Cloud computing is playing an increasingly important role as digitalisation progresses, including in the financial sector. When using cloud services, regulated institutions must comply with the regulatory requirements regarding outsourcings. This is reason enough for PayTechLaw to briefly present some of the key aspects of the framework conditions applicable in this area. We should already mention at this point that in practice some uncertainties remain in respect of the application of the regulatory requirements. But there is a glimmer of hope – so it’s worth reading on!
What is cloud computing?
The European Banking Authority (EBA) defines “cloud services” or “cloud computing” in its Recommendations on outsourcing to cloud service providers as follows:
Services provided using cloud computing, that is, a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
You can find further information on cloud computing e.g. on the website of the Federal Office for Information Security.
The use of cloud services by regulated payment service providers and e-money issuers will regularly constitute outsourcing in the regulatory sense.
The regulatory requirements applicable to material outsourcings are essentially set out in AT 9 of the BaFin Circular on Minimum Requirements for Bank Risk Management (MaRisk) (current version of MaRisk only available in German). In its circular Supervisory Requirements for IT in Financial Institutions, BaFin clarifies under item II. 8, no. 52 that the aforementioned requirements must also be observed when using cloud services.
Additionally, since 1 July 2018, the EBA Recommendations on outsourcing to cloud service providers (see above) must be observed when using cloud services.
MaRisk, the circular on Supervisory Requirements for IT in Financial Institutions and the EBA recommendations apply directly only to credit institutions and financial services institutions. In practice, however, it can be assumed that BaFin also expects payment institutions and e-money institutions to adhere to the aforementioned regulatory framework when using cloud services.
The regulatory framework applies regardless of whether the cloud services used are a public cloud, a private cloud, a community cloud or a hybrid cloud (for the relevant definitions, please refer to Section 2, no. 3 of the EBA Recommendations).
Regulated institutions wishing to use cloud services must first check whether the intended use of cloud services amounts to a material outsourcing from a risk perspective. This review should be carried out taking into account in particular the criteria set out in Section 4.1 of the EBA Recommendations.
Requirements for outsourcing agreements
If the use of the cloud service amounts to a material outsourcing, the outsourcing agreement concluded with the respective cloud service provider must contain, among other things, the regulations listed in AT 9 para. 7 and 8 of the MaRisk. These include, in particular, the following:
- specifying and, if applicable, differentiating the services to be provided by the cloud service provider;
- determining appropriate information and auditing rights of the internal audit department as well as the external auditors of the institution;
- establishing unrestricted information and auditing rights for the competent supervisory authorities (in particular BaFin);
- if applicable, instruction rights for the institution;
- data protection regulations and regulations regarding other security requirements;
- regulations regarding the further outsourcing of activities by the cloud service provider to subcontractors.
It is to be expected that particularly the implementation of the regulatory requirements with regard to the information and auditing rights of the institutions and the competent supervisory authorities in the outsourcing agreements will regularly lead to discussions with cloud service providers (especially those domiciled in a country outside the European Economic Area).
Information and auditing rights of the institutions
The information and auditing rights of the institutions and of the auditors instructed by them at the cloud service provider’s premises may generally not be restricted. In particular, they must be able to carry out on-site inspections. A contractual obligation of the institutions to initially refer to standardised audit reports of the cloud service providers would constitute an inadmissible restriction on the information and auditing rights of the institutions.
However, BaFin and EBA allow certain simplifications with regard to the actual performance of such audits by the outsourcing institution. The outsourcing institution does not necessarily have to use its own auditing resources. BaFin and EBA regard audits within the framework of so-called “pooled audits” as permissible. In these cases, joint audits are carried out by several customers of the cloud service provider by one customer or by a third party commissioned by one of these customers. Additionally, under certain conditions, a certification of the cloud service provider by a recognised certifier and external or internal audit reports provided by the cloud service provider may be sufficient as the relevant audit procedures.
Information and auditing rights of supervisory bodies
The outsourcing institution must contractually agree with the cloud service provider unlimited information and auditing rights of the responsible supervisory authorities regarding the outsourced activities and processes. This includes, in particular, the possibility of on-site inspections.
Obligation to notify the intention of a material outsourcing to cloud service providers
Institutions have to notify the relevant regulatory authorities of their intention to outsource material services to cloud service providers. For payment institutions and e-money institutions this obligation is stipulated in § 26 sect. 2 of the Payment Services Supervision Law. In our opinion, a corresponding duty of disclosure for credit institutions can be found in Section 4.2 of the EBA Recommendations.
Uncertainties in the application of the regulatory requirements – the glimmer of hope
The regulatory requirements for the use of cloud services are still unclear in a number of aspects. However, there is a glimmer of hope that the uncertainties will be eliminated in the foreseeable future. BaFin has announced that it will publish a special orientation guide later this year which aims to inform institutions in detail about the regulatory requirements regarding the use of cloud services. We are curious to see what this will contain. PayTechLaw will keep you informed.
Titelbild / Cover picture: Copyright © fotolia