers offer different cloud service models, the cloud service model that is used in the context of the outsourcing should be indicated in the notification form.

In the event that multiple products are used that constitute a material outsourcing, there is no requirement to prepare individual reports per product. Rather, an outsourcing relationship between the products should be presented with the help of the form if the queried data are identical.

Deletion of submitted notifications from the database is not technically possible, however, a change notification can be filled in so that the submitted notification is no longer visible to the supervisor as an active outsourcing.

No execution notification is required for capital management companies, as the KAGB and the associated ordinance do not provide for any obligation to report the execution of an outsourcing.

With regard to insurance companies, section 47 No. 8 and No. 9 of the Insurance Supervision Act do not require any reporting of the execution of an outsourcing; it is only stipulated that in cases where an intention is refrained from, the non-execution is reported.

If an outsourcing has taken place before January 1, 2022, three notifications must be provided in principle. These are (1) the execution notification of the outsourcing contract with service provider A, (2) the change notification for the termination of the contract with service provider A, and (3) the intention notification for service provider B. Exceptions exist only for a notification of outsourcing from before January 1, 2022, with regard to which only the intention notification for service provider B is required.

Material changes

A material change within the meaning of the ordinance requires that it has or could have a significant impact on the company’s business activities. Such changes are always subject to notification and must be assessed on a case-by-case basis.

Incorrect information can be corrected by submitting an updated report in which the remaining fields can be left blank.

Although the termination of a sub-outsourcing is not part of the rule catalog, this is not to be regarded as conclusive, which is why, in such situations, the change in facts about the termination of the sub-outsourcing can be indicated under “Other.”

If several life insurers of a group outsource many functions to a group-internal company, and if this is subsequently further outsourced to an external company, each life insurer must first indicate the outsourcing to the group-internal company for its company and also must have already indicated in the form the further outsourcing to the external company.

In the case of currently pending mergers, BaFin can waive the notification of outsourcing for those institutions that are currently in the takeover process. Instead, however, the acquiring institution must then report the outsourcings taken over as new outsourcings in the form of execution notifications. In the case of future mergers, the acquired institution would have to indicate the termination of the outsourcing with a change notification, and the acquiring institution would have to indicate the acquired outsourcing. However, both situations should be coordinated with the supervisor beforehand.

A notification must always be submitted upon becoming aware of material changes and without delay.

If a notice of intent has already been given, but the intent no longer exists and no execution will occur, this will be indicated by the failure to give notice of execution. A separate notification of non-execution is only provided for under the ISA Notification Ordinance, as no notification of execution is to be made there in general.

If a service provider changes its name, a new name of the outsourcing company can be entered as part of an update notification.

All known reasons for change are to be reported within one notification instead of in several notifications.

Serious incidents

In order to solidify the term “serious incident,” BaFin has drafted a list of typical serious incidents as an aid and added it to the notification ordinances. A more far-reaching specification is not expected to be made, despite the undefined legal terms, since such terms were certainly intended and are not unusual in other ordinances.

The contact person in the event of queries from the supervisory authority regarding the reported incident is specified on the form.

Reports of serious operational and security incidents at payment service providers (PSD2 reports) must continue to be submitted exclusively via BaFin's MVP portal.

Subsequent notifications

Outsourcing that took place before January 1, 2022 is generally not subject to subsequent notification as the regulations do not provide for these obligations. However, all new material outsourcings that took place in 2022 – as well as material changes to existing material outsourcings of credit institutions – had to be post-notified with a deadline of January 3, 2023. A further extension of this deadline is also not anticipated as it already represented an exception for institutions, and other business areas had to react to the change in the submission channel at a much shorter notice.

If, in the case of stock transfers, it is no longer possible to reconstruct the date of a resolution, the date of the first contract can be recorded instead.

No subsequent notifications are required for products or services that were terminated prior to November 29, 2022.

For future reports, BaFin recommends reporting significant changes and serious incidents in outsourcing that have not yet been reported via the MVP individually, as a reference number then already exists in the company to which reference is made.

The notification of existing outsourcing is not mandatory, but in the event of a significant change within the scope of an existing outsourcing, this must be recorded via the MVP as soon as reasonably possible.

In the case of a subsequent notification, the notification of intent can be dispensed with as the execution notification to be submitted records all necessary information.

Portfolio question

BaFin justifies additional inquiries with the capital management companies on portfolio outsourcing arrangements by stating that with the help of these inquiries, existing outsourcing arrangements will have been comprehensively recorded by the companies concerned by June 30, 2023, and that an initial analysis can thus be carried out to identify concentration risks.

Credit institutions must therefore keep an additional outsourcing register since it comprises significantly more information than that on the notification requirement and thus complies with the EBA Guidelines on outsourcing arrangements. The outsourcing register must be kept, but must only be provided upon request of the respondent. It must list all active material and non-material outsourcing arrangements, which is the difference in the notification requirement, where, in contrast, only material outsourcing arrangements since January 1, 2022 are recorded.

The random sample survey by BaFin is necessary and should be applied after the subsequent notifications because the overview for the identification of risks pursued by the notification obligation cannot be achieved if evaluations always have to be relativized to the status after January 1, 2022. In addition, the purpose of the random checks is precisely to obtain information on the number of significant outsourcings in the institutions, which would not be recognizable without them.

In-depth 2023-093