Cloud computing in banking - overview of regulatory requirements

Cloud computing is becoming an increasingly important topic in banking. Despite guidance from the EBA and BAFIN, uncertainty remains about the regulatory requirements. The question therefore arises as to which regulatory and relevant requirements must be observed in cloud computing.

The study "Cloud Computing in the Banking Sector 2021" shows that 78 percent of German banks already use cloud computing. This represents an increase of 25 percent compared to 2018. About half of the banks that have not yet used cloud computing are planning to introduce it in the near future. The banks surveyed named data security, meeting compliance requirements and unclear regulatory requirements as the financial sector's biggest challenges in cloud computing.

Overview of relevant laws and directives

1. MaRisk: Minimum Requirements for Risk Management

2. BAIT: Banking supervisory requirements for IT

3. German Banking Act (Kreditwesengesetz - KWG); in particular § 25 Outsourcing of Activities and Processes;

4. EBA Guidelines on outsourcing (EBA/GL/2019/02)

The first step towards concretising the regulatory framework for cloud computing was the publication "Bankaufsichtliche Anforderungen an die IT" (BAIT) The BAIT specifies the interpretation and interpretation of the Minimum Requirements for Risk Management of Banks (MaRisk) with regard to IT. The BAIT specifies that the use of cloud computing, which constitutes an outsourcing of IT services, is subject to the same supervisory requirements for outsourcing pursuant to Section 25b of the German Banking Act (KWG) in conjunction with AT 9 MaRisk.

The BaFin's "Guidance on outsourcing to cloud providers" and the EBA's guidelines on outsourcing (EBA/GL/2019/02) further specify the requirements for outsourcing to cloud providers. The following critical areas of action can be derived from this:

1. Strategy

2. Analysis and materiality assessment

3. Contract design for significant outsourcing

4. Exit strategy

BaFin's "Guidance on outsourcing to cloud providers" does not specify any new requirements, but is rather the interpretation of BAIT with regard to the topic of cloud computing. The document is intended to support German banks in outsourcing to cloud providers and inform them about regulatory specifics.

The following sections discuss the individual topics.

Strategy

Before the start of any outsourcing, a strategic evaluation of the planned procedure must be carried out. For example, BaFin requires that the use of cloud computing has been sufficiently considered within the bank's IT strategy and that a risk analysis has been carried out when outsourcing to a cloud provider. In addition, a process must be created and documented that describes the entire life cycle of a future cloud service, starting with the cloud strategy and the migration concept through to the exit strategy. The bank must also have checked all affected internal processes to see whether they are "cloud ready" before starting the outsourcing.

Analysis and materiality assessment

If the strategy for outsourcing to a cloud provider has been adopted, a risk analysis must be prepared for the respective outsourcing. Within the scope of this analysis, the relevant aspects are assessed and it is determined whether it is an outsourcing and whether it is to be assessed as material. A case-by-case assessment is always necessary for each outsourcing and a separate risk analysis must be prepared. The level of detail of the analysis can be individually adapted to the type, scope, complexity and risk content of the outsourced matter.

Contract design for significant outsourcing

In the case of significant outsourcing, specific elements must be included in the contract with the cloud provider according to BaFin and EBA. The EBA guidelines on outsourcing (EBA/GL/2019/02) specify the minimum requirements for outsourcing contracts. The most important contractual elements are, among others, a detailed description of the subject matter of the service as well as information and audit rights for the bank and supervisory authorities. In this context, any direct or indirect restriction of the audit rights by the contract is inadmissible. With the "Guidance on outsourcing to cloud providers", BaFin has created a framework for facilitations such as collective audits and the use of evidence / certificates and audit reports for outsourcing to cloud providers. Since the hyperscalers (Azure, AWS, GCP) have often resisted the audit rights of individual banks due to their monopoly position, the facilitations make it possible for the banks to find contracts and to operate in the cloud in compliance with the rules.

Exit strategy

Through the publication of the EBA Guidelines on Outsourcing (EBA/GL/2019/02), the requirements for an exit strategy have been further specified by the supervisory authorities. Thus, an exit strategy must be prepared for each material outsourcing. Especially in the case of outsourcing to cloud providers, the exit strategy should already be taken into account in the IT strategy, as otherwise there is a risk of vendor lock-in. Vendor lock-in means that a company has such a strong dependency on the cloud provider that a switch to another cloud provider becomes impossible or unprofitable. Vendor lock-in can be avoided by choosing a suitable IT architecture and cloud services. For example, by using a microservice architecture, an IT service can be distributed across several cloud platforms as part of a multi-cloud strategy.

Conclusion

The increasing demand for cloud solutions has also left its mark on the banking industry. Thus, the special features of cloud computing are also increasingly being taken into account in banking supervisory requirements. Regulation no longer prevents cloud outsourcing. Rather, it forces banks to approach cloud computing strategically, risk-oriented and holistically. With the easing of audit law through collective audits and the use of evidence / certificates, outsourcing to hyperscalers such as AWS, Azure or GCP in line with regulatory requirements is also possible. However, those responsible for the cloud in the institutions should keep a watchful eye on the development around the topic of DSGVO and data sovereignty. In particular, the "Schrems II ruling" and the "GAIA-X" project clearly show that Europe's dependence on US data centres and US internet platforms has become a geopolitical issue. Whether this will also have an influence on regulation in the medium term remains to be seen. The success of "GAIA-X" will be decisive for the topic of the GDPR in the cloud.

Sources:

Die neuen EBA Leitlinien zur Auslagerung (EBA/GL/2019/02) - PwC Regulatory Blog

dl_kait_auslagerung_cloud_anbieter_wa (1).pdf

BaFin - Fachartikel - Cloud-Computing: Einhaltung der aufsichtsrechtlichen Vorgaben zu …

dl_181108_orientierungshilfe_zu_auslagerungen_an_cloud_anbieter_ba.pdf 

Cloud Computing Compliance Criteria Catalogue – C5:2020 – Kriterienkatalog Cloud Computing (bund.de)

checkliste-public-cloud-im-regulierten-umfeld.pdf (finsurance-it-services.de)

Cloud-Beratung für Finanz- und Versicherungsunternehmen (finsurance-it-services.de)

More Information

Thank you for your interest in the noventum Cloud-Consulting!

If you would like to find out even more about noventum IT-Consulting, you will find information here.