Outsourcing Policy

An outsourcing policy under MaRisk AT

9 must include: Strategic principles for outsourcing decisions, criteria for distinguishing material from non-material outsourcing arrangements (materiality criteria), risk analysis requirements prior to each outsourcing, governance structure with clear roles and responsibilities including an outsourcing officer, minimum contractual requirements per KWG 25b, specifications for the outsourcing register and processes for ongoing monitoring and annual reporting to the management board.

Under MaRisk AT 9, an outsourcing arrangement is material when the outsourced activity could significantly impair the institution's financial position, business strategy or regulatory compliance if it fails or is performed inadequately. Material outsourcings are subject to stricter requirements: comprehensive risk analysis, detailed contracts with audit and access rights, mandatory notification to BaFin via the MVP portal since

2023 and ongoing monitoring. Non-material outsourcings require simplified risk analysis and documentation but must still be recorded in the outsourcing register.

BaFin supervises compliance with outsourcing requirements by credit institutions and financial service providers. Specifically, BaFin requires: A documented outsourcing policy as part of risk management, notification of material outsourcing arrangements via the MVP portal (mandatory since 01.01.2023 under FISG), a current outsourcing register covering all material and non-material outsourcings, annual reports to the management board on all material outsourcing arrangements. BaFin reviews the adequacy of outsourcing management during special examinations and annual audits (Section

44 KWG).

Under MaRisk, outsourcing exists when another company is tasked with performing activities and processes related to banking business, financial services or other institution-typical services that the institution would otherwise perform itself. Third-party procurement (sonstiger Fremdbezug) covers services that do not constitute banking business and do not replace institution-typical activities, such as facility cleaning or catering. This distinction is critical because only outsourcing arrangements are subject to the strict MaRisk AT

9 requirements.

Since January 2025, the Digital Operational Resilience Act (DORA) supplements MaRisk requirements for ICT services. DORA additionally requires: An ICT third-party register (Register of Information), stricter requirements for ICT providers with critical functions, incident reporting within

4 hours for major ICT incidents, regular Threat-Led Penetration Tests (TLPT) and exit strategies for critical ICT outsourcings. Institutions must extend their outsourcing policy with DORA-specific provisions and manage the parallel governance of MaRisk outsourcings and DORA ICT third-party arrangements.

The outsourcing register is a mandatory document under MaRisk AT 9. It must contain: Description of the outsourced activity and its criticality classification, name and location of the outsourcing provider, contract duration and termination periods, risk analysis results, information on sub-outsourcing arrangements, assignment to the responsible outsourcing officer. Since the 6th MaRisk amendment, the register must cover both material and non-material outsourcings and be kept up to date. For ICT outsourcings, DORA additionally requires a separate Register of Information.

ADVISORI supports banks and financial institutions in developing and implementing a MaRisk-compliant outsourcing policy: Gap analysis of the existing policy against MaRisk AT 9, KWG 25b, EBA Guidelines and DORA requirements, drafting or revision of the outsourcing policy with practical materiality criteria, setup of the outsourcing register and BaFin notification processes, implementation of governance structures and monitoring processes, training of relevant departments and alignment with internal audit. Our approach combines regulatory compliance with operational efficiency.