Open Telekom Cloud for Business Customers

Using the Open Telekom Cloud in compliance with BaFin requirements

by Redaktion
Thanks to additional contractual conditions, BaFin-regulated companies can use the Open Telekom Cloud for their data and processes.
 

In this article you will read about:

  • why the public cloud is becoming increasingly popular with banks, financial service providers, and insurance companies,
  • how BaFin-regulated companies can now use the Open Telekom Cloud for important processes in compliance with the supervisory requirements,
  • and which additional contractual conditions are important.

More flexibility, higher performance, and greater security: This is what German banks expect from cloud computing. For many, the cloud is an important element in the implementation of their digitalization strategy, as the results of a PwC study show: In 2021, almost 80 percent of banks were already using cloud computing – an increase of 25 percentage points compared to 2018. In addition, around half of those banks that have not yet used cloud services are planning to do so soon. There is agreement on the challenges: For many respondents, it is difficult to maintain the necessary level of compliance when using the cloud. This often delays the implementation of cloud projects.

Overcoming regulatory hurdles

Anyone doing business in the financial sector is obliged to meet the requirements of the German Federal Financial Supervisory Authority (BaFin). All institutions and companies regulated by BaFin therefore have to analyze their risks and demonstrate effective risk and emergency management – including when it comes to IT. The banking supervisory requirements for IT (BAIT) set the benchmark for secure IT systems, processes, and IT governance. They also stipulate how regulated companies can outsource important data and processes to a public cloud.

"Since February 2022, BaFin-regulated companies can use our public cloud services not only for non-critical applications as before, but also for more sensitive data and processes. To this end, we have supplemented the contractual terms and conditions of the Open Telekom Cloud, based on the requirements of MaRisk and BAIT," says Fabian Placht, the cloud sales expert who is also responsible for the in-house Open Telekom Cloud in the regulated market, in addition to other cloud solutions. With the adjustments, the Open Telekom Cloud dispels any concerns of banks, financial service providers or insurance companies about outsourcing important data and workloads to their certified data centers. The so-called “Financial Addendum” ensures compliance with the corresponding BaFin requirements.

Start with risk management

If regulated companies want to outsource their IT, they first have to determine just how critical data and applications are to their business operations. It doesn’t matter whether they plan to use traditional outsourcing or a public cloud. Risk management should answer the following questions: What are the risks involved in outsourcing and how are they assessed? To what extent have providers and processes been checked for possible risks? What measures ensure that business processes continue in the event of an IT failure?

Banks, financial service providers, and insurance companies can rely on the Open Telekom Cloud’s standards and certifications for their risk analysis. "With them, the risk catalog can be fulfilled in many places, because the Open Telekom Cloud covers all the basic requirements, such as the regulations regarding information security and emergency management," says Placht. He points to certifications such as ISO/IEC 27001, ISO/IEC 27017, or ISO/IEC 27018, which are all concerned with, among other things, physical security in the data center. These include access systems, fire protection, and an uninterruptible power supply. Another standard is the BSI Cloud Computing Compliance Criteria Catalogue (BSI C5), which describes the minimum information security requirements for cloud services and which the Open Telekom Cloud has met since 2018.

Audit rights for the public cloud

However, the security and protection measures of providers alone are not sufficient to meet all of BaFin’s regulations. For this reason, the Open Telekom Cloud has recently been providing contractual supplementary agreements for companies that are subject to regulation by the financial supervisory authority. They must have special audit and control rights contractually assured by the cloud providers to whom they outsource data or applications. "With our Financial Addendum, we enable our customers to have information, inspection, audit, and access rights. These rights meet the BaFin requirements," says Placht.

For example: The information, inspection, audit, and access rights apply in each case for the internal audit department, the responsible supervisory authority, and the bodies commissioned to carry out the audit by this authority, in order to be able to view and audit the outsourced services fully and without hindrance. This also applies to access to the necessary documents, data carriers, systems, and databases.

Open Telekom Cloud enables right to issue instructions

BaFin also requires a so-called right to issue instructions, which has also been incorporated into the Open Telekom Cloud’s supplementary agreements. Customers are authorized to give a provider certain instructions, for example to correct, delete, or block data.

However, the right to issue instructions in a public cloud also has limits: system architecture, infrastructure, or configurations, for example, are excluded. Hardware resources cannot simply be shut down in the public cloud, as numerous customers access the same IT infrastructure resources. There are, however, alternatives. For example, BaFin-regulated companies can use the public cloud virtually as a self-service and determine themselves when to shut down instances. In this case, instructions to the provider are not necessary. Or they can use dedicated servers or Open Telekom Cloud Hybrid, i.e., a hybrid form of public and private cloud, in order to have more influence over the outsourced infrastructure.

Subcontractors clearly listed

To ensure compliance with BaFin regulations, all subcontractors are also named in the Open Telekom Cloud contract addendum. That is because in some cases – for example, second level support – the Open Telekom Cloud relies on services provided by subcontractors. And the BaFin auditors must also be able to check these subcontractors. Therefore, they also have to grant BaFin the right to issue instructions and comply with the rights to information, inspection, testing, and access. "Everything we promise BaFin-regulated customers must also be observed by our subcontractors. If they in turn use their own subcontractors, they are also bound by the right to issue instructions," says Placht. The aim is to enable the auditors to check all processes end-to-end.

Thinking through the exit strategy

Last but not least, the banking supervisory requirements for IT stipulate that regulated companies must have an exit strategy from the public cloud. However, a one-month termination right would fall short here, since not only the cloud services, but also the processes have to move from one public cloud to another.

This is where those cloud solutions based on an open source IT infrastructure come into their own. Unlike proprietary cloud systems, for example, an open source infrastructure such as OpenStack enables customers to switch to another provider with an OpenStack solution at any time and with little effort. The switch works even more easily when customers use container technologies such as Docker and Kubernetes. Since they have all the essential information about workloads, such as the operating system or security and storage requirements, they can be transferred quickly from one cloud to another.
