Contract requirements
3. Are there any specific contractual requirements for cloud outsourcing?

Cloud outsourcing rules under MaRisk/EBA Guidelines

The following is a summary of the additional provisions in the European Banking Authority's Guidelines on Outsourcing Arrangements of 2019 ("EBA Guidelines") as they have been transposed into Circular 10/2021 (BA) Minimum Requirements for Risk Management (Rundschreiben 10/2021 (BA) — Mindestanforderungen an das Risikomanagement ("MaRisk")) that specifically mention cloud services:

  1. Where relevant (e.g., in the context of cloud or other ICT outsourcing), institutions and payment institutions should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis (EBA Guidelines No. 82; MaRisk AT 9 No. 7 k).
  2. In the case of outsourcing to cloud service providers and other outsourcing arrangements that involve handling or transferring personal or confidential data, institutions and payment institutions should adopt a risk-based approach to data storage and data processing locations (i.e., country or region) and information security considerations (EBA Guidelines No. 83; MaRisk AT 9 No. 7 d).
  3. Internal and external auditors must be sufficiently skilled when complex cloud services are audited (EBA Guidelines No. 97; not explicitly mentioned in the MaRisk).

Cloud outsourcing rules under the ESMA Guidelines

Regarding investment firms, UCITS managers and alternative investment fund managers ("AIFMs"), the Guidance Note on Cloud Services is superseded by the European Securities and Markets Authority's Guidelines on Outsourcing to Cloud Service Providers of 10 May 2021 ("ESMA Guidelines"), even though the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht ("BaFin")) has not clarified the interplay between its guidance note and the ESMA Guidelines. Prudence would suggest applying both sets.

The ESMA Guidelines cover the following points:

1. Governance, oversight and documentation

Firms should have a defined outsourcing strategy and clear responsibilities for the documentation, management and control of cloud outsourcing, including a cloud outsourcing oversight function or designated senior staff members who are directly accountable to the management body. They need to monitor the performance of the outsourced activities and reassess from time to time the criticality of the processes for their business. Additionally, they must keep an up-to-date, detailed register of cloud outsourcing arrangements. Firms should allocate sufficient resources to ensure compliance with the ESMA Guidelines and all legal requirements applicable to their cloud outsourcing arrangements.

Performance of outsourced activities, security measures and agreed service levels must be monitored.

2. Pre-outsourcing analysis and due diligence

Firms must assess the criticality of the outsourced processes before the outsourcing takes place and assess the risks associated with them. For critical functions, the analysis must be more thorough. In addition, the cloud service provider's suitability must be assessed in due diligence.

3. Key contractual elements

See Question 3 generally on specific contractual requirements.

4. Information security

A firm should have adequate information security requirements in its policies and procedures and should apply them to cloud outsourcing.

5. Exit strategies

If outsourcing critical functions, firms must have an exit strategy. The cloud outsourcing provider must support the firm in migrating the data and services to another provider.

6. Access and audit rights

The outsourcing must not impair the firm's ability to access and audit the activities. Third-party certifications and pooled audits are permitted, but they are subject to a detailed risk assessment if critical functions are outsourced. Firms must also have skilled staff who can perform on-site audits.

7. Sub-outsourcing

Sub-outsourcing is viewed critically, and it must be ensured that control and supervision are maintained. Critical sub-outsourcing should be subject to a right of objection by the firm.

8. Written notification to competent authorities

Authorities must be informed ahead of a planned cloud outsourcing. In Germany this is superseded by a general requirement in Section 54(1) No. 13 of the Securities Institutions Act (Wertpapierinstitutsgesetz ("WpIG")) regarding investment firms and Section 36 of the Capital Investment Code (Kapitalanlagegesetzbuch) regarding AIFMs and UCITS managers to notify BaFin of the intent to outsource material functions, the implementation thereof and material incidents in the framework of existing outsourcing.

Cloud outsourcing rules under the Guidance Note on Cloud Services

The key obligations summarized in the guidance note entitled "Orientation help regarding outsourcing to Cloud service providers" (Merkblatt — Orientierungshilfe zu Auslagerungen an Cloud-Anbieter ("Guidance Note on Cloud Services")) are as follows:

1. The risk analysis should be comprehensive and cover the following points:

  • Design
  • Criticality of the outsourced functions
  • Risks resulting from the selected service model, i.e., Infrastructure as a Service ("IaaS"), Platform as a Service ("PaaS") or Software as a Service ("SaaS"), as BaFin takes the view that the bank's/AIFM's ability to control is highest in IaaS models and lowest in SaaS models (We assume that the contemplated cloud hosting services would likely be considered IaaS, i.e., have a lower risk.)
  • Financial, operational, legal and reputational risk (based particularly on the location of storage devices)
  • Risk resulting from multiple outsourcing to the same cloud services provider
  • Supervisory restrictions in certain countries
  • Geopolitical risk and applicable laws, particularly on data protection
  • Risk for integrity, availability, confidentiality and authenticity of data, particularly regarding access to data located in a different jurisdiction, interfaces between own and third-party systems and risk from sudden termination (such as data loss or limited migration to a new provider)
  • Risk resulting from sub-outsourcing by the cloud services provider

2. A detailed written agreement should be created.

3. Monitoring and audit rights are required, which should include unlimited access to data centers, equipment, systems and networks.

4. Further, it is unacceptable to limit audit rights by means of the following:

  • Staged information and audit procedures
  • Limitation to submission of audit reports and test certificates
  • Condition of prior training before an audit can take place
  • Limitation to "commercially reasonable" audits
  • Limits on timing and number of audit personnel
  • Limited access only via management consoles
  • Predetermined processes and limitations on the scope of the audit

5. However, in some instances, audits by the internal audit teams of the banks can be replaced by internal audits performed by the teams of the cloud services provider or by other banks, particularly in the case of "pooled audits" by several banks/AIFMs.

6. On-site audits by regulatory authorities must not be restricted (including access to data centers, equipment, systems and networks) and the cloud service provider must agree to cooperate with the regulators. The audit rights must cover the entire "chain" of outsourcing, including sub-outsourcing.

7. Instruction rights must include the ability for the outsourcing institution to ask for certain types of certifications and proofs.

8. Outsourcing institutions must ensure that all applicable data protection and data security laws are observed.

9. Outsourcing institutions must know the location of where the data is stored (at least the name of the city, but if there is a valid reason, the cloud services provider must also give the street address).

10. Data and systems must be redundant to ensure availability in case of a failure of a data center.

11. Termination rights should include an obligation on the cloud service provider to continue providing the services until a replacement provider is found. The cloud service provider should support the transfer to the replacement provider. Data at the level of the cloud services provider must be deleted completely and irrevocably after transfer.

12. There should be an exit strategy, which should be reviewed to ensure that it could be implemented in practice.

13. The agreement should deal with sub-outsourcing. The sub-provider must also observe all obligations under the outsourcing agreement. Sub-outsourcing may trigger a reassessment of the risks.

14. Cloud services providers must accept comprehensive information obligations regarding developments that could impair the services, including any disruptions of services. In addition, the bank must be informed of critical events regarding the provider, particularly financial deterioration.

As for data privacy and/or data security laws, please see Question 7 for the required contractual stipulations.