Current regulations regarding outsourcing

Until now, the 5th MaRisk amendment (Minimum Requirements for Risk Management) and the BAIT (Supervisory Requirements for IT in Financial Institutions) have regulated the outsourcing of financial services. At the end of this year's third quarter, the new EBA Guidelines on outsourcing will come into force.

Figure 1: Current regulations regarding outsourcing

According to the MaRisk amendment, software for the identification, evaluation etc. of risks, or core banking systems, as well as their operation by third parties, is considered to be outsourcing. These outsourced activities need to be assessed in a risk analysis, both regularly and on an ad hoc basis, including consideration of risk concentration and the risk of further outsourcing. Consequently, well-founded knowledge has to be maintained within the bank in order to allow for qualified service control and smooth back-sourcing. Moreover, an exit strategy or emergency plan has to be defined.

The MaRisk amendment also has to be considered in contract design: the bank has to define the degree of poor performance it considers acceptable. Furthermore, other security requirements have to be agreed upon contractually. In addition, information and approval obligations for further outsourcing have to be determined.

Finally, a “central outsourcing management” has to be established depending on the type, extent and complexity of the outsourced activities. This outsourcing management is concerned with the implementation of control and monitoring processes as well as the thorough documentation of outsourcing and further relocation.

In conclusion, the most challenging aspect is the identification of the software concerned and the intensified risk analysis of that software. zeb supports banks' adherence to the regulatory requirements through certification of its software solution zeb.control in accordance with IDW PS 880.

Certification zeb.control

During the examination, external auditors gained detailed insight into the processes and the software. The re-certification of the zeb.control software covered the general development process and the software platform as well as the modules ALM, Trading and Credit. It confirmed the quality of the whole solution once again.

Figure 2: Process of the certification by external auditors

The examination was prepared by giving the auditors access to comprehensive records, such as the documentation of the zeb.control development process and the project records of selected product releases, including the complete test documentation, as well as the respective test environments for retesting the test cases.

The subjects of the examination were the development infrastructure and the development process of the zeb.control software. Moreover, general and specific functions of selected modules, and especially software security and documentation, were part of the examination. The provided records were examined to determine whether a qualified third party could independently understand the concepts and their execution. Additionally, the documented test cases within the software and the documentation were checked.

The examination resulted in an examination report and an attestation in accordance with the internationally recognized examination standard IDW PS 880, as well as a suggestion based on the documentation: “According to our assessment resulting from the insights gathered through the examination, the audited software product zeb.control – given an appropriate use – enables a processing corresponding to the regulatory requirements and adheres to the foregoing criteria.”

Hence, the zeb.control software was successfully re-certified in accordance with “IDW PS 880 – The Examination of Software Products”.