Cloud computing and cloud services - outsourcing to the "cloud"

Cloud computing plays an increasingly important role in the financial sector in the course of advancing digitization. When using cloud services, the supervised institutions must comply with the regulatory requirements for outsourcing. Reason enough for PayTechLaw to briefly present some important aspects of the framework conditions that apply for this. At this point it should be said that there are still some uncertainties in practice when applying the regulatory requirements. But there is a glimmer of hope - read on!

What is cloud computing?

The European Banking Authority (EBA for short) defines "cloud services" or "cloud computing" in its recommendations for outsourcing to cloud providers as follows:

Services that are provided with the help of cloud computing, i.e. a model that enables location-independent, convenient and demand-driven network access to a shared pool of configurable computing resources (such as networks, servers, storage, applications and services) that can be provisioned and released rapidly and with minimal administrative effort or service provider interaction.

Further information on cloud computing can be found e.g. at the Federal Office for Information Security.

Regulatory framework

The use of cloud services by supervised payment service providers and e-money issuers will regularly represent outsourcing in the regulatory sense.

The regulatory requirements applicable to significant outsourcing are essentially set out in AT 9 of the BaFin Circular "Minimum Requirements for Risk Management" (MaRisk). In its circular "Banking Supervisory Requirements for IT" (BAIT), BaFin makes clear under II. 8., margin no. 52, that the aforementioned requirements must also be observed when using cloud services.

In addition, since July 1, 2018, when using cloud services, the recommendations of the EBA on outsourcing to cloud providers, or EBA recommendations for short (see above), must be observed.

MaRisk, BAIT and the EBA recommendations only apply directly to credit institutions and financial services institutions. In practice, however, it can be assumed that BaFin also expects payment institutions and e-money institutions to orient themselves towards the aforementioned regulatory framework when using cloud services.

The regulatory framework generally applies regardless of whether the cloud services used are a public cloud, a private cloud, a community cloud or a hybrid cloud (cf. for the definition of the aforementioned terms, section 2, margin no. 3 of the EBA recommendations).

Materiality assessment

Supervised institutions that want to use cloud services must check before outsourcing whether the intended use of the cloud services constitutes a significant outsourcing from a risk perspective. This assessment is to be carried out taking into account the criteria listed in Section 4.1 of the EBA recommendations.

Requirements for outsourcing contracts

If the use of the cloud service involves significant outsourcing, the outsourcing contract concluded with the cloud provider must include the regulations specified in AT 9 items 7 and 8 of the MaRisk. According to this, the following agreements in particular must be made within the framework of the outsourcing contract:

  • Specification and, if necessary, delimitation of the service to be provided by the cloud provider;
  • Determination of appropriate information and audit rights for the internal auditors and external auditors of the institution;
  • Determination of unrestricted information and audit rights for the responsible supervisory authorities (in particular BaFin);
  • Rights of instruction for the institution;
  • Data protection regulations and regulations on other security requirements;
  • Regulations for the outsourcing of activities by the cloud provider to subcontractors.

In particular, when implementing the regulatory requirements regarding the information and audit rights of the institutions and the responsible supervisory authorities in outsourcing agreements, discussions with cloud providers (especially those based in a country outside the European Economic Area) regularly arise.

Information and audit rights for the institutions

The information and audit rights of the institutions, and of the auditors commissioned by the institutions, vis-à-vis the cloud provider must not be restricted in principle. In particular, on-site inspections must be possible. A contractual obligation of the institutions to rely initially on standardized audit reports from the cloud provider would inadmissibly restrict the institutions' information and audit rights.

However, BaFin and the EBA allow certain simplifications with regard to how audits are actually carried out by the outsourcing institution. The outsourcing institution does not necessarily have to use its own audit resources. BaFin and the EBA consider so-called "pooled audits" to be permissible, in which a joint audit is carried out on behalf of several customers of the cloud provider by one of those customers or by a third party commissioned by them. In addition, under certain conditions, certification of the cloud provider by a recognized certifier, or external or internal audit reports provided by the cloud provider, may be sufficient as an audit procedure.

Information and audit rights for the supervisory authority

The outsourcing institution must contractually agree with the cloud provider that the supervisory authorities have unrestricted information and audit rights with regard to the outsourced activities and processes. In particular, this also includes the option of on-site inspections.

Obligation to notify the intention of a significant outsourcing to cloud providers

Institutions must notify the competent supervisory authorities of their intention to outsource significant services to cloud providers. For payment institutions and e-money institutions, this follows from Section 26 (2) of the Payment Services Supervision Act (ZAG). A corresponding notification obligation for credit institutions can be found in Section 4.2 of the EBA recommendations.

Uncertainties in the application of the regulatory requirements - the glimmer of hope

The regulatory requirements for the use of cloud services are currently still unclear on some points. However, there is a glimmer of hope that these uncertainties will be resolved in the foreseeable future. BaFin has announced that it will publish a special guide in the course of this year informing institutions in detail about the regulatory requirements for the use of cloud services. It remains to be seen what it will contain. In any case, PayTechLaw will keep you informed.