December 3, 2021

Volume XI, Number 337

German Federal Financial Supervisory Authority Publishes Guidance on the Regulatory Framework for Cloud Services

The German Federal Financial Supervisory Authority (“BaFin”) recently published an article that provides guidance on the regulatory framework for cloud computing. It is a follow-up to two circular letters: the Minimum Requirements for Risk Management (“MaRisk”), published in German in October 2017, and the Supervisory Requirements for IT in Financial Institutions (“BAIT”), published in German in November 2017, whose English version was released recently.

BaFin outlines the regulatory framework for cloud computing in this article. In particular, BaFin makes clear that supervised entities must refer to BAIT for general guidance. Furthermore, the requirements of section AT 9 MaRisk also apply if the cloud service constitutes a material outsourcing (“wesentliche Auslagerung”) within the meaning of section AT 9 MaRisk; whether a given cloud service does so must be evaluated on a case-by-case basis. If the cloud service constitutes a material outsourcing, supervised entities must comply with the supervisory requirements for outsourcing pursuant to Section 25b of the German Banking Act (Kreditwesengesetz, “KWG”) and with the more specific requirements of section AT 9 MaRisk.

BAIT requires supervised entities to perform a risk assessment prior to the procurement of cloud services.  Supervised entities are afforded flexibility in defining the nature and the scope of a risk assessment, and the results of the risk assessment must be taken into account in developing contractual arrangements between supervised entities and their cloud service providers.

If the procurement of cloud services constitutes a material outsourcing, BaFin makes clear that supervised entities, such as financial institutions and insurance companies, must secure unrestricted information and audit rights vis-à-vis their cloud service providers. These rights include access to the business premises, data centers, servers and employees of the cloud service provider. The same unrestricted rights must also be granted to BaFin in the outsourcing contract between the supervised entity and its cloud service provider, so that BaFin is able to monitor the outsourced cloud computing activities and processes, including by way of on-site inspection.

BaFin emphasizes that these rights of information and audit must be unrestricted: phased information and audit procedures would constitute a restriction and would not comply with the relevant regulatory requirements. Nor may the audit right be made dependent on a concept of commercial reasonableness.

BaFin plans to publish, over the course of this year, special guidance that will provide market participants with greater detail regarding the supervisory requirements for the use of cloud services. In the coming months it will also publish a circular specifying the supervisory requirements for insurance companies and pension funds.

© 2021 Covington & Burling LLP
National Law Review, Volume VIII, Number 166

About this Author

Burr Eckstut, Intellectual property attorney, Covington
Special Counsel

Burr Eckstut advises clients on strategic transactions involving the development and exploitation of technology and data, including joint ventures, IP licensing, and outsourcing. He also advises clients on intellectual property issues arising in mergers and acquisitions.

Mr. Eckstut has particular expertise in fintech, advising on legal matters arising with trading platforms and other financial market infrastructure, investment products, market and reference data, research, analytics, valuation, indexes and other benchmarks, and RegTech (regulatory technology)....

212 841 1112
Dr. Lars Lensdorf, IT attorney, Covington
Partner

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, digitalization/Industry 4.0, IT-related bank regulatory matters and data protection. Dr. Lensdorf's practice covers all types of IT and outsourcing agreements, all matters of digitalization and Industry 4.0, including online procurement platforms, IT compliance matters (including cybersecurity) as well as data protection. He also focuses on interfaces to other practice areas to the extent that IT-related matters are affected, e.g. regulatory requirements for banking and financial services...

49 69 768063 30