Will the Supply Chain Act be delayed?

Based on a motion by the Free State of Bavaria, the Bundesrat is discussing whether the Supply Chain Act should be postponed. The law was promulgated in the Federal Law Gazette on July 22, 2021, and has been in effect since January 1 of this year. It defines due diligence obligations along the supply chain for companies with headquarters or branch(es) in Germany that are intended to contribute to the observance of human rights. What is new in particular is that the responsibility of companies exists along the entire supply chain.

On December 13, 2022, Bavaria filed a motion to suspend the law. The reason given by the Bavarian Minister President is that German companies already demonstrate a high sense of responsibility, hence a shift in the binding requirements is conceivable in principle. Due to the current geopolitical situation and the impact of the COVID 19 pandemic, he said, companies are already severely challenged. The application of the Supply Chain Act provides an additional, high burden. In addition, the motion states that a detailing of the requirements in the form of legal ordinances and recommendations for action is still pending, but is necessary for the effective implementation of the requirements.

It is unclear to what extent the application has a chance of success. For example, the German Federal Ministry of Labor and Social Affairs states on its website about the law in its FAQ that “less than one fifth of enterprises with more than 500 employees based in Germany fulfilled their supply chain due diligence obligations. Voluntary commitments are therefore not enough.]”

The application is currently being discussed by the relevant committees.

You can find the application of the Free State of Bavaria here on the website of the Bundestag.
You can find more information about the Supply Chain Sourcing Obligations Act here on the website of the Federal Ministry of Labor and Social Affairs.

Source: © German Bundestag – bundestag.de

BaFin panel addresses cloud suboutsourcings

The topic of cloud outsourcing was addressed in several meetings of BaFin’s special expert panel on cloud outsourcing. The requirements for these constellations are derived from the EBA Guidelines on Outsourcing Agreements or AT 9 MaRisk and are criticized by the industry due to their complexity.

In concrete terms, according to statements by financial institutions, service providers sometimes use a large number of sub-service providers worldwide to cover a wide range of services and risks. In many of these deployments, ensuring transparency and evaluating the services are difficult. Currently, institutions often solve the problem by considering only those subcontractors that are considered to be significant.

BaFin proposes the following procedure in this context:

1. Contractually agree on clear criteria that make a subcontractor potentially significant. Examples include direct operating services, support services, and risk reduction services.
2. Report on Service provider’s on potentially significant subcontractors based on the criteria defined in 1. above.
3. Identification of actual significant sub-service providers by the institution based on the service provider’s report.
4. Regular risk analysis by the institution for new, changed and potentially significant sub-service providers.
5. Decision to commence, continue or adjust performance based on the results of the Institution’s risk analysis.
6. Inclusion of major sub-service providers in the outsourcing register.
7. Regular and unrestricted review, monitoring and reporting of significant sub-service providers by the institution.

The minutes of the meetings of the Special Expert Panel can be found here on the BaFin website.

Source: © German Federal Financial Supervisory Authority / www.bafin.de