The German Federal Financial Supervisory Authority (“BaFin”) recently published an article that provides guidance on the regulatory framework for cloud computing.  This is a follow-up to the circular letter Minimum Requirements for Risk Management (“MaRisk”), which was published in German in October 2017 and the circular letter Supervisory Requirements for IT in Financial Institutions (“BAIT”), which was published in German in November 2017, with its English version released recently.

BaFin outlines the regulatory framework for cloud computing in this article.  In particular, BaFin makes clear that supervised entities must refer to BAIT for general guidance.  Furthermore, it is stated that the requirements of section AT 9 MaRisk also apply if the cloud service is a material outsourcing (“wesentliche Auslagerung”) in the meaning of section AT 9 MaRisk.  If this is the case, the cloud service is required to be evaluated on a case-by case basis.  If the cloud service constitutes a material outsourcing, supervised entities must comply with the supervisory requirements for outsourcing pursuant to Section 25b of the German Banking Act and the more specific requirements of section AT 9 MaRisk.

BAIT requires supervised entities to perform a risk assessment prior to the procurement of cloud services.  Supervised entities are afforded flexibility in defining the nature and the scope of a risk assessment, and the results of the risk assessment must be taken into account in developing contractual arrangements between supervised entities and their cloud service providers.

If the procurement of cloud services constitutes a material outsourcing, BaFin makes clear that supervised entities, such as financial institutions and insurance companies, must ensure they have unrestricted information rights and audit rights with their cloud service providers.  These rights include the rights of access to the business premises, data centers, servers, and employees of the cloud service provider.  Such unrestricted rights must also be granted to BaFin via the outsourcing contract between the supervised entity and its cloud service provider, as a way to make sure BaFin would have the ability to monitor the outsourced cloud computing activities and processes.  BaFin also indicates that it plans to release more detailed guidance on the issue of cloud computing over the course of this year.

BaFin requires supervised entities to incorporate the information rights as well as the audit rights maintained by BaFin and the supervised entity into the contractual agreements between the supervised entities and cloud service providers.  BaFin would be granted the same level of rights, which would allow BaFin to monitor the outsourced services, including the option to perform on-site inspection.  BaFin emphasizes that such rights of information and audit must be unrestricted: phased information and audit procedures would constitute a restriction and would not be compliant with relevant regulatory requirements.  The audit right should also not be dependent on the concept of commercial reasonableness.

BaFin plans to publish special guidance that will provide market participants with greater details regarding the supervisory requirements related to the use of cloud services.  It will also publish a circular specifying the supervisory requirements for insurance companies and pension funds in the coming months.