On 8 November 2018, the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) published a guidance notice on outsourcing to cloud providers. In the following article, we take a first look at the new rules, which also apply directly to payment institutions. Are cloud services full of “little fluffy clouds”?
“Cloud providers” promise that institutions can make significant savings regarding their IT resources by outsourcing all or some of their IT infrastructure needs, such as for processing power or storage, to “cloud services”. Cloud services have so far hardly been mentioned in the regulatory requirements of BaFin. In principle, they constitute a “normal” outsourcing to which the requirements of BaFin apply, such as those laid down in AT 9 of the “Minimum Requirements for Risk Management” (MaRisk) pursuant to the BaFin Circular 09/2017 (BA) of 27 October 2017 or in Part II No. 8, note 52 of the “Banking Supervision Requirements for IT” (BAIT) pursuant to BaFin Circular 10/2017 (BA) in the version of 14 September 2018. For payment institutions it was unsatisfactory that the previous requirements as stipulated in the MaRisk and the BAIT only applied directly to banks, even though in practice BaFin also used them as a benchmark to assess outsourcing under Section 26 of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, ZAG). In order to take into account the special nature of cloud services, the European Banking Authority (EBA) published recommendations on the use of cloud services (EBA/REC/2017/03) following a consultation procedure, the German version of which was published on 28 March 2018. For the implementation, BaFin has largely followed the EBA recommendation but it chose to adopt a practical approach which focuses on the concrete nature of the relevant agreement. We think this approach is highly welcome! It puts one in mind of the “Outsourcing Circular” (Rs. 11/2001 of 6 December 2001) and the model agreement published by BaFin at that time.
https://www.youtube.com/watch?v=CdMs7eqMvNg
(1991 – when “cloud” was still exclusively used to describe that phenomenon in the sky)
Definition of “cloud services” (Part II)
Both the EBA’s “recommendations” as well as BaFin’s “guidance notice” contain a definition of “cloud services”. They are defined as services that enable
…ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services)
…that can be rapidly provisioned and released with minimal management effort or service provider interaction.
As a rule, BaFin regards any use of cloud services as outsourcing.
Strategic considerations and materiality assessment (Parts II and IV)
In its “guidance notice”, BaFin first provides detailed information on the strategic points an institution should consider before deciding on a particular form of outsourcing. Content-wise, this is quite similar to the passages in Part II of the BAIT as well as the explanations of BaFin on AT 9 in the MaRisk. Without wanting to go into detail at this point, it can still be stated that going forward, the decision to use cloud services as well as the decision for or against a particular provider should be documented in sufficient detail to ensure that an auditor can understand what strategic considerations an institution made when taking the decision. Institutions that have already established a formalised decision-making process and which have a lot of practice with documenting such decisions should not have any major problems with this approach. However, we believe this may pose a challenge especially for payment institutions that have not yet abandoned their dynamic approach to this process, as a remnant from their start-up phase, or that do not want to do so.
Outsourcing object (Part V, No. 1)
BaFin emphasizes the importance of the agreement specifying the service that is to be rendered. This means that, in addition to the description of the actual technical services, the agreement must also include provisions regarding the support, responsibilities/obligations to cooperate, duration and, above all, service level agreements. From our experience we know that in practice, many agreements are inadequate in this regard: providers of cloud services seem to be afraid to commit themselves with respect to their services and, above all, to the quality of their service delivery. The outsourcing institutions, on the other hand, are confronted with the fact that it is not easy to comprehensively describe their own service requirements in a way that is clearly understandable for a third party, or to define processes and decision paths, or to determine the service levels that need to be met. The implementation and use of a cloud service can therefore quickly become much more complex, and thus more expensive, than expected. BaFin also – somewhat irritatingly – emphasizes how important it is that the location of the service provision, e.g. the location of the computer centre, is specified in the agreement. However, it is a key feature of cloud services that they can be used irrespective of the location (which BaFin understands, see Part II, definition of “cloud services”), but they can also be provided regardless of the location. On the whole, the BaFin requirements are similar to MaRisk in this regard, but phrased more strictly and clearly than before (cf. AT 9, para. 7 lit. a and para. 9).
Information and audit rights of the regulated entity (Part V, No. 2)
Any outsourcing must not restrict the ability of the respective institution to conduct audits. This principle is well known and is described in some detail in the guidance notice on cloud services. BaFin attaches particular importance to the fact that the audit rights may not be restricted by requirements which are contractually agreed with the cloud provider, e.g. if the parties try to link the right to conduct an on-site audit with certain prerequisites, or make it subject to time restrictions, or if an on-site audit is made dependent on the auditor’s prior participation in training courses. From a cloud provider’s point of view, this strict approach is made even more difficult to comply with by the fact that BaFin stresses that certificates and test reports on their own are not sufficient proof. Rather, a separate audit must always also be possible. In practice, this will likely cause some difficulty in the implementation, especially for large, international providers. Providers generally want to avoid “audit tourism” at all costs, as this in itself poses risks to security in general and also to other customers’ data. At the same time, by mentioning collective audits, BaFin indicates a way in which in particular payment institutions, which have not previously been able to rely directly on the MaRisk-regulated possibility of “pooled audits” (BT 2.1, para. 3), could get together with other institutions which are customers of the cloud provider, with the aim of a single auditor carrying out the audits. It is also stressed – in the “guidance notice” and in the MaRisk – that the possibility of on-site audits must be included in the entire outsourcing chain. The rules in the “guidance notice” are much more detailed than in the MaRisk, AT 9 para. 7 lit. c. In addition to the DIN/ISO 2700x standard already mentioned in the MaRisk, BaFin also lists the BSI’s Cloud Computing Compliance Controls Catalogue (C5). 
It remains to be seen whether in addition to this, other auditing standards and certificates, such as those of the CSA Cloud Security Alliance, will also prevail.
Information and audit rights of regulators (Part V, No. 3)
In addition to the auditing rights of the institution, the auditing rights of the supervisory authority must also be ensured. Furthermore, the principle applies that the supervisory authority must be able to audit the cloud provider in the same way as it can audit the institution it supervises. In this respect, too, BaFin clearly rejects any attempts by cloud providers to indirectly restrict the auditing rights or to attach conditions to them (see above). This is stricter than AT 9 para. 7 lit. b and c of the MaRisk.
Instruction rights (Part V, No. 4)
The institution has to agree with the cloud provider on the right to give instructions in order to ensure that all influence and control options are in place which are required to fulfil the agreed services. In principle, this right to give instructions is quite similar to the right of the “data controller” within the meaning of the EU General Data Protection Regulation (GDPR) to give instructions to its processor, cf. Art. 28 para. 3 lit. a GDPR. In both cases, cloud providers will only be able to adhere to this requirement if they carry out a strict and very extensive client separation, which, due to systemic limitations, seems unlikely at least with regard to public clouds. A new aspect is BaFin’s requirement that the relevant institution should have influence on the extent of evidence papers, certifications or audit reports if the cloud provider attempts to rely on them. It remains to be seen how this will be compatible with the highly standardised certification procedures and the “large-scale industrial” processes established by large cloud providers. It is likely that these requirements can only be effectively enforced by institutions with smaller providers. In principle, the institution may also conclude that it does not need to reserve any instruction rights. In this case, however, all services must be described in detail. Therefore, this approach is mostly appropriate for the use of highly standardised and rather low-risk cloud services. On the whole, it can again be observed here that the requirements are stricter than previously stipulated in the MaRisk, AT 9 para. 7 lit. d and AT 7.2, para. 2.
Data security/protection (information regarding the location of data storage) (Part V, No. 5)
It is no great surprise that BaFin expects the agreement with the cloud provider to contain provisions to ensure adherence with data protection rules and other security requirements. In addition to data protection requirements in accordance with the GDPR, this also includes measures regarding data security, reliability, redundancy and the export or return of data from the cloud provider to the institution or another provider. On the whole, these are hardly new points as they are stipulated in a similar but shorter form in AT 9 para. 6, and 7 lit. f and g of the MaRisk or they arise from the requirements of the GDPR. However, in the case of software-as-a-service and platform-as-a-service cloud services, exporting data can pose somewhat of a challenge. Depending on the software or platform, this may not be available anywhere else than from the cloud provider, and data must therefore first be converted, which can be time-consuming and expensive, before the data can continue to be used. BaFin’s insistence on specifying the location where the data is stored is hardly compatible with the original idea of cloud computing (“the internet is the computer”). Large providers in particular use a large number of ever expanding data centres located all over the world. Data is exchanged between these locations as needed. This means that a user’s data can today be stored in a data centre in Belgium, tomorrow in Vietnam, and the day after tomorrow in the USA. “The cloud” makes it possible for the user not to notice any of this. If a list of all locations was attached to an agreement, it would probably already be obsolete a few weeks after the agreement was executed. There are offers in the market that provide for a restriction to certain regions (e.g. “EURO” cloud, processing/storage takes place only within the EU) or even to a certain country (“German cloud”, processing/storage takes place only within Germany).
However, these offers are often more expensive and not available from all cloud providers. Here, choosing a smaller, national or EU-wide cloud provider could be a solution. One particular and separate question is how cloud providers which are based in the USA or whose (ultimate) parent company is based in the USA plan to ensure data security while complying with the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) dated 23 March 2018. The CLOUD Act allows US authorities to access all data on servers which are under the (ultimate) control of US companies, even if they are located abroad at a subsidiary of the company. This affects providers such as Microsoft, Amazon, Google and Oracle. The US law ignores any conflicting legal provisions, such as Art. 48 GDPR, which prohibits data transfers to third countries without relevant legal assistance agreements or requests for legal assistance. Even a “Euro cloud” or a “German cloud” does not protect against such access – only the use of a cloud provider with no US connection does. In principle, this should boost local or national providers, who are also unlikely to have any difficulties in naming their data centre locations.
Termination modalities (Part V, No. 6)
In analogy to MaRisk, BaFin emphasizes that in addition to termination rights and appropriate notice periods, which permit a proper transfer of the services, extraordinary termination rights also have to be stipulated in the agreement to allow the institution to terminate the agreement at short notice, for example if BaFin demands that the agreement is terminated. It is this obligation of the institution which necessitates the creation and maintenance of an exit strategy, since only then can such a termination right reasonably be exercised. Similar provisions can already be found today in MaRisk, AT 9 paras. 6 and 7 lit. f.
Sub-outsourcing (Part V, No. 7)
Equally well known are the guidelines on the possibilities and modalities of sub-outsourcing, i.e. the use of subcontractors by the cloud provider. These sub-outsourcings must ultimately be performed in a way to ensure continued compliance with all applicable regulatory requirements. Additionally, effects on the overall operational risk of the institution must be considered. On the whole, the guidance notice provides very few new aspects in comparison with MaRisk, AT 9, points 8 and 11, particularly as contractual data processing under the GDPR (Art. 28 paras. 2 and 4) contains very similar requirements.
Information obligations (Part V, No. 8)
The institution has to oblige the cloud provider to immediately inform the institution of any developments, disruptions and other circumstances that may affect the proper performance of the outsourced services – and of any measures taken or planned to remedy the situation. This provision is similar to MaRisk, AT 9 para. 7 lit. h. There is also some similarity to the notification obligations pursuant to Art. 33 GDPR in conjunction with Art. 28 para. 3 lit. f GDPR, according to which the processor has to support the data controller.
Information on the governing law (Part V, No. 9)
It is interesting to note that for reasons of legal certainty BaFin requires the parties to agree on German law or the law of a member state of the EU/EEA. Although freedom of contract applies in principle, it is reasonable to assume that the choice of a different governing law requires a risk assessment and will require further explanation in future. It is therefore advisable to document this risk assessment well.
It is also worth noting that the BaFin’s guidance notice does not contain any paragraph on contingency planning. BAIT, on the other hand, only recently, on 14 September 2018, had a whole section on this topic added, which, among other things, specifies AT 7.3 of the MaRisk. This may be due to the fact that the entire guidance notice is designed to ensure the availability of the processes and data that are outsourced to the cloud provider. It is nevertheless a remarkable fact, and it remains to be seen whether future amendments will close this gap, not least because Section 27 para. 1 No. 3 ZAG imposes a legal obligation on payment institutions to maintain contingency concepts. In the meantime, payment institutions would be well advised to continue looking towards MaRisk, AT 7.3 and BAIT when implementing this requirement.
On the whole, the content of the guidance notice is merely a consistent and, compared with before, more detailed explanation of how the already existing requirements from MaRisk, AT 9, and BAIT, Part II, paras. 52ff. are to be implemented. Even if the main focus is on cloud services, conclusions can still be drawn regarding other types of outsourcing. This will be of particular interest once the EBA’s current consultation procedure on outsourcing (EBA/CP/2018/11) has been concluded. These requirements will then apply to all regulated banks and payment institutions and include the current guidelines on cloud computing. So watch this space to see whether the supervisory authorities will take further steps towards clouds and what legal requirements they will impose on institutions in the future.
Cover picture: Copyright © fotolia / mchlskhrv