
Topic Fintechs Cloud Computing

In very general terms, cloud computing describes the operation of IT resources by an external service provider as opposed to within a company. This typically makes use of a dynamic, pay-as-you-go online system with defined technical interfaces and protocols. Cloud services are IT services that are provided to the institution by a services firm via a network (e.g. processing, storage, platforms or software) and which are supplied, used and invoiced dynamically and tailored to requirements via defined technical interfaces and protocols. Companies are increasingly interested in cloud solutions due to the potential cost savings and the option to make use of expertise in a way that is scalable and tailored to their needs. Interest is being further heightened by the provision of innovative technologies from the fields of AI (artificial intelligence) and ML (machine learning) in the cloud.

BaFin considers cloud computing and cloud services to be very significant from a supervisory perspective. The use of cloud services is, in principle, already subject to financial market supervision, mostly in connection with governance issues, in particular risk management and outsourcing management. Alongside the extensive statutory requirements contained in the relevant supervisory laws, the administrative instructions issued are of particular importance. These include the Circular on Minimum Requirements for Risk Management – MaRisk for banks and financial services institutions and the equivalent circulars for asset management companies, insurance undertakings, small insurance undertakings and institutions for occupational retirement provision. To further specify the requirements, BaFin has already taken important steps to provide legal certainty as regards the use of cloud services.

This includes the Circular on Supervisory Requirements for IT in Financial Institutions (BAIT), which sets out BaFin’s supervisory expectations regarding the framework conditions for secure information processing and information technology. The same applies to the Supervisory Requirements for IT in Insurance Undertakings (VAIT), the Supervisory Requirements for IT in Asset Management Companies (KAIT) and the Supervisory Requirements for IT in Payment Services and Electronic Money Institutions (ZAIT). The BAIT, VAIT, KAIT and ZAIT provide further specification and more in-depth information and, in part, also expand on existing requirements.

With particular regard to the procurement of cloud services, BaFin and the Deutsche Bundesbank have also published “Guidance on outsourcing to cloud service providers”. The Guidance does not contain any new requirements; the existing requirements for outsourcing therefore remain unchanged. The principle that responsibility for ensuring compliance with the applicable statutory provisions must remain with the outsourcing supervised institution also applies where services are outsourced to cloud service providers.

BaFin provides basic information on all regulatory and supervisory matters.
