Due to the increasing importance of this topic, alongside growing uncertainty regarding the application of supervisory requirements in the financial sector, BaFin recently took some important steps to clarify and specify the regulatory framework for cloud computing.

Regulatory framework

If supervised entities choose to use cloud computing, they must comply with the relevant supervisory requirements for outsourcing.

The first step towards specification of the regulatory framework for cloud computing was publication of the circular "Supervisory Requirements for IT in Financial Institutions" (Bankaufsichtliche Anforderungen an die IT – BAIT) (see BaFinJournal November 2017 and January 2018 (only available in German)). The BAIT specify that AT 9 of the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk (only available in German)) also applies to the use of cloud services where this constitutes outsourcing of IT services. This means that supervised entities must comply with the supervisory requirements for outsourcing pursuant to section 25b of the German Banking Act (Kreditwesengesetz – KWG (only available in German)) in conjunction with AT 9 of the MaRisk to the extent necessary in each individual case.

In the coming months, BaFin will also publish a circular specifying its expectations towards insurance undertakings and pension funds. The Insurance Supervisory Requirements for IT (Versicherungsaufsichtlichen Anforderungen an die IT – VAIT) (only available in German) are currently the subject of a public consultation (see Expert article "IT security: BaFin specifies IT requirements for the insurance sector"). Like the BAIT, this circular specifies that insurance undertakings must comply with the relevant applicable supervisory requirements for outsourcing when using cloud services.

BaFin will also evaluate the extent to which changes are needed to the existing supervisory requirements for outsourcing.

Planned guidance

BaFin also plans to publish special guidance on the topic over the course of this year, particularly in light of discussions held with supervised entities, which have emphasised the need for a supervisory assessment of cloud computing. The guidance will provide the market with detailed information regarding the supervisory requirements related to the use of cloud services. With this additional step, BaFin intends to give companies greater certainty in applying the requirements under supervisory law.

Ahead of the publication of the guidance, this article addresses some key aspects of compliance with BaFin's unrestricted rights of information and audit and abilities to monitor in addition to the unrestricted rights of information and audit of the supervised entities.

Requirements under supervisory law

Supervised entities that intend to use cloud services must assess in advance the extent to which compliance with the supervisory requirements for outsourcing is required.

If this assessment reveals that, in terms of risk, the planned outsourcing constitutes material outsourced activities and processes, then the credit institutions must comply with sections 25a and 25b of the KWG in conjunction with AT 9 number 7 and 8 of the MaRisk in the contractual arrangements. In such cases, insurance undertakings must comply with Article 274(3) to (5) of the Delegated Regulation on Solvency II, section 32 of the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG (only available in German)) and margin no. 237 et seq. of the Minimum Requirements under Supervisory Law on the System of Governance of Insurance Undertakings (Mindestanforderungen an die Geschäftsorganisation von Versicherungsunternehmen – MaGO, see BaFinJournal February 2017 (only available in German)). These contain, in particular, regulations regarding suitable or unrestricted rights of information and audit.

Unrestricted rights of information and audit

Some supervised entities have submitted to BaFin drafts of outsourcing contracts involving the use of cloud services. These contracts related, for instance, to the use of computing power, storage and web applications.

The drafts submitted clearly show that in particular the rights of information and audit of BaFin and of the supervised entities have not been fully implemented in the contractual arrangements. However, it is particularly important that these rights are incorporated into the contracts since many providers of cloud solutions currently active on the financial market are domiciled in states outside of the European Union and European Economic Area. Even German providers of cloud services are not subject to BaFin's supervision, meaning the supervisory laws are not directly applicable to them. It is therefore only possible to enforce the supervisory provisions on the basis of corresponding contractual rights.

Rights of information and audit of credit institutions

Ensuring unrestricted rights of information and audit vis-à-vis cloud service providers through contractual arrangements is of key importance, particularly with regard to the IT security of institutions.

Outsourced activities and processes that are not regarded as material in terms of risk are subject to the general requirements relating to a proper business organisation pursuant to section 25a (1) of the KWG (see AT 9 number 3 of the MaRisk). If the outsourced cloud services are regarded as material outsourced activities and processes, then the outsourcing agreement must grant both the internal audit function and external auditors appropriate and unrestricted rights of information and audit (AT 4.4.3 number 7 of the MaRisk). Only through unrestricted access to the cloud providers, for example to their business premises, data centres, servers and employees, can supervised entities properly exercise their rights of information and audit. On-site inspections in particular are therefore indispensable.

No restriction of rights

The effective exercise of the rights of information and audit should not be impeded or limited by contractual arrangements. Phased information and audit procedures constitute such a restriction and do not comply with the requirements of the MaRisk or the recommendations of the European Banking Authority (EBA). If performing the audit is made dependent on the concept of commercial reasonableness, then this is also generally regarded as a restriction. In addition, a contractual obligation to first rely on standardised audit reports made available by the cloud providers also constitutes an impermissible restriction of the rights of information and audit.

The use of management consoles may be suitable for certain controls, such as for monitoring compliance with service level agreements in ongoing operations. However, it cannot replace audits by the internal audit function, since management consoles only allow access to information made available by the cloud provider. The internal audit functions of institutions, however, must be able to obtain additional information that is necessary for the audit.

Simplifications

In the case of material outsourced activities and processes, BaFin also accepts pooled audits in accordance with BT 2.1 number 3 of the MaRisk in order to render audits more efficient both for institutions and also for cloud service providers that work for several institutions. In such cases, the audit activity may be performed by the internal audit function of one or more of the outsourcing institutions or by a third party commissioned by these institutions provided that the audit activity complies with the requirements in AT 4.4 and BT 2 of the MaRisk.

In addition, in accordance with BT 2.1 number 3 of the MaRisk, an institution's audits may be performed by the internal audit function of the cloud provider or the institution may commission third parties to perform audits, provided that the audit activity conducted by the other auditors complies with the requirements in AT 4.4 and BT 2 of the MaRisk.

The outsourcing institution's internal audit function must, however, regularly verify compliance with the specified requirements. The audit findings that are relevant to the institution must be passed on to the internal audit function of the outsourcing institution.

This also corresponds to the EBA recommendations and decreases the organisational burden for both institutions and the cloud service provider. Pooling the audit resources of institutions also addresses the concerns of cloud service providers regarding "audit tourism".

Audit procedure

If an institution decides not to perform the audit itself or not to perform the audit alone, this must not result in a restriction of the institution's right of audit. The rights of information and audit of the internal audit function of the outsourcing institution must be granted in full through the outsourcing contract.

Mere provision by the cloud service provider of certifications or other evidence of compliance with recognised standards does not satisfy the right of information and audit of the outsourcing institution. The outsourcing institution must have the opportunity to influence the scope of the information and audit. This corresponds to the EBA recommendations, which specify corresponding requirements for access to the certifications and audit reports of the cloud service provider.

BaFin's rights of information and audit and ability to monitor

In addition, the outsourcing contract must ensure BaFin's unrestricted rights of information and audit and ability to monitor in relation to the outsourced activities and processes. In particular, BaFin's audits must not be dependent on whether they are commercially reasonable for the cloud service provider.

BaFin's ability to monitor the cloud service providers must be the same as its ability to supervise the supervised entities as provided for by law. This includes, in particular, the option to perform on-site inspections.

Rights of audit of insurance undertakings and BaFin's rights of audit

Insurance undertakings are also required to ensure through outsourcing contracts the unrestricted rights of information and audit and the ability to monitor of both the company and BaFin.

Whether a service relationship is considered to constitute outsourcing to a cloud service provider depends on which functions or insurance activities are intended to be outsourced. Not only functions and insurance activities that are regarded as important but also other activities must, pursuant to section 32 (1), (2) and (4) of the VAG, be subject to supervision. In accordance with margin no. 255 of the Minimum Requirements under Supervisory Law on the System of Governance of Insurance Undertakings (Aufsichtsrechtliche Mindestanforderungen an die Geschäftsorganisation von Versicherungsunternehmen – MaGo), the requirements of Article 274 of the Delegated Regulation on Solvency II must also be applied to other functions and insurance activities that are not regarded as important to the extent that these requirements are universal in nature.

The statements above regarding the restriction of rights of information and audit also apply here. In particular, if an insurance undertaking is contractually obliged to first rely on standardised audit reports made available by the cloud providers, this is usually regarded as a restriction. Phased information and audit procedures do not comply with the supervisory requirements for insurance undertakings. It is also considered a restriction if audits are dependent on the concept of commercial reasonableness.

BaFin is currently considering also allowing insurance undertakings to exercise certain rights of audit vis-à-vis cloud service providers through pooled audits together with other insurance companies. Here a distinction must be made between the granting of unrestricted rights of audit, in particular the option to perform on-site inspections, and the design of the audit procedure. Here too, the choice of audit procedure must not result in a restriction of the rights of audit.