Outsourcing and Internal-Audit Officers under KWG, MaRisk and VAG
Understand the regulatory requirements, duties, and liability of outsourcing and internal-audit officers under KWG, MaRisk, VAG, and DORA in Germany.
Key Takeaways
- The Digital Operational Resilience Act (DORA) became fully applicable on January 17, 2025, transforming ICT third-party risk management.
- Significant institutions under MaRisk AT 9 Tz. 12 must establish a central outsourcing management (ZAM) function to monitor risk.
- Under VAG Sections 30 and 32, German insurers must appoint key function holders for internal audit and outsourcing to ensure governance.
- Failure to comply with corporate officer appointments can lead to substantial personal and corporate fines under German regulatory law.
Introduction: The Regulatory Landscape for Corporate Officers under KWG, MaRisk and VAG
The regulatory landscape in Germany's financial and insurance sectors is among the most demanding in the world. Financial institutions and insurance companies operating in Germany face a complex framework of statutory requirements designed to maintain market stability, protect consumers, and safeguard digital infrastructure. Central to this framework is the strict oversight of operational risks, particularly those arising from the delegation of critical functions. To enforce compliance, the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, or BaFin) mandates the appointment of specialized compliance officers and risk specialists. Specifically, roles overseeing outsourcing and independent internal-audit functions have become highly regulated, requiring precise operational structures and clear lines of individual responsibility.
The Shift to Modern Third-Party Risk Management
Historically, outsourcing in the financial sector was viewed as a transactional procurement activity focused primarily on cost reduction. However, modern guidelines have transformed this perspective into an integrated model of Third-Party Risk Management (TPRM). The regulatory pillars under Section 25b of the German Banking Act (Kreditwesengesetz, or KWG), the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement, or MaRisk), and Section 32 of the German Insurance Supervision Act (Versicherungsaufsichtsgesetz, or VAG) demand a holistic approach. This shift is further accelerated by the Digital Operational Resilience Act (DORA), which reshapes ICT third-party risk management by placing stringent resilience and reporting obligations on financial entities and their external service providers[1].
These tightening standards place a heavy burden on managing directors and functional leads, who bear ultimate responsibility for any compliance failures. An ineffective governance structure can lead to severe operational disruptions, regulatory audits, and significant personal liability. Managing these complex structures is made easier through digital compliance management solutions such as the CIVAC platform, which assists with task tracking, mandatory training, and maintaining audit-ready documentation.
- German Banking Act (KWG) and MaRisk (AT 9 and BT 2): Set strict standards for outsourcing governance and process-independent internal-audit functions in banks and financial services providers.
- German Insurance Supervision Act (VAG): Establishes parallel but distinct compliance, key function, and internal audit requirements tailored specifically for the insurance industry.
- Digital Operational Resilience Act (DORA): Harmonizes ICT-related risk management across European financial markets, introducing direct oversight of critical third-party technology providers.
- Compliance Software Support: Digital tools like CIVAC Workspace help organizations coordinate these highly specialized roles, manage tasks, and maintain audit-proof documentation.
For international corporate groups with German operations, navigating these multi-layered national requirements alongside European regulations requires a highly systematic approach. Whether an organization decides to manage these complex duties through internal appointments supported by a SaaS platform like CIVAC Workspace or through external partners selected via CIVAC Externe Beauftragte, establishing a clear compliance path is critical. This guide provides a detailed operational breakdown of the required roles, qualification profiles, statutory responsibilities, and liability risks under KWG, MaRisk, and VAG, outlining how modern institutions achieve complete compliance.
The Outsourcing Officer under KWG and MaRisk: Mandates and Central Management
The regulatory framework for outsourcing in German financial institutions is anchored in Section 25b of the German Banking Act (Kreditwesengesetz - KWG) and the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement - MaRisk) AT 9. Under Section 25b KWG, the executive board of an institution retains ultimate responsibility for outsourced activities, meaning that liability and governance cannot be transferred to third-party vendors. To maintain proper oversight, institutions must implement rigorous risk analyses and ongoing monitoring systems for all outsourced processes.
The Mandate of the Central Outsourcing Officer and ZAM
To centralize the management of third-party risks, MaRisk AT 9 Tz. 12 mandates the appointment of a central outsourcing officer (Auslagerungsbeauftragter) and the establishment of a supporting central outsourcing management (Zentrales Auslagerungsmanagement - ZAM) unit. The central outsourcing officer must report directly to the executive board or be positioned in an organizational unit directly beneath it. This role serves as a vital control instance, collaborating with other risk management roles like the compliance officer to ensure all regulatory requirements are met across departmental borders.
- Conducting pre-outsourcing risk analyses to assess materiality and identify operational risks.
- Maintaining a centralized, up-to-date outsourcing register including all contractual parameters.
- Defining key performance indicators and service level agreements for continuous vendor monitoring.
- Coordinating reporting workflows and escalating critical performance issues directly to senior management.
- Ensuring comprehensive exit strategies are documented and testable for critical business processes.
How DORA Reshapes ICT Third-Party Risk Management
The regulatory environment undergoes a fundamental shift with the enforcement of the Digital Operational Resilience Act (DORA), active as of January 17, 2025. DORA introduces a unified European framework specifically targeting information and communication technology (ICT) third-party service providers. While traditional MaRisk AT 9 requirements continue to govern general business outsourcing, DORA overlays these rules with highly prescriptive mandates for digital infrastructure, cybersecurity, and operational resilience.
| Regulatory Element | Traditional MaRisk AT 9 | DORA ICT Framework |
|---|---|---|
| Focus Area | All material business activities and supporting operational processes | Information and communication technology (ICT) services and digital infrastructure |
| Register Requirements | Centralized institutional register covering all outsourcing agreements | Standardized Register of Information with strict templates for European regulators |
| Incident Reporting | Regular operational reporting to internal risk functions and BaFin | Mandatory, rapid notification of major ICT-related incidents to supervision authorities |
To maintain compliance with both MaRisk and DORA, many financial institutions utilize the CIVAC platform to track vendor relationships, manage internal tasks, and secure audit-ready documentation in a centralized workspace.
The Outsourcing Officer under Insurance Law: VAG Compliance and Key Functions
For insurance and reinsurance undertakings operating in Germany, the regulatory requirements for outsourcing are remarkably strict. Under Section 32 of the German Insurance Supervision Act (Versicherungsaufsichtsgesetz, VAG), any insurer that delegates functions or activities to external service providers must establish a clear governance framework to maintain continuous control. While the executive board bears the ultimate legal responsibility, supervisory expectations mandate the designation of a dedicated outsourcing officer or outsourcing manager. This regulatory role acts as the central pillar of operational governance, ensuring that external service providers do not compromise the insurer's financial stability, compliance, or policyholder interests.
Legal Basis and Scope: VAG Section 32 and MaGo
The statutory framework under VAG Section 32 is heavily influenced by the European Solvency II Directive and is further detailed by the Federal Financial Supervisory Authority (BaFin) in its circulars. Key among these are the Minimum Requirements under Supervisory Law on the System of Governance for Insurance Undertakings (Mindestanforderungen an das Risikomanagement in Versicherungsunternehmen, MaGo). Under these guidelines, insurers must distinguish between the outsourcing of ordinary tasks and the outsourcing of key or important functions. Critical areas such as risk management, compliance, actuarial functions, and internal audit are classified as key functions. If any of these core areas are outsourced, BaFin requires the appointment of a dedicated outsourcing manager who possesses the necessary authority to supervise the external service provider and coordinate regulatory communications.
Core Duties: Active Monitoring and Risk Management
- Conducting comprehensive pre-contractual due diligence and risk analysis to evaluate the capability and security standards of prospective service providers.
- Drafting, implementing, and regularly updating the insurer's internal written outsourcing policy (Ausgliederungsrichtlinie) in line with MaGo standards.
- Establishing performance-monitoring systems, including key performance indicators (KPIs) and service level agreements (SLAs), to track operational quality.
- Performing regular audits and on-site inspections at the service provider's offices to verify compliance with data security and regulatory guidelines.
- Providing the management board with structured risk reports detailing any operational deficiencies, contract deviations, or service disruptions.
- Serving as the primary point of contact for BaFin during regulatory inquiries and managing the mandatory reporting procedures for outsourcing arrangements.
Qualifications and the Fit and Proper Assessment
Because the outsourcing officer of a key function is classified as a responsible person under Section 47 number 1 of the VAG, they must satisfy rigorous qualification and integrity standards. According to BaFin Circular 11/2023 (VA) regarding fit and proper requirements, the individual must prove both personal reliability (Zuverlässigkeit) and professional fitness (fachliche Eignung). Professional fitness requires deep expertise in insurance operations, legal knowledge of VAG and MaGo frameworks, and practical experience in risk management or IT systems. Insurance undertakings must formally document this assessment and submit a notification to BaFin before the designated officer officially assumes their role. Neglecting this notification or appointing unqualified personnel can trigger severe regulatory interventions and administrative fines.
| Lifecycle Stage | Regulatory Action Required | Role of the Outsourcing Officer | BaFin Notification Trigger |
|---|---|---|---|
| Pre-contractual Phase | Conduct due diligence and risk analysis | Assess provider suitability, review security frameworks, and draft the service agreement | Formal notice must be submitted to BaFin prior to outsourcing any key function under VAG Section 47 number 8. |
| Contractual Drafting | Ensure audit and intervention rights | Ensure the contract grants extensive, unrestricted information and audit rights to both the insurer and BaFin | Submission of contract drafts or specific clauses to BaFin upon request for supervisory review. |
| Ongoing Supervision | Monitor SLA compliance and operational risk | Execute regular performance audits, review security updates, and maintain the central outsourcing register | Prompt notification is mandatory under VAG Section 47 number 9 in case of significant changes or serious incidents. |
Establishing a fully compliant outsourcing architecture requires seamless coordination across multiple supervisory domains. In practice, the duties of the outsourcing officer closely align with other critical internal roles, especially those of internal compliance officers who oversee multiple regulatory frameworks. Integrating these workflows ensures that regulatory risks are mapped cohesively. Leveraging a dedicated digital workspace like CIVAC Workspace, which is part of the comprehensive CIVAC platform, allows insurance groups to manage these complex responsibilities systematically, maintaining audit-ready documentation and centralizing provider assessments without administrative friction.
The Internal-Audit Officer: Ensuring Process-Independent Assurance under MaRisk and VAG
In the highly regulated German financial and insurance sectors, process-independent monitoring represents the final line of defense against systemic risks. Under the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement, MaRisk), specifically Module BT 2, for banks and Section 30 of the German Insurance Supervision Act (Versicherungsaufsichtsgesetz - VAG) for insurance companies, institutions must establish a fully independent internal audit function. This function must be led by a designated internal-audit officer or head of internal audit. Unlike operational risk management or day-to-day compliance teams, the internal-audit officer does not participate in any operational workflows. Instead, they provide objective, process-independent assurance directly to the management board regarding the adequacy and effectiveness of the institution's risk management, internal controls, and overall governance structures.
Core Legal Mandate and Appointment Requirements
The statutory requirement to appoint a head of internal audit stems from Section 25a Paragraph 1 Sentence 3 Number 3 of the German Banking Act (Kreditwesengesetz - KWG) for credit institutions and financial service providers, which is further operationalized by MaRisk Module BT 2. For the insurance sector, Section 30 VAG codifies the identical requirement to establish an independent internal audit function. In both sectors, appointing an internal-audit officer is a mandatory regulatory requirement that cannot be bypassed. The appointment must be formally documented, and the Federal Financial Supervisory Authority (BaFin) must be notified of the appointment as well as any subsequent revocation. The internal audit function must be organized in a way that avoids conflicts of interest, meaning the head of internal audit cannot simultaneously hold other key operational roles, such as the Compliance-Beauftragter, as this would compromise their independence.
Professional Qualifications and the Fit and Proper Standard
To be appointed, the internal-audit officer must meet strict regulatory qualification standards, commonly referred to as the Fit and Proper (Zuverlässigkeit und fachliche Eignung) requirements under KWG and VAG. Technically, the candidate must possess comprehensive theoretical and practical knowledge of banking or insurance operations, risk management frameworks, and modern auditing methodologies. This typically requires several years of professional experience within the financial services sector and specialized internal audit experience. Furthermore, the officer must undergo continuous professional training to keep up with evolving regulatory frameworks, such as the revised MaRisk guidelines[2]. To manage these demanding educational obligations and document training histories in an audit-proof manner, many financial institutions rely on specialized digital systems like the CIVAC Workspace to track ongoing professional development.
Duties, Reporting Lines, and Liability Exposure
The core responsibility of the internal-audit officer is to design, implement, and execute a comprehensive, risk-oriented audit plan covering all activities and processes of the institution, including outsourced services. This audit plan must be updated annually and approved by the management board. Importantly, the internal-audit officer has a direct reporting path to the management board, bypassing intermediate management layers, and must present a written audit report at least once a year. In terms of liability, while the management board retains ultimate responsibility for the institution's compliance, the internal-audit officer faces significant personal and regulatory exposure. Systemic failures to establish an independent audit function, or a failure to report critical deficiencies, can lead to severe personal administrative fines from BaFin under Section 56 KWG or Section 312 VAG. Managing these compliance tasks, maintaining clean audit trails, and supporting rigorous audit preparation require a secure, centralized system like the CIVAC Workspace to ensure that all documentation remains fully tamper-proof and accessible during regulatory inspections.
- Legal Basis: Section 25a Paragraph 1 KWG, MaRisk Module BT 2 for banking; Section 30 VAG for insurance companies.
- Core Objective: Providing process-independent, objective assurance to the management board regarding internal controls and risk management.
- Independence: Absolute separation from all operational business activities and direct reporting lines to the management board.
- Qualifications: Strict BaFin Fit and Proper requirements, including deep financial sector expertise and continuous professional training.
- Liability: High personal exposure to BaFin administrative fines for systemic audit failures or reporting omissions under Section 56 KWG and Section 312 VAG.
Enforcement, Liability, and Fine Exposure for Officers and Directors
Failing to establish proper central outsourcing management or neglecting internal audit obligations is not merely a technical oversight; it carries severe financial and legal consequences for financial institutions, insurance companies, and their management. Under Section 56 of the German Banking Act (Kreditwesengesetz, KWG) and the corresponding provisions of the German Insurance Supervision Act (Versicherungsaufsichtsgesetz, VAG), BaFin maintains broad enforcement powers. Regulatory authorities can issue direct administrative orders, temporarily prohibit outsourcing agreements, or impose hefty administrative fines of up to 100,000 EUR for individual violations, such as failing to comply with mandatory outsourcing reporting and management standards[3]. For systemic or organizational failures, corporate entities face much higher financial exposure, which is often calculated based on total annual revenues, presenting a significant threat to a firm's bottom line.
Executive Liability Under Section 130 of the German Act on Regulatory Offences
Crucially, liability does not stop at the corporate level. Under Section 130 of the German Act on Regulatory Offences (Gesetz über Ordnungswidrigkeiten, OWiG), managing directors, board members, and executive officers can be held personally liable for a breach of duty of supervision (Aufsichtspflichtverletzung). If an executive fails to implement appropriate supervisory measures, and this failure enables an employee or a third-party service provider to violate a regulatory duty, the executive can face substantial personal fines. Under § 130 OWiG, a negligent omission in establishing adequate internal control mechanisms can trigger personal regulatory fine exposure of up to one million euros, while also creating a path for civil damage claims against the management team.
To prevent personal liability under Section 130 OWiG, directors must prove that they took all reasonable organizational steps to prevent regulatory breaches. In the context of outsourcing (under KWG § 25b and VAG § 32) and process-independent oversight (under MaRisk BT 2 and VAG § 30), this requires implementing a seamless, multi-tiered supervisory framework. Board members cannot simply delegate duties and assume they are covered; instead, they must actively verify that their designated outsourcing officers and internal audit officers have the necessary skills, training, and resources to fulfill their oversight mandates.
| Regulatory Framework | Responsible Parties | Potential Enforcement Action | Key Compliance Focus |
|---|---|---|---|
| German Banking Act (KWG § 56) | Institutions and Managing Directors | Fines up to 100,000 EUR per violation, business activity limitations, or prohibition of outsourcing agreements | Proper central outsourcing management and reporting under MaRisk and DORA |
| German Insurance Supervision Act (VAG) | Insurance Companies and Board Members | Administrative orders, severe administrative fines, and loss of professional fitness (Fit and Proper status) | Oversight of key outsourced functions and independent internal audit operations |
| Act on Regulatory Offences (OWiG § 130) | Managing Directors and Executive Board Members | Personal fines of up to 1 million EUR for negligent breach of duty of supervision | Implementation of structured compliance monitoring and regular task documentation |
Reducing this regulatory and personal liability risk requires a structured approach to risk management and risk documentation. Directors can establish a robust liability shield by implementing process-independent assurance and maintaining a complete, audit-proof history of all compliance decisions, board reports, and task assignments. Relying on paper-based trails or manual spreadsheets is no longer sufficient under complex frameworks like MaRisk, VAG, and DORA. This structured documentation is essential for seamless audit preparation, enabling the internal audit officer to retrieve historical compliance data instantly. By leveraging solutions like the CIVAC Workspace, managing directors and compliance officers can securely document their supervisory activities, making it easy to prove compliance during any regulatory audit. Providing a continuous, automated paper trail in a secure digital environment remains the single most effective defense against supervisory negligence allegations.
Audit-Proof Officer Management and Sourcing with CIVAC
German financial institutions and insurance providers face intense pressure to prove that their outsourcing officers and internal audit heads are properly qualified and actively performing their statutory oversight. Under MaRisk AT 9, BaFin mandates that entities maintain a clear, continuous record of their outsourcing arrangements and designated responsible officers. To streamline these extensive documentation demands, organizations can utilize the CIVAC Workspace to centralize their task tracking, risk documentation, and compliance audits in a single, audit-proof interface. This digital platform simplifies complex regulatory workflows, enabling compliance managers to generate comprehensive reports for BaFin audits with minimal effort.
Secure Sourcing with CIVAC Externe Beauftragte
Appointing internal resources to specialized roles under the German Banking Act (Kreditwesengesetz - KWG) or Insurance Supervision Act (Versicherungsaufsichtsgesetz - VAG) can strain internal headcounts and lead to critical qualification gaps. To address this, organizations can securely outsource eligible corporate officer roles using CIVAC Externe Beauftragte. This managed service provides certified, external experts who are officially designated by name to manage compliance tasks, act as a liaison to supervisory authorities, and ensure that all outsourcing frameworks remain compliant with current EBA guidelines and BaFin requirements[4]. By partnering with qualified external specialists, internal compliance officers can focus on strategic governance while reducing operational risk.
Regulatory Audit-Readiness and Professional Training
A fundamental requirement under MaRisk BT 2 and VAG § 30 is the continuous education and verified professional reliability of internal-audit and outsourcing officers. To prevent severe fine exposure or regulatory objections, companies must provide verifiable evidence of regular professional development for these roles. CIVAC addresses this need directly by offering structured training management and automated certificate tracking. With these automated workflows and an integrated library of compliance templates, financial institutions can simplify their audit preparation and maintain constant regulatory readiness.
- Centralized Compliance Hub: A single platform to document tasks, appointments, and regulatory assessments across all mandatory officer roles.
- Certified External Expertise: Seamless appointment of pre-vetted specialists through CIVAC Externe Beauftragte to reduce internal recruitment burdens.
- Automated Qualification Tracking: Simplified logging of continuous professional education certificates required for MaRisk and VAG compliance.
- Audit-Proof Documentation: Instant generation of comprehensive compliance reports and historical audit trails for BaFin inspections.
Frequently Asked Questions
What is the legal basis for appointing an outsourcing officer under German banking law?
The appointment of an outsourcing officer is rooted in Section 25b of the German Banking Act (KWG) and further detailed in Module AT 9 of the Mindestanforderungen an das Risikomanagement (MaRisk). Significant institutions are explicitly required under AT 9 Tz. 12 to establish a central outsourcing management (ZAM) to supervise and control all outsourced activities.
How does DORA affect the role of the outsourcing officer?
The Digital Operational Resilience Act (DORA), applicable since January 17, 2025, introduces specific oversight rules for information and communication technology (ICT) third-party risks. ICT service relationships are governed by DORA Articles 28 to 30, which shift certain responsibilities from traditional MaRisk AT 9 outsourcing frameworks into a specialized ICT third-party risk management framework.
What are the rules for outsourcing officers in the insurance sector?
Under Section 32 of the German Insurance Supervision Act (VAG), insurance companies must establish an outsourcing monitoring system. If key functions are outsourced, the company must appoint an internal outsourcing officer to act as the primary contact and supervisor, ensuring BaFin is notified of the outsourcing arrangement.
What qualifications must a head of internal audit possess in Germany?
A head of internal audit must meet strict 'fit and proper' requirements. This includes professional qualification, such as deep knowledge of banking or insurance operations, audit methodologies, and relevant regulatory frameworks, alongside personal integrity and several years of leadership experience in auditing.
Can the internal audit function be completely outsourced?
Under MaRisk BT 2 and VAG Section 30, complete outsourcing of the internal audit function is restricted. According to recent MaRisk updates, full outsourcing of key control functions like compliance or internal audit is only permitted for very small institutions under strict conditions, while larger entities must retain internal control.
What are the liability risks for directors who fail to appoint these officers?
Managing directors face personal liability under Section 130 of the German Act on Regulatory Offences (OWiG) for organizational negligence. Failing to appoint required regulatory officers or establish proper supervision can lead to corporate fines of up to 10 million euros or personal administrative fines.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.