BaFin's new leaflet on outsourcing to cloud providers
Insights into the supervisor's expectations for the preparation and drafting of contracts
The leaflet of the Federal Financial Supervisory Authority (BaFin) shows which regulations must be included in outsourcing contracts and which preparatory actions must be carried out before the outsourcing takes place.
By means of its "Leaflet - Guidance on outsourcing to cloud providers" published on 8 November 2018, the Federal Financial Supervisory Authority (BaFin) and German Central Bank (Deutsche Bundesbank) provide their understanding and interpretation of cloud services as well as their views on what banks and other supervised financial services institutions (hereinafter referred to as "supervised institutions") must bear in mind when engaging in outsourcing to cloud providers.
This leaflet is directed to all supervised institutions wishing to make use of a cloud service, whereby the specific information on contract drafting must only be observed in the case of material outsourcing (section 25 b of the German Banking Act (KWG) in conjunction with MaRisk) or non-differentiated outsourcing in accordance with German Capital Investment Code (KAGB).
Notes on the drafting of contracts
In 9 chapters, the BaFin elaborates on what regulations must be included in an outsourcing contract with a cloud services provider.
- First, the content and scope of the service must be precisely described. The use of SLAs (Service-Level-Agreements) is recommended to allow a clear distinction between the cloud provider's services and those services rendered by the supervised institution with its own resources.
- In addition, the underlying contracts must provide for information and auditing rights of both the supervised institution and BaFin, and must stipulate that the cloud provider is obliged to grant unrestricted access rights.
- To facilitate compliance with their audit obligations, supervised institutions can carry out collective audits with other supervised institutions or limit their audits to evidence/certificates based on common standards (e.g. the C-5 catalogue of requirements of the Federal Office for Information Security (BSI)).
- A direction right for the supervised institution must be included, which aims at ensuring that the supervised institution is put in a position which enables it to exert influence on and exercise control over the outsourced services at any time.
- Various regulations regarding data security/protection must be taken into consideration. In particular, data must be accessible for repatriation at any time, and safeguards against data center failures must be in place.
- In addition to the general termination rules, the underlying contracts should provide for an extraordinary termination right that will be triggered if and when the supervisory authority demands termination of the outsourcing contract. In addition, the cloud provider must be obliged, after termination and retransfer of the data, to completely and irrevocably delete all acquired data.
- Further outsourcing of outsourced activities and processes by the cloud provider to third parties must be made subject to the condition that both the supervised institution and the competent authority also have information and auditing rights vis-à-vis the subcontractor. The subcontractor's set of obligations must be identical with the cloud provider's.
- The cloud provider must inform the supervised institutions of any developments that could affect the proper handling of the outsourced services. Security incidents as well as changes in the provision of the cloud service must be reported to the supervised institution immediately.
- The contract must be made subject to German law or the laws of a member state of the EU or of the European Economic Area.
Irrespective of the fact that the content of the leaflet is characterized as providing guidance only and in itself does not change or amend applicable laws, but merely describes the current practice of the supervisor, financial services institutions are strongly recommended to abide by its recommendations when it comes to outsourcing. Only by doing so can it be ensured that BaFin and the Deutsche Bundesbank will not raise objections with respect to the corresponding contractual regimes. Implementing the recommendations will also help in establishing a clear and sound contractual basis for outsourcing and lead to the creation of standards.