BaFin compliance with the cloud

In this article you will read,

• which BaFin regulatory requirements Creditreform is subject to,
• why data sovereignty is essential to the company,
• and how the Open Telekom Cloud supports them.

Anyone using a cloud in a financial environment must also have the ability to enforce audit and control obligations on the cloud provider as the client. Creditreform and the Open Telekom Cloud have paved the way for this with the Financial Addendum.

Creditreform, based in Neuss, is a well-known player in the market: it is Germany's leading provider of business information, marketing data and solutions for claims management (debt collection). It has 161 offices in Europe and serves 162,000 member companies worldwide. 

It all started very small in Mainz in 1879, when 25 small businesses and traders got together and founded an association to protect themselves from defaulting business customers. Business partners who were in debt with one of the member companies could no longer obtain credit from another company in the association, thus establishing a typical data-based business model. The idea appealed to many tradespeople. Associations based on the Mainz model also emerged in other German cities. As early as 1883, an umbrella organization of the Creditreform associations was founded, which was also organized as an association and still exists today. 

Over the years, Creditreform expanded its services. Since 1928, it has also offered creditworthiness checks. Creditreform's services are still very important, even in the face of current regulatory requirements. For example, against the background of the Money Laundering Act, companies are obliged to know who they are doing business with in order to prove this to the supervisory authorities in the form of a risk analysis. For this purpose, Creditreform also offers CrefoTrust, a solution for digital identities.

Today, Creditreform has a treasure trove of over 88 million pieces of company data. “We attach great importance to data security, or perhaps to choose a more modern word: data sovereignty. Our business model is built on data. This data and its refinement and further processing are the crown jewels of our company,” explains Frank Vollmar, CTO and Managing Director of Verband der Vereine Creditreform e.V.

Until now, Creditreform has stored and processed these continuously growing volumes of data in its own data centers, but the company recognized the clear advantages of the cloud: scalability, rapid provision of resources and, last but not least, a reduced carbon footprint. “Our idea was to move workloads to the cloud in order to achieve greater flexibility and use resources more efficiently.” Find out more about the reasons for the Open Telekom Cloud and its use in the video:

Creditreform's clients also include many banks. When Creditrefom provides services for them, it is also contractually subject to BaFin's regulatory requirements as a service provider. “We were looking for a way to use the options of the cloud, but at the same time meet the applicable compliance requirements: the GDPR, of course, but also the relevant regulatory requirements of the financial sector,” emphasizes Torsten Krall, Technical Lead in Receivables Management at Verband der Vereine Creditreform e.V.

Beyond the frequently reported data residency in the EU, BaFin specifically requires that, in the event of any doubt, bank customers must prove that they can enforce their auditing and control obligations vis-à-vis service providers. They thus “pass on” the obligation to Creditreform – and Creditreform in turn to their cloud provider. “With the Open Telekom Cloud, we have found a partner that grants us precisely these rights.” The two partners agreed on a so-called Financial Addendum, which also includes the relevant sub-service providers of the Open Telekom Cloud – all of which belong to the Telekom Group.

In 2023, Creditreform began moving its first workloads to the Open Telekom Cloud. The main workload came from extensive databases based on Microsoft SQL. “Here, the Open Telekom Cloud also came in handy,” recalls Krall, ”because the requirements of our databases could not be met with the standard machines. The team provided us with extra powerful machines for this purpose.” Creditreform operates several large database clusters for the Receivables Management division, around half of which have now been migrated to the Open Telekom Cloud.

This year (May 2024), the team migrated the branch offices from the old debt collection application to a new one. This involves extracting the data of each individual branch from the old database and transforming it into the new program. This is very resource-intensive, but scales very well horizontally – perfect for the cloud. Depending on the branch office, between two and twelve nodes are used. Ultimately, using the cloud avoids waiting times and weekend work.

Creditreform also makes use of other services from the Open Telekom Cloud Team. “As the availability of our services is very important to us, we decided to also conclude an Enterprise Agreement,” says Krall. Robert Uhl, the responsible Customer Success Manager at Open Telekom Cloud, explains: “The Enterprise Agreement guarantees Creditreform the shortest response times and the availability of a personal contact person – around the clock.” Creditreform also used the Managed Services of the Open Telekom Cloud team for a specific complex SQL challenge. 

Creditreform is continuously expanding its commitment to the Open Telekom Cloud. After the initial tests, it booked reserved packages for productive workloads, which offer significant discounts. Pay-as-you-go resources are primarily used in testing and development. “We can try out how our systems react to more nodes or multiple availability zones, for example, how other VMs affect them or try out new versions of Kubernetes or databases.”

“We value the possibilities of the Open Telekom Cloud. Ad hoc access to a wealth of standardized services brings us enormous speed gains. But we value the people behind it even more. Our contacts are always solution- and customer-oriented and we are perceived as partners at eye level,” summarizes Vollmar.