Within the framework of increasing digitalisation, supervisors must attach considerable importance to new IT technologies such as cloud computing. In this context, it is important that in particular supervised entities in the financial sector, in addition to supervisors, have an understanding of the relevant technical innovations so that they can assess the impact of these technologies on business models, capital adequacy and authorisation requirements. This is the only way to ensure that the specific risks involved in the use of new IT-based developments are given appropriate consideration in supervisory and regulatory practice.
With cloud computing, IT resources are operated by an external service provider rather than within a company. Cloud services are usually operated via a web-based system that is used dynamically. This provides users with an opportunity to save costs and make use of the external service provider’s technical expertise, generating increased interest in cloud computing solutions among companies.
If supervised entities choose to use cloud computing, they must comply with the relevant supervisory requirements for outsourcing.
The first step towards specification of the regulatory framework for cloud computing was publication of the circular “Supervisory Requirements for IT in Financial Institutions” (Bankaufsichtliche Anforderungen an die IT – BAIT) (see BaFinJournal November 2017 and January 2018 (only available in German)). The BAIT specify that AT 9 of the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk (only available in German)) also applies to the use of cloud services where this constitutes outsourcing of IT services. This means that supervised entities must comply with the supervisory requirements for outsourcing pursuant to section 25b of the German BankingAct (Kreditwesengesetz – KWG (only available in German)) in conjunction with AT 9 of the MaRisk to the extent necessary in each individual case.
In the coming months, BaFin will also publish a circular specifying its expectations towards insurance undertakings and pension funds. The Insurance Supervisory Requirements for IT(Versicherungsaufsichtlichen Anforderungen an die IT – VAIT) (only available in German) are currently the subject of a public consultation (see Expert article “IT security: BaFinspecifies IT requirements for the insurance sector”). Like the BAIT, this circular specifies that insurance undertakings must comply with the relevant applicable supervisory requirements for outsourcing when using cloud services.
BaFin will also evaluate the extent to which changes are needed to the existing supervisory requirements for outsourcing.
BaFin also plans to publish special guidance on the topic over the course of this year, particularly in light of discussions held with supervised entities, which have emphasised the need for a supervisory assessment of cloud computing. The guidance will provide the market with detailed information regarding the supervisory requirements related to the use of cloud services. With this additional step, BaFin intends to give companies greater certainty in applying the requirements under supervisory law.
Ahead of the publication of the guidance, this article addresses some key aspects of compliance with BaFin’s unrestricted rights of information and audit and abilities to monitor in addition to the unrestricted rights of information and audit of the supervised entities.
Requirements under supervisory law
Supervised entities that intend to use cloud services must assess in advance the extent to which compliance with the supervisory requirements for outsourcing is required.
If this assessment reveals that, in terms of risk, the planned outsourcing constitutes material outsourced activities and processes, then the credit institutions must comply with sections 25a and 25b of the KWG in conjunction with AT 9 number 7 and 8 of the MaRisk in the contractual arrangements. In such cases, insurance undertakings must comply with Article274(3) to (5) of the Delegated Regulation on Solvency II, section 32 of the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG (only available in German)) and margin no. 237 et seq. of the Minimum Requirements under Supervisory Law on the System of Governance of Insurance Undertakings (Mindestanforderungen an die Geschäftsorganisation von Versicherungsunternehmen – MaGO, see BaFinJournal February 2017 (only available in German)). These contain, in particular, regulations regarding suitable or unrestricted rights of information and audit.
Unrestricted rights of information and audit
Some supervised entities have submitted to BaFin drafts of outsourcing contracts involving the use of cloud services. These contracts related, for instance, to the use of computing power, storage and web applications.
The drafts submitted clearly show that in particular the rights of information and audit of BaFin and of the supervised entities have not been fully implemented in the contractual arrangements. However, it is particularly important that these rights are incorporated into the contracts since many providers of cloud solutions currently active on the financial market are domiciled in states outside of the European Union and European Economic Area. Even German providers of cloud services are not subject to BaFin’s supervision, meaning the supervisory laws are not directly applicable to them. It is therefore only possible to enforce the supervisory provisions on the basis of corresponding contractual rights.
Rights of information and audit of credit institutions
Ensuring unrestricted rights of information and audit vis-à-vis cloud service providers through contractual arrangements is of key importance, particularly with regard to the IT security of institutions.
Outsourced activities and processes that are not regarded as material in terms of risk are subject to the general requirements relating to a proper business organisation pursuant to section 25a (1) of the KWG (see AT 9 number 3 of the MaRisk). If the outsourced cloud services are regarded as material outsourced activities and processes, then the outsourcing agreement must grant both the internal audit function and external auditors appropriate and unrestricted rights of information and audit (AT 4.4.3 number 7 of the MaRisk). Only through unrestricted access to the cloud providers, for example to their business premises, data centres, servers and employees, can supervised entities properly exercise their rights of information and audit. On-site inspections in particular are therefore indispensable.
No restriction of rights
The effective exercise of the rights of information and audit should not be impeded or limited by contractual arrangements. Phased information and audit procedures constitute such a restriction and do not comply with the requirements of the MaRisk or the recommendations of the European Banking Authority (EBA). If performing the audit is made dependent on the concept of commercial reasonableness, then this is also generally regarded as a restriction. In addition, a contractual obligation to first rely on standardised audit reports made available by the cloud providers also constitutes an impermissible restriction of the rights of information and audit.
The use of management consoles may be suitable for certain controls, such as for monitoring compliance with service level agreements in ongoing operations. However, it cannot replace audits by the internal audit function, since management consoles only allow access to information made available by the cloud provider. The internal audit functions of institutions, however, must be able to obtain additional information that is necessary for the audit.
In the case of material outsourced activities and processes, BaFin also accepts pooled audits in accordance with BT 2.1 number 3 of the MaRisk in order to render audits more efficient both for institutions and also for cloud service providers that work for several institutions. In such cases, the audit activity may be performed by the internal audit function of one or more of the outsourcing institutions or by a third party commissioned by these institutions provided that the audit activity complies with the requirements in AT 4.4 and BT 2 of the MaRisk.
In addition, in accordance with BT 2.1 number 3 of the MaRisk, an institution’s audits may be performed by the internal audit function of the cloud provider or the institution may commission third parties to perform audits, provided that the audit activity conducted by the other auditors complies with the requirements in AT 4.4 and BT 2 of the MaRisk.
The outsourcing institution’s internal audit function must, however, regularly verify compliance with the specified requirements. The audit findings that are relevant to the institution must be passed on to the internal audit function of the outsourcing institution.
This also corresponds to the EBA recommendations and decreases the organisational burden for both institutions and the cloud service provider. Pooling the audit resources of institutions also addresses the concerns of cloud service providers regarding “audit tourism”.
If an institution decides not to perform the audit itself or not to perform the audit alone, this must not result in a restriction of the institution’s right of audit. The rights of information and audit of the internal audit function of the outsourcing institution must be granted in full through the outsourcing contract.
Mere provision by the cloud service provider of certifications or other evidence of compliancewith recognised standards does not satisfy the right of information and audit of the outsourcing institution. The outsourcing institution must have the opportunity to influence the scope of the information and audit. This corresponds to the EBA recommendations, which specify corresponding requirements for access to the certifications and audit reports of the cloud service provider.
BaFin’s rights of information and audit and ability to monitor
In addition, the outsourcing contract must ensure BaFin’s unrestricted rights of information and audit and ability to monitor in relation to the outsourced activities and processes. In particular, BaFin’s audits must not be dependent on whether they are commercially reasonable for the cloud service provider.
BaFin’s ability to monitor the cloud service providers must be the same as its ability to supervise the supervised entities as provided for by law. This includes, in particular, the option to perform on-site inspections.