Cloud computing in banking - overview of regulatory requirements
by Matthias Rensing
Hybrid Cloud, IT & Management Consulting, Security & Compliance
The use of cloud computing is subject to particularly strict requirements in the financial sector, which must be observed when drafting contracts with providers.
Cloud computing is becoming an increasingly important topic in banking. Despite guidance from the EBA and BaFin, uncertainty remains about the regulatory requirements. The question therefore arises as to which regulatory and other relevant requirements must be observed in cloud computing.
The study "Cloud Computing in the Banking Sector 2021" shows that 78 percent of German banks already use cloud computing. This represents an increase of 25 percent compared to 2018. About half of the banks that have not yet used cloud computing are planning to introduce it in the near future. The banks surveyed named data security, meeting compliance requirements and unclear regulatory requirements as the financial sector's biggest challenges in cloud computing.
Overview of relevant laws and directives
1. MaRisk: Minimum Requirements for Risk Management
2. BAIT: Banking supervisory requirements for IT
3. German Banking Act (Kreditwesengesetz - KWG); in particular § 25 Outsourcing of Activities and Processes;
4. EBA Guidelines on outsourcing (EBA/GL/2019/02)
The first step towards concretising the regulatory framework for cloud computing was the publication "Bankaufsichtliche Anforderungen an die IT" (BAIT). The BAIT specifies the interpretation of the Minimum Requirements for Risk Management of Banks (MaRisk) with regard to IT. The BAIT states that the use of cloud computing, where it constitutes an outsourcing of IT services, is subject to the same supervisory requirements for outsourcing pursuant to Section 25b of the German Banking Act (KWG) in conjunction with AT 9 MaRisk.
The BaFin's "Guidance on outsourcing to cloud providers" and the EBA's guidelines on outsourcing (EBA/GL/2019/02) further specify the requirements for outsourcing to cloud providers. The following critical areas of action can be derived from this:
2. Analysis and materiality assessment
3. Contract design for significant outsourcing
4. Exit strategy
BaFin's "Guidance on outsourcing to cloud providers" does not specify any new requirements, but is rather the interpretation of BAIT with regard to the topic of cloud computing. The document is intended to support German banks in outsourcing to cloud providers and inform them about regulatory specifics.
The following sections discuss the individual topics.
Before the start of any outsourcing, a strategic evaluation of the planned procedure must be carried out. For example, BaFin requires that the use of cloud computing has been sufficiently considered within the bank's IT strategy and that a risk analysis has been carried out when outsourcing to a cloud provider. In addition, a process must be created and documented that describes the entire life cycle of a future cloud service, starting with the cloud strategy and the migration concept through to the exit strategy. The bank must also have checked all affected internal processes to see whether they are "cloud ready" before starting the outsourcing.
Analysis and materiality assessment
If the strategy for outsourcing to a cloud provider has been adopted, a risk analysis must be prepared for the respective outsourcing. Within the scope of this analysis, the relevant aspects are assessed and it is determined whether it is an outsourcing and whether it is to be assessed as material. A case-by-case assessment is always necessary for each outsourcing and a separate risk analysis must be prepared. The level of detail of the analysis can be individually adapted to the type, scope, complexity and risk content of the outsourced matter.
Contract design for significant outsourcing
In the case of significant outsourcing, specific elements must be included in the contract with the cloud provider according to BaFin and the EBA. The EBA guidelines on outsourcing (EBA/GL/2019/02) specify the minimum requirements for outsourcing contracts. The most important contractual elements include a detailed description of the subject matter of the service as well as information and audit rights for the bank and the supervisory authorities. In this context, any direct or indirect restriction of the audit rights by the contract is inadmissible. With the "Guidance on outsourcing to cloud providers", BaFin has created a framework for facilitations such as collective audits and the use of evidence (certificates and audit reports) for outsourcing to cloud providers. Since the hyperscalers (Azure, AWS, GCP) have often resisted the audit rights of individual banks due to their monopoly position, these facilitations make it possible for banks to conclude contracts and to operate in the cloud in compliance with the rules.
Exit strategy
Through the publication of the EBA Guidelines on Outsourcing (EBA/GL/2019/02), the requirements for an exit strategy have been further specified by the supervisory authorities. Thus, an exit strategy must be prepared for each material outsourcing. Especially in the case of outsourcing to cloud providers, the exit strategy should already be taken into account in the IT strategy, as otherwise there is a risk of vendor lock-in. Vendor lock-in means that a company has such a strong dependency on the cloud provider that a switch to another cloud provider becomes impossible or unprofitable. Vendor lock-in can be avoided by choosing a suitable IT architecture and cloud services. For example, by using a microservice architecture, an IT service can be distributed across several cloud platforms as part of a multi-cloud strategy.
The increasing demand for cloud solutions has also left its mark on the banking industry. Thus, the special features of cloud computing are also increasingly being taken into account in banking supervisory requirements. Regulation no longer prevents cloud outsourcing. Rather, it forces banks to approach cloud computing strategically, in a risk-oriented and holistic manner. With the easing of audit rights through collective audits and the use of evidence (certificates and audit reports), outsourcing to hyperscalers such as AWS, Azure or GCP in line with regulatory requirements is also possible. However, those responsible for the cloud in the institutions should keep a watchful eye on developments around the GDPR (DSGVO) and data sovereignty. In particular, the "Schrems II ruling" and the "GAIA-X" project clearly show that Europe's dependence on US data centres and US internet platforms has become a geopolitical issue. Whether this will also have an influence on regulation in the medium term remains to be seen. The success of "GAIA-X" will be decisive for the topic of the GDPR in the cloud.
noventum consulting GmbH