The German financial watchdog BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht) today published guidance with regard to the use of cloud solutions. Produced in collaboration with Deutsche Bundesbank, the German national bank, it presents an assessment of outsourcing to cloud providers and related risks.
The document is addressed at credit institutions, financial services institutions, insurance companies, pension funds, investment services companies, capital management companies, payment institutions and e-money institutions.
While it does not introduce any new obligations, it outlines the current supervisory practice in outsourcing cases. For example, the guidance describes how different wording in contract clauses are evaluated. In addition, BaFin and the Deutsche Bundesbank aim to create awareness among supervised firms of the existing regulatory requirements when dealing with cloud services as already described in the BaFinJournal of April 2018 as these requirements remain unaffected. In its press release, BaFin named the example that outsourcing does not result in a transfer of responsibility of a manager to the cloud provider to stress this point. Instead, the supervised company retains responsibility for outsourcing in order to comply with the legal requirements it must observe.
The press release and the guidance are available here.