The German Federal Financial Supervisory Authority (“BaFin”) recently published an article that provides guidance on the regulatory framework for cloud computing.  This is a follow-up to the circular letter Minimum Requirements for Risk Management (“MaRisk”), which was published in German in October 2017 and the circular letter Supervisory Requirements for IT in Financial Institutions (“BAIT”), which was published in German in November 2017, with its English version released recently.

BaFin outlines the regulatory framework for cloud computing in this article.  In particular, BaFin makes clear that supervised entities must refer to BAIT for general guidance.  Furthermore, BaFin states that the requirements of section AT 9 MaRisk also apply if the cloud service is a material outsourcing (“wesentliche Auslagerung”) within the meaning of section AT 9 MaRisk.  Whether this is the case must be evaluated for each cloud service on a case-by-case basis.  If the cloud service constitutes a material outsourcing, supervised entities must comply with the supervisory requirements for outsourcing pursuant to Section 25b of the German Banking Act and the more specific requirements of section AT 9 MaRisk.

BAIT requires supervised entities to perform a risk assessment prior to the procurement of cloud services.  Supervised entities are afforded flexibility in defining the nature and the scope of a risk assessment, and the results of the risk assessment must be taken into account in developing contractual arrangements between supervised entities and their cloud service providers.

If the procurement of cloud services constitutes a material outsourcing, BaFin makes clear that supervised entities, such as financial institutions and insurance companies, must ensure they have unrestricted information rights and audit rights with their cloud service providers.  These rights include the rights of access to the business premises, data centers, servers, and employees of the cloud service provider.  Such unrestricted rights must also be granted to BaFin via the outsourcing contract between the supervised entity and its cloud service provider, as a way to make sure BaFin would have the ability to monitor the outsourced cloud computing activities and processes.  BaFin also indicates that it plans to release more detailed guidance on the issue of cloud computing over the course of this year.

BaFin requires supervised entities to incorporate the information rights as well as the audit rights maintained by BaFin and the supervised entity into the contractual agreements between the supervised entities and cloud service providers.  BaFin would be granted the same level of rights, which would allow BaFin to monitor the outsourced services, including the option to perform on-site inspection.  BaFin emphasizes that such rights of information and audit must be unrestricted: phased information and audit procedures would constitute a restriction and would not be compliant with relevant regulatory requirements.  The audit right should also not be dependent on the concept of commercial reasonableness.

BaFin plans to publish special guidance that will provide market participants with greater details regarding the supervisory requirements related to the use of cloud services.  It will also publish a circular specifying the supervisory requirements for insurance companies and pension funds in the coming months.

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, digitalization/industry 4.0, IT-related bank regulatory matters and data protection. Dr. Lensdorf’s practice covers all types of IT and outsourcing agreements, all matters of digitalization and industry 4.0, including online procurement platforms, IT-compliance matters (including cybersecurity) as well as data protection.

Furthermore, he also focuses on interfaces to other practice areas to the extent that IT-related matters are affected, e.g. regulatory requirements for banking and financial services as well as public procurement law. A significant part of Dr. Lensdorf’s practice is currently advice in connection with the implementation of the GDPR (data protection) in Europe.