IT security & outsourced activities and processes according to MaRisk AT 9
In the case of larger institutions, which have to manage many types of outsourcing, this is done via central outsourcing management, which prepares an annual report on all material outsourced services and processes for the supervisory authority. BaFin also stipulates that institutions must ensure the implementation and further development of outsourcing management and corresponding control and monitoring processes. Ongoing documentation of outsourced activities and processes as well as coordination and review of risk management must also be ensured.
The services to be provided, auditing rights, powers to give instructions, and notice periods must be specified in a comprehensive outsourcing contract to formally ensure the continuity and quality of the outsourced processes. The contract must also include rules covering subcontracting, that is, cases where the service provider in turn hires a subcontractor to perform the services. Particular attention is paid to a possible reservation of approval rights and to the obligation to provide information along the entire supply chain up to the institution.