2022-06-22

Regulation on Outsourcing for Credit Institutions and Similar Entities

The Danish Financial Supervisory Authority issued this regulation to establish comprehensive rules for outsourcing activities by credit institutions, payment institutions, and other financial entities. It mandates rigorous risk assessments, strict governance frameworks, and detailed contractual requirements, particularly for critical or important outsourcing arrangements. The document further outlines obligations regarding data protection, exit strategies, and supervisory access to ensure operational resilience and regulatory compliance.


Regulation on Outsourcing for Credit Institutions and Similar Entities

Pursuant to Section 72a, Paragraph 3, and Section 373, Paragraph 4, of the Act on Financial Business, cf. Statutory Order No. 406 of 29 March 2022, Section 62, Paragraph 3, Section 180(i), and Section 255, Paragraph 1, of the Act on Capital Markets, cf. Statutory Order No. 2014 of 1 November 2021, as amended by Section 4 of Act No. 2382 of 14 December 2021, Section 39, Paragraph 4, and Section 152, Paragraph 7, of the Act on Payments, cf. Statutory Order No. 2710 of 7 December 2021, and Section 5, Paragraph 2, and Section 14, Paragraph 2, of the Act on a Ship Financing Institute, cf. Statutory Order No. 646 of 18 May 2022, the following is enacted:

Chapter 1 Scope of Application etc.

Section 1. This Regulation applies to the following businesses when the business makes use of outsourcing:

  1. Credit institutions.
  2. Mortgage credit institutions.
  3. Savings institutions.
  4. Joint data centres.
  5. E-money institutions.
  6. Payment institutions.
  7. Danmarks Skibskredit A/S.

Paragraph 2. The Regulation also applies, with the necessary adaptations, to the businesses mentioned in Paragraph 1, Nos. 1-3 and 7, at sub-consolidated and consolidated level. Parent companies covered by Paragraph 1 must ensure that the use of outsourcing by the company and by its subsidiaries covered by Paragraph 1, Nos. 1-3 and 7, is consistent, well integrated, and appropriate at all levels of the group.

Paragraph 3. The provisions of this Regulation also apply to IT operators of retail payment systems, insofar as the outsourcing relates to the operation of retail payment systems to which their authorization relates.

Paragraph 4. The provisions of this Regulation do not apply to outsourcing regulated by other rules in the financial sector.

Section 2. The outsourcing company must meet the requirements of this Regulation in a manner proportionate to the company's risk profile, business model, size, the complexity of its activities, and its structure. For each individual outsourcing, the outsourcing company must take into account:

  1. the complexity of the outsourced process, service, or activity,
  2. the risks associated with the relevant outsourcing,
  3. how critical or important the outsourced process, service, or activity is, and
  4. the potential impact that the relevant outsourcing may have on the company's operations.

Chapter 2 Definition of Outsourcing

Section 3. Outsourcing comprises any form of arrangement between a company and a supplier, according to which the supplier performs a process, a service, or an activity that the outsourcing company would otherwise perform itself.

Paragraph 2. In assessing whether an arrangement constitutes outsourcing, the outsourcing company must consider whether the processes, services, or activities, or parts thereof, are performed repeatedly or continuously by the supplier. The outsourcing company must also consider whether the processes, services, or activities, or parts thereof, would normally fall within the scope of what the outsourcing company realistically performs or could perform itself. The second sentence applies even where the outsourcing company has not previously performed these processes, services, or activities itself.

Paragraph 3. If an arrangement with a supplier involves multiple processes, services, or activities, the outsourcing company must include all aspects of the arrangement in its assessment.

Paragraph 4. The following do not constitute outsourcing:

  1. A process, service, or activity that the company is required by legislation to have performed by a supplier, including statutory audit.
  2. Use of market information services.
  3. Global payment network infrastructures.
  4. Clearing and settlement arrangements between clearing houses, central counterparties, and settlement institutions and their members.
  5. Correspondent banking services.
  6. Purchase of services, goods, or supplies that would not normally be performed by the outsourcing company.

Critical or Important Outsourcing

Section 4. Outsourcing shall be considered critical or important outsourcing if an error or deficiency in its performance would significantly impair the outsourcing company's:

  1. ability to comply with the conditions of its authorization,
  2. financial results, or
  3. ability to carry out its activities on a sound basis.

Paragraph 2. For joint data centres, outsourcing of IT tasks performed for financial businesses shall be considered critical or important outsourcing if an error or deficiency in its performance would significantly impair the financial businesses':

  1. ability to comply with the conditions of their authorizations,
  2. financial results, or
  3. ability to carry out their activities on a sound basis.

Paragraph 3. Outsourcing of authorized activities is critical or important outsourcing.

Paragraph 4. Outsourcing of operational tasks in internal control functions shall be considered critical or important outsourcing, unless the failure or inadequate performance of the outsourced processes, services, or activities would not adversely affect the effectiveness of the internal control function.

Paragraph 5. The outsourcing company must reassess whether an outsourced process, service, or activity is critical or important whenever the risk or scope of the process, service, or activity has changed significantly.

Section 5. The outsourcing company must include the result of the risk assessment, cf. Section 19, in the assessment of whether there is critical or important outsourcing. The outsourcing company must additionally take into account at least the following:

  1. Whether the outsourcing is directly connected to the delivery of the activities that the outsourcing company is authorized to perform.
  2. The possible consequences of any interruption of the outsourced process, service, or activity, or the supplier's inability to deliver the agreed deliverables continuously at the agreed service level in relation to: a) short- and long-term economic resilience and viability, b) business continuity and operational robustness, c) operational risks, d) reputational risks, or e) any recovery and resolution planning, resolution options, and operational continuity in connection with early intervention, recovery, or resolution.
  3. The potential consequences of outsourcing for the outsourcing company's ability to: a) identify, manage, and monitor all risks, b) comply with all legislative requirements, or c) perform audits of the outsourced process, service, or activity.
  4. The potential impact on services to the outsourcing company's customers.
  5. All other outsourcing, the outsourcing company's total exposure to the same supplier, and the potential total effect of outsourcing within the same business area.
  6. The size and complexity of the affected business areas.
  7. The possibility that outsourcing can be expanded without replacing or revising the underlying contract.
  8. The possibility of transferring the outsourcing to another supplier.
  9. The possibility of reintegrating the outsourced process, service, or activity into the outsourcing company.
  10. Data protection and the potential consequences of breaches of confidentiality or lack of security regarding data availability and data integrity for the outsourcing company and its customers.

Further Outsourcing

Section 6. Where a supplier further outsources critical or important outsourcing to a sub-supplier, the outsourcing company must ensure that there is a written contract between the supplier and the sub-supplier which obliges the sub-supplier to comply with applicable legislation, regulatory requirements, and contractual obligations.

Paragraph 2. The contract, cf. Paragraph 1, must give the outsourcing company, a third party appointed by the outsourcing company, and the Danish Financial Supervisory Authority the same rights of access and audit as set out in Section 21, Paragraphs 4 and 5.

Paragraph 3. The outsourcing company must terminate the outsourcing contract with the supplier, or the relevant parts thereof, or exercise its right to object to further outsourcing where such a right has been agreed, if the proposed further outsourcing or a change to existing further outsourcing would have significant negative effects on the critical or important outsourcing or would lead to a significant increase in risk, or if the contractual requirements established pursuant to Paragraphs 1 and 2 are not complied with.

Chapter 3 Management and Control of Outsourcing

Section 7. The outsourcing company must not, as a result of its use of outsourcing, become a legal entity with no activity of its own.

Paragraph 2. The outsourcing company must at all times fulfill all conditions of its authorization to conduct business.

Paragraph 3. The outsourcing company must, when using outsourcing, maintain good conduct in the exercise of business activities and the provision of services.

Section 8. The outsourcing company must, as part of its risk management and internal control, ensure that risks associated with outsourcing in all business areas are included in the outsourcing company's other risk management and internal control measures.

Paragraph 2. The outsourcing company must have sufficient competencies and resources to ensure adequate management, monitoring, and control of outsourcing.

Section 9. The outsourcing company must ensure that it effectively exercises its management powers in connection with outsourcing.

Paragraph 2. The outsourcing company must, when using outsourcing, take appropriate measures to ensure the adequate handling of personal data and other data processed by suppliers.

Paragraph 3. The outsourcing company must, in critical or important outsourcing, be able to perform at least one of the following actions within a reasonable timeframe:

  1. Transfer the process, service, or activity to one or more suppliers.
  2. Reintegrate the process, service, or activity into the outsourcing company.
  3. Cease the business activities that depend on the process, service, or activity.

Management's Tasks and Responsibilities

Section 10. The Board of Directors of the outsourcing company is responsible for ensuring that outsourcing is used in a sound and prudent manner in the outsourcing company.

Paragraph 2. The Board's responsibility and tasks cannot be outsourced.

Paragraph 3. The Board must monitor the Management's decisions and control of all risks associated with outsourcing.

Paragraph 4. The Board must approve, regularly review, and update a written outsourcing policy that meets the requirements in Annex 1. The Board must ensure that the policy is complied with in the outsourcing company.

Paragraph 5. The Board must, as part of the ongoing risk assessment, monitoring, and control, ensure that it periodically receives reporting on risks and any changes thereto, which are identified in connection with critical or important outsourcing, cf. Sections 19, 20, and 23.

Section 11. Before critical or important outsourcing contracts are entered into, the Board must lay down clear frameworks and conditions for such outsourcing and for the associated risks that the Board is willing to accept.

Paragraph 2. The Board's frameworks and conditions, cf. Paragraph 1, must be decided based on a prior analysis, which must at least include the requirements in Sections 4, 13, and 18-20.

Paragraph 3. If the outsourcing company is part of a group that uses a centralized prior assessment of outsourcing, the outsourcing company must receive the assessment and ensure that the outsourcing company's specific structure and risks are taken into account in the prior assessment.

Section 12. The Management of the outsourcing company must, within the frameworks established by the Board, cf. Sections 10 and 11, ensure that outsourcing is used in a sound and prudent manner in the company.

Paragraph 2. The Management must ensure that the responsibility for management, monitoring, and control, as well as documentation of all outsourcing, is clearly placed.

Paragraph 3. The Management must appoint an outsourcing manager, who is responsible for the management, monitoring, and control of outsourcing and for ensuring the documentation of outsourcing.

Paragraph 4. The Management may, within the frameworks and conditions set pursuant to Section 11, Paragraph 1, enter into outsourcing contracts with suppliers.

Paragraph 5. The Management must ensure that the Board is informed of changes to critical or important outsourcing and the potential consequences of these changes. The information must also be provided to outsourcing companies that are part of a group, where the monitoring is performed centrally, cf. Section 25.

Chapter 4 Conflicts of Interest

Section 13. The outsourcing company must continuously identify, assess, prevent, and remediate conflicts of interest that arise or may arise from the use of outsourcing.

Emergency Plans

Section 14. The outsourcing company must prepare, maintain, and regularly test emergency plans regarding critical or important outsourcing.

Paragraph 2. If the outsourcing company is part of a group, the outsourcing company may, with the necessary adaptations, instead use centrally established emergency plans for outsourcing.

Documentation Requirements

Section 15. The outsourcing company must document assessments and decisions that are necessary to comply with this Regulation.

Outsourcing Register

Section 16. The outsourcing company must maintain and continuously update a register with information about outsourcing in accordance with the requirements in Annex 2.

Paragraph 2. The outsourcing company must retain register entries for terminated outsourcing, and other documentation, for at least 5 years, unless otherwise provided by other legislation.

Paragraph 3. The outsourcing company must, upon request from the Danish Financial Supervisory Authority, without undue delay, provide information from the register in electronically readable form to the Danish Financial Supervisory Authority.

Paragraph 4. If the outsourcing company is part of a group, the outsourcing company may appoint a company in the group that maintains the register of the outsourcing company's outsourcing.

Paragraph 5. If the outsourcing company is part of a group that maintains a register of existing outsourcing, the companies in the group covered by this Regulation must, without undue delay, be able to obtain their individual register of outsourcing.

Exit Strategies

Section 17. The outsourcing company must, for critical or important outsourcing, have exit strategies that meet the requirements in Annex 4.

Paragraph 2. If the outsourcing company is part of a group where the exit plan for a critical or important outsourcing has been established at the group level, the outsourcing company must receive a summary of the exit plan and ensure that the plan can be executed effectively.

Chapter 5 Outsourcing of Authorized Processes, Services, or Activities

Section 18. Where the performance of processes, services, or activities requires authorizations, the outsourcing company must, prior to outsourcing, ensure that the supplier has the necessary authorizations.

Paragraph 2. If the supplier is established in a country other than Denmark within the European Union or in a country with which the Union has concluded an agreement in the financial sector, the outsourcing company must ensure that the supplier is registered and has authorization to provide the authorized activity from the home country's supervisory authority, or otherwise has authorization to perform the authorized activities in accordance with national legislation.

Paragraph 3. If the supplier is established in a country outside the European Union, with which the Union has not concluded an agreement in the financial sector, the outsourcing company must ensure that the following conditions are met:

  1. The supplier is registered or has authorization to provide the authorized activity and is subject to supervision in the home country.
  2. There is a cooperation agreement between the Danish Financial Supervisory Authority and the authorities supervising the supplier in the home country, which ensures that the Danish Financial Supervisory Authority has at least the following powers: a) The Danish Financial Supervisory Authority can, upon request, obtain necessary information to perform supervisory tasks in accordance with financial legislation. b) The Danish Financial Supervisory Authority can access all data, documents, premises, or employees in the supplier's home country that are relevant for the performance of its supervisory powers. c) The Danish Financial Supervisory Authority can receive information from supervisory authorities in the supplier's home country about possible breaches of financial legislation as quickly as possible. d) The Danish Financial Supervisory Authority can cooperate with supervisory authorities in the supplier's home country on enforcement in the event that the supplier violates relevant Danish regulatory requirements and Danish legislation.

Chapter 6 Risk Assessment in the Use of Outsourcing

Section 19. The outsourcing company must, before a decision on outsourcing or further outsourcing:

  1. assess the potential consequences for the outsourcing company's operational risks, and
  2. take necessary measures to limit operational risks associated with the outsourcing.

Paragraph 2. The assessment pursuant to Paragraph 1, No. 1, must at least include:

  1. An identification and classification of the relevant processes, services, or activities and related data and systems based on their sensitivity and required protection measures.
  2. A risk-based analysis of the processes, services, and activities and related data and systems in connection with the outsourcing.
  3. Assessments of the consequences of the supplier's location.
  4. Assessments of the political stability and security situation in the relevant jurisdictions.
  5. Definition and establishment of an appropriate protection level for data confidentiality, continuity of the outsourced activities, and integrity and traceability of the data and systems in connection with the intended outsourcing.
  6. Assessments of relevant security measures for data transfer, data processing, and data storage.
  7. Assessments of the significance of the supplier being, where applicable, a subsidiary or parent company of the outsourcing company.

Paragraph 3. The assessment must, where relevant, include scenarios of possible risk events.

Paragraph 4. The assessment must take into account the expected consequences of outsourcing, including at least the following:

  1. Concentration risks.
  2. The total risks resulting from outsourcing across the outsourcing company or in the total group.
  3. The risk that the outsourcing company may be forced to provide financial support to a distressed supplier or take over its business activities.
  4. The measures that must be implemented by the outsourcing company and the supplier to manage and reduce the risks.

Paragraph 5. The assessment must, if suppliers can further outsource critical or important outsourcing to sub-suppliers, take into account the following:

  1. The risks associated with further outsourcing.
  2. The risk that multiple sub-suppliers through further outsourcing may reduce the outsourcing company's ability to control critical or important outsourcing and the supervisory authorities' ability to effectively supervise critical or important outsourcing.

Paragraph 6. The assessment must take into account risks associated with the eventual termination of outsourcing, including risks associated with transferring the outsourced process, service, or activity to another supplier or reintegrating the process, service, or activity into the outsourcing company.

Prior Investigation

Section 20. An outsourcing company must, before a decision is made on the choice of supplier in outsourcing, conduct an investigation of the supplier.

Paragraph 2. The investigation must at least include an assessment of:

  1. The supplier's business model, company type, size, complexity, financial situation, ownership, and group structure.
  2. The long-term relationships with suppliers that have already been assessed and that perform services for the outsourcing company.
  3. Whether the supplier is affiliated with the outsourcing company.
  4. Whether the supplier is subject to supervision by the Danish Financial Supervisory Authority or another relevant authority.
  5. Whether the supplier can take appropriate technical and organizational measures to protect the outsourcing company's data, including personal data.
  6. Whether the supplier and any sub-suppliers act in accordance with the outsourcing company's values and code of conduct.

Chapter 7 Outsourcing Contract

Section 21. The outsourcing company must enter into a written outsourcing contract with the supplier, where the parties' rights and obligations are clearly stated.

Paragraph 2. The outsourcing contract must, for critical or important outsourcing, meet the requirements in Annex 3.

Paragraph 3. The outsourcing company must, in the outsourcing contract for outsourcing that is not critical or important, meet the requirements in Annex 3, No. 3.

Paragraph 4. The outsourcing company must, in the outsourcing contract for outsourcing that is not critical or important, based on a risk-based approach, ensure the right of access and audit as indicated in Paragraph 5 and Annex 3, No. 4.

Paragraph 5. The outsourcing company must, in critical or important outsourcing, ensure that the outsourcing contract or other contractual arrangements do not hinder or limit the actual exercise of the right of access and audit for the outsourcing company, the Danish Financial Supervisory Authority, Financial Stability, or a third party appointed by the outsourcing company to exercise these rights.

Paragraph 6. The outsourcing company must, in the outsourcing contract for outsourcing that is not critical or important, take into account that outsourced processes, services, and activities may become critical or important.

Chapter 8 Data Protection and IT-related Outsourcing

Section 22. The outsourcing company must, without prejudice to the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as subsequently amended, take into account differences in national provisions on data protection when outsourcing or further outsourcing data.

Paragraph 2. The outsourcing company must adopt a risk-based approach to data storage and data processing locations and information security considerations if outsourcing involves the processing or transmission of personal data or confidential data.

Paragraph 3. The outsourcing company must, where relevant, ensure that it is able to perform IT security tests to assess the effectiveness of measures against cyber, information, and communication technology risks.

Chapter 9 Monitoring and Control

Section 23. The outsourcing company must, based on a risk-based approach, continuously monitor, investigate, and control the supplier's work and perform audit reviews of the supplier.

Paragraph 2. The outsourcing company must, before a planned visit to a supplier, ensure that the outsourcing company, auditors, or third parties acting on behalf of the outsourcing company give the supplier reasonable notice.

Paragraph 3. The supplier shall not receive reasonable notice if this is not possible due to an emergency or crisis situation, or if the visit's...
