On 1 February 2024, the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, “BaFin”) published a supervisory notice (Aufsichtsmitteilung) on outsourcing to cloud service providers. The supervisory notice is based on the guidance BaFin published in 2018, which was updated for this occasion and now represents a key anchor point for BaFin’s supervisory practice in outsourcing matters.
1. Outsourcing of cloud services in the financial sector
In the financial sector, the term outsourcing refers to transferring certain business processes or functions to external service providers in compliance with regulatory requirements. This allows financial institutions to focus on their core competencies, work more efficiently and at the same time draw on specialised external resources. Regulated entities use outsourcing to procure cloud services such as Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS), among others.
BaFin’s supervisory notice updates the content contained in the guidance on the governance of cloud outsourcing, implementation processes and minimum contractual standards. In addition, two new chapters have been included that contain information on development, operation and cyber security in the cloud as well as on the specific monitoring and control of the cloud service provider’s performance and security.
The supervisory notice also contains various information on Regulation (EU) 2022/2554 on digital operational resilience in the financial sector (Digital Operational Resilience Act, “DORA”). DORA applies from January 2025. The updated supervisory notice already provides an outlook on the relevant DORA requirements with regard to outsourcing. An overview of DORA and other EU cybersecurity-related legislation can be found here.
2. Updated requirements for the drafting of outsourcing agreements
In particular, the supervisory notice is intended to make transparent how BaFin assesses various formulations used in contractual clauses. The following points in particular have changed significantly as a result of the new supervisory notice:
2.1 Subject of performance
The 2018 guidance already stated that the outsourcing agreement must specify and, if necessary, delimit the services to be provided by the cloud service provider. The list of points that should be specified in principle was supplemented by the supervisory notice.
The options for adjusting the service in the event of a change in demand during the term of the contract should also be defined. Examples are the introduction of further security measures if the protection requirements change, or an adjustment of the service level promised by the service provider to the demand reports from performance and capacity management.
2.2 Information and audit rights of the supervised companies
The information that the supervised entity receives that it requires for the appropriate management and monitoring of the risks associated with the outsourcing must be retained by the supervised entity for a period of five years.
The effective exercise of information and audit rights may not be restricted by contractual agreements. According to the supervisory notice, impermissible agreements that grant information and audit rights only under certain conditions now also include:
- a reference to the cloud service provider’s internal implementation guidelines where those guidelines restrict the contractually agreed rights, and
- costs whose amount could restrict or hinder the exercise of information and audit rights. The same applies where access to information and documents is restricted to a specific location.
Depending on the relevant regulatory requirements, the supervised entities may utilise alternative audit approaches in order to make their audit procedures more efficient. In such a case, the alternative audit approaches must be taken into account in an appropriate form when drafting the contract with the cloud service provider.
2.3 Information and audit rights of the supervisory authority
Information and audit rights as well as control options of the supervisory authority may not be restricted by contract and, according to the new supervisory notice, also not by internal implementation guidelines of the cloud service provider.
It must be contractually agreed that the supervisor can also exercise its information and audit rights and control options in a proper and unrestricted manner with regard to the outsourced matter. In particular, the supervisor should be able to exercise information and audit rights for at least five years after the termination of the contract.
With regard to material outsourcing arrangements, the aim is to ensure that equivalent information and audit rights are agreed along the entire outsourcing chain, including sub-outsourcing.
2.4 Termination modalities
On termination modalities, the new supervisory notice adds further cases in which termination for good cause should be possible, in addition to the cases in which the supervisory authority demands termination of the contract.
In addition, a specific provision is made for companies that fall within the scope of the Act on the Recovery and Resolution of Institutions and Financial Groups.
2.5 Information obligations of cloud service providers
The scope and preparation of the information provided by the cloud service provider should be designed in such a way that the supervised entity can react appropriately. In particular, the supervised entity should be able to recognise and assess changes to its risk situation.
2.6 Note on the applicable law
Where German law is not agreed and it is also not possible, when agreeing a choice of law clause, to subject the contract to the law of a member state of the European Union or the European Economic Area, the legal enforceability of all requirements should nevertheless remain guaranteed.
3. Outlook
The update of the supervisory notice is also the result of a supervisory dialogue that BaFin conducted with supervised companies, in which they described challenges in implementing the existing supervisory requirements. According to the companies, these challenges stem, for example, from the high degree of standardisation of cloud services, which makes individual agreements more difficult; from the global availability and high scalability of a technologically highly innovative range of services; and from the high concentration on a few cloud service providers from third countries. BaFin has responded by considering flexible approaches. It is to be welcomed that the supervisory dialogue is increasing BaFin’s technological knowledge. This may lead to potential risks arising from outsourcing being identified comprehensively and addressed adequately. It may also lead to flexibility being granted, for example in the case of sub-outsourcing, where this is proportionate from a risk perspective. Such proportionate regulation can also reduce unjustified regulatory overhead, so that the regulation of outsourcing companies in an industry with a strong division of labour does not become an economically disproportionate burden while remaining effective from a risk supervision perspective.
The supervisory notice does not have to be implemented in the strict legal sense: as an administrative regulation interpreting the applicable standards, it has, unlike substantive law, no immediate independent external effect. Nevertheless, the supervisory notice should be taken into account immediately, wherever possible, as BaFin’s current administrative practice.
Against this backdrop, affected companies should review their outsourcing agreements in the course of 2024 to determine whether they comply with the updated supervisory practice, and should examine the DORA requirements so that they can meet them when DORA applies from 17 January 2025.
With the kind support of Franziska Breuer, research assistant.