JUN 21, 2022

The banking regulators viewpoint: keeping an eye on Cloud Computing within the German Market

Jörg Martin

Head of Application Services OBS

Reading time: 2 min

OWINTALK | BEHIND BUSINESS, BEYOND NEWS

“Every system that is not standing in the bank’s own data centre can be considered as cloud computing.”

German banks have been flirting with the topic of IT outsourcing for years. Many have already outsourced services but are still hesitant about outsourcing data centre services.

On the other hand, the requirements of the supervisory authority – and thus the costs – are high, and what’s more, the corresponding infrastructure is still available in the banks from the past. Why not continue to use it?

A necessary technology upgrade, driven not only by the age of the hardware but also by the need to run other operating systems (such as Linux), again raises the question: “Do I buy this myself, or is now the moment to outsource it?” A side aspect (or perhaps more than a side aspect) is that it is not only the hardware that is getting older, but also the people who operate it.

When it comes to the topic of the cloud, many people first think of the large cloud operators and the benefit of “being able to add resources so easily”. But is the resource utilisation of a core banking system really so volatile that this is a real advantage?
On the other hand, for many banks the public cloud is not in focus when they think of their core banking system. “Is my data really protected? Is my data available in third countries?” These are questions that need to be answered in the context of any outsourcing, and especially in this one.

However, cloud is not only the public cloud, but also everything that is “not in your own data centre”.
And here, many providers in the German market have already positioned themselves specifically for the regulated market of banks and financial service providers. The following steps have often already been taken:

  • Technical preparations
    The providers have adapted their own technical (network) structure to create offers for banks, providing different security levels depending on the required service levels.
  • Regulatory compliance
    To be compliant with the regulator, a tech provider also needs to “become” a bank, and this transformation is not (only) technological but a question of mindset.

On the one hand, there are long-standing standards everyone is familiar with (e.g. the certifiable ISO 27001 standard). However, the whole value chain provided by the outsourcer often includes many services not covered by the ISO certificates, and these certificates do not specifically address the issues raised by the banking supervisory authorities. So, to cover the issue holistically, an audit of the provider’s control system can provide the required assurance.

These audits, using the auditing standard of the IDW (Institute of German Certified Public Accountants; the international equivalent is the ISAE 3402), can be “certified” by an independent auditor. Because the audit report is based on a control system specifically tailored to include the banking regulations (e.g. BAIT/MaRisk in Germany), it can really assure the banks that their service provider is not only “tangible on site” but also fulfils the regulatory banking requirements and can prove it. As a consequence, the banks need not invest much additional effort, and thus additional cost, because they can already fulfil their audit obligations by submitting the service provider’s audit attestation. It also leaves them free to take the second step of carrying out their own on-site audits when required.

Finally, don’t be afraid of outsourcing to a private cloud. The reasons can be closer to your own needs than just following “a hype”.
