Wirecard – the harsh consequences for outsourcing in Germany

Background

On 26 October 2020, in response to the Wirecard scandal, the Federal Ministry of Finance and Justice and the Federal Ministry of Consumer Protection published a draft act, the Finanzmarktintegritätsstärkungsgesetz (FISG) to strengthen the integrity of the German financial markets.

Primarily, FISG comprises new measures and supervisory powers for the German regulator, BaFin, to intervene earlier and with enhanced powers where it suspects balance sheet fraud. It also strengthens the independence of auditors and introduces a 10-year rotation cycle for auditors.

Market reaction in Germany is, though, one of surprise that the FISG also includes substantially new and stricter requirements around outsourcing. These rules would affect the whole market including banks, investment firms and even asset managers.

I. Regulatory framework

Outsourcing requirements have been the subject of debate for some time and the approach of Brexit has become a catalyst for a wide variety of questions on this topic. The German market is still digesting the EBA Guidelines of February 2019, which have applied since September 2019 and under which existing outsourcings must be remediated by 31 December 2021. These were intended to harmonise the market and, in preparation for their introduction, BaFin has also published a revised version of the "Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement, MaRisk)", which, among other things, details outsourcing requirements in Germany. This consultation runs until 4 December 2020.

II. Planned new regulations

However, any hope of benefitting from a harmonised landscape was short lived: the FISG may introduce requirements that go far beyond the EBA guidelines and MaRisk. BaFin's extended supervisory powers in respect of outsourcing companies are accompanied by a number of other measures, such as strict fines.

1. Extension of the outsourcing definition

In contrast to the EBA guidelines and MaRisk, the FISG provides that

• the intention of a material outsourcing
• the conclusion of any outsourcing agreement (regardless of whether the outsourced service is categorised as material or non-material)
• any change in the categorisation as material and
• any other essential change to the agreement

must be reported to BaFin.

This would significantly expand the obligations around outsourcing and would also raise the question of how BaFin is expected to cope with the flood of notifications which it would receive. Additionally, it remains unclear why additional reporting obligations have been proposed only a short time after the introduction of an outsourcing register, to which the regulator has full access.

The proposed provision is also notable since a corresponding notification obligation existed a long time ago, albeit in a restricted form, in the first outsourcing circular of the former Federal Banking Commission (BAKred).

At the time, this obligation was deliberately not included in MaRisk as BaFin did not consider it added value. Even at that stage, it was recognised that the supervisory authority would face difficulty in reviewing all notifications it received.

2. Extended powers and direct instruction rights of BaFin

The draft FISG also stipulates that BaFin and, where appropriate, the Bundesbank may impose supervisory measures on outsourcing companies. They will have direct authority to instruct outsourcing service providers and, in case of doubt, may prohibit outsourcing. The new powers would, de facto, place service providers under the direct supervision of BaFin. This would constitute a completely new element in respect of outsourcing scenarios where, until now, supervisory powers have been contractually imposed on service providers and have arisen from the fact that, essentially, the service provided by the service provider was, in practical terms, a service of the regulated entity.

The extended powers and direct instruction rights of BaFin towards the outsourcing companies which are being proposed have raised many questions. In any event, they create substantial difficulties in relation to existing contractual arrangements which would very likely have to be amended in order to address the new situation.

The new approach, in particular, raises concerns when it comes to outsourcing into other countries, when BaFin makes use of its powers in relation to a service provider located outside Germany. The FISG is likely to conflict with the territoriality principle limiting the supervisory powers generally to their own country.

3. Outsourcing register

The draft bill also foresees keeping an outsourcing register in which all significant and insignificant outsourcing activities are to be recorded. However, it appears that the FISG does not provide for the possibility of a centralised register in the group, as provided for in the EBA guidelines.

4. Appointment of a representative

The appointment of a receiving agent in the case of a third country outsourcing may also cause additional costs, create additional bureaucracy and does not provide added value.

III. Conclusion

The proposed amendments to the various pieces of legislation go far beyond the resolutions and guidelines adopted at European level. Rather, they seem to contradict the goal of a level playing field pursued by the EBA guidelines.

Without elaborating on the question as to whether the new rules are a suitable and justified reaction to Wirecard, they are in any event unhelpful for the German (and also the European) market. The current draft will, hopefully, be further amended.

But it can be expected that the FISG with or without further amendments will come into force before the end of this year.