How Banks Achieve Security And Compliance In The Cloud

For digitization projects, outsourcing the infrastructure to cloud providers can be a suitable cornerstone for modernization. The technical possibilities have existed for several years, but banks in particular are skeptical despite the technological maturity of cloud offerings. Above all, the requirements of banking supervision and concerns about data security make them hesitant to take the step toward cloud banking. However, with the necessary compliance know-how and consideration of the right criteria when selecting a provider, the hurdles on the way to the cloud can be successfully overcome.

The 'Cloud Monitor 2018' study by KPMG and Bitkom shows: IT security and compliance are identified by the study participants as the greatest challenges on the way to the cloud. No wonder, then, that conformity with legal requirements, such as the General Data Protection Regulation (GDPR), is at the top of the list of requirements for companies when it comes to evaluating potential cloud providers. Transparency in security checks and a contractually regulated exit strategy are also high on the list of requirements among those surveyed.

As for the feared data breaches and attacks, the study is reassuring: a high level of security is among the benefits of cloud solutions. Modern data centers can generally guarantee this better than in-house installations, thanks to a continuously updated technical infrastructure and security systems that are patched as the threat situation requires, especially where the provider has industry-specific offerings. According to the study, participants reported more security-critical incidents in their in-house IT than in the public cloud solutions they used during the twelve months before the survey. One caveat a practitioner should keep in mind: such figures cover the infrastructure the provider operates, while the configuration of the bank's own workloads, identities and access rights remains the bank's responsibility, and a misconfiguration there is not covered by the provider's security record.


There are many solution variants in cloud computing for banks. The recommendations on outsourcing to cloud service providers issued by the European Banking Authority (EBA) refer to four deployment models that differ in who operates and who may use the infrastructure:
  • the private cloud, whose infrastructure is available exclusively to a single institution,
  • the public cloud, whose infrastructure and server capacity are shared by many tenants and rented on demand in a flexibly scalable manner,
  • the community cloud, an infrastructure reserved for a defined group of organizations with shared requirements, and finally
  • the hybrid cloud, a combination of two or more of the above models.
These designations are not a universally valid standard on the provider market, however, so it is advisable to obtain precise information from the individual providers about the characteristics of their cloud service and then select an infrastructure that fits the requirements of your own IT.

Banks in particular still commonly run sensitive data and applications exclusively in a private cloud environment, or keep them out of the cloud entirely through local installations. The aim is to rule out any possibility of customer data from different institutions being mixed up or viewed by other tenants, which would violate supervisory regulations. A public cloud is multi-tenant by definition, so it can meet these requirements only if the provider demonstrably isolates tenants from one another (separate data stores, encryption keys and network segments per institution, with the tenant's identity enforced on every access) and satisfies the other key criteria described below.


For banks in particular, cloud computing entails different obligations from operating a banking platform on a local installation, because having typical banking services performed by third parties such as cloud service providers counts as outsourcing in the legal sense. Institutions such as the EBA and the German Federal Financial Supervisory Authority (BaFin) have therefore drawn up regulations that set the framework for cloud computing. They specify, for example, how intensively the outsourced risk must be controlled and by which procedures, and which measures take effect in an emergency.

BaFin specifies the legal framework for risk management based on the German Banking Act (KWG) in the Minimum Requirements for Risk Management (MaRisk) and the Banking Supervisory Requirements for IT (BAIT) circular. Among other things, these address the technical organization of IT systems, information security requirements and what is understood by an appropriate emergency concept in the event of a malfunction. They also describe the requirements for outsourcing to external cloud service providers. The Cloud Computing Compliance Criteria Catalogue (C5:2020) of the German Federal Office for Information Security (BSI) is another basic reference for companies with high security requirements when it comes to evidence of a cloud provider's security. Note that a C5 audit produces an attestation report by an auditor on the criteria the provider has implemented, not a certificate; the report has to be read for its scope and any exceptions it records.


Following discussions with financial firms that highlighted the need for an official assessment of cloud computing from a supervisory perspective, BaFin and Deutsche Bundesbank published guidance on the topic at the end of 2018. This provides the market with detailed information on the supervisory requirements associated with the use of cloud services in the context of significant outsourcing. With this further step, BaFin aims to give companies more certainty when applying the legal requirements.

Implementing the information and audit rights of the supervisor and of the banking institution is a crucial point here, because supervisory law holds the banks responsible, not the cloud provider. This aspect must therefore be set out separately in the contract between provider and bank and includes, for example, unrestricted access to the provider's business premises, servers and data centers for on-site audits. These audit rights must not be contractually restricted by measures such as staged audit procedures or standardized audit reports, and certificates or other evidence do not legitimize refusing the right to inspect and audit.

The guidance also refers to possible facilitations for financial institutions. For example, conducting aggregate audits of multiple institutions that are with the same provider or relying on evidence from the provider based on common standards and audit reports from recognized third parties may be options to simplify the audit process.


High-availability security gateways, automatic failover and redundancy of critical system components are just a few items that regulators require for the secure regular operation of cloud services. This is a complex undertaking that banks without their own specialized IT departments are often unable to carry out themselves. Working with the right provider is therefore crucial for ensuring cloud security while at the same time making optimum use of the technology's potential.

Secure IT infrastructure: servers, data centers, networks

Server and network security are the foundation for secure data transfer in the cloud, as they are critical to preventing unauthorized access. Certain compliance regulations require that it must always be clear to banks where their data is physically located and how the data flows of different cloud customers are separated from each other.

The regional location of the infrastructure is also a critical point for data security, because it is often a precondition that the data centers holding the financial data of German banks are located within the EU. This is the most straightforward way to ensure legal certainty with regard to the strict European data protection requirements and to rule out critical data being moved to less strictly regulated regions. In practice the bank should pin the regions a provider may use in the contract and verify the actual location of its data, backups and replicas against that list.
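To make the two requirements above (data location and separation of tenants' data flows) concrete, the following Python audit is an added example, not code from the original article or from any provider. It runs over a constructed resource inventory and flags resources outside an assumed EU region allow-list, encryption keys shared by more than one institution, and network segments shared by more than one institution. The resource fields, the region list and the sample inventory are all assumptions for illustration.

```python
"""Added example (not from the original article): a residency and
tenant-isolation audit over a constructed cloud resource inventory."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Assumed allow-list: regions the bank has contractually permitted.
EU_REGIONS = {"eu-central-1", "eu-west-1", "europe-west3"}


@dataclass(frozen=True)
class Resource:
    resource_id: str   # e.g. a bucket, database or VM identifier
    tenant: str        # the institution whose data it holds
    region: str        # where the data physically resides
    kms_key: str       # key that encrypts the data at rest
    network: str       # network segment (VPC/subnet) it lives in


@dataclass(frozen=True)
class Finding:
    subject: str       # resource, key or network the finding is about
    kind: str          # "residency", "shared-key" or "shared-network"
    detail: str


def audit(resources: Iterable[Resource],
          allowed_regions: Set[str] = EU_REGIONS) -> List[Finding]:
    """Return all residency and tenant-isolation violations found."""
    findings: List[Finding] = []
    tenants_per_key: Dict[str, Set[str]] = {}
    tenants_per_net: Dict[str, Set[str]] = {}

    for r in resources:
        # Requirement 1: every resource must sit in a permitted region.
        if r.region not in allowed_regions:
            findings.append(Finding(
                r.resource_id, "residency",
                f"region {r.region} is outside the allowed set"))
        # Collect which tenants share each key and each network segment.
        tenants_per_key.setdefault(r.kms_key, set()).add(r.tenant)
        tenants_per_net.setdefault(r.network, set()).add(r.tenant)

    # Requirement 2: no encryption key and no network segment may be
    # shared between institutions; either would let one tenant's data
    # be reached or decrypted from another tenant's context.
    for key, tenants in tenants_per_key.items():
        if len(tenants) > 1:
            findings.append(Finding(
                key, "shared-key",
                f"key used by tenants {sorted(tenants)}"))
    for net, tenants in tenants_per_net.items():
        if len(tenants) > 1:
            findings.append(Finding(
                net, "shared-network",
                f"segment used by tenants {sorted(tenants)}"))
    return findings


# Constructed sample inventory (not real data): two clean resources,
# one outside the EU, one sharing a key and one sharing a network.
SAMPLE_INVENTORY = [
    Resource("db-1", "bank-a", "eu-central-1", "key-a", "net-a"),
    Resource("db-2", "bank-b", "eu-west-1", "key-b", "net-b"),
    Resource("backup-2", "bank-b", "us-east-1", "key-b", "net-b"),
    Resource("db-3", "bank-c", "eu-central-1", "key-a", "net-c"),
    Resource("vm-3", "bank-c", "eu-central-1", "key-c", "net-a"),
]


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.kind:15} {f.subject:10} {f.detail}")
```

The check is deliberately inventory-driven: it does not trust a provider's statement about where data lives or how tenants are separated, but works from what the bank can actually enumerate, which is the kind of evidence an on-site or pooled audit would also want to see.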

Compliance expertise and contract design

However, a suitable cloud provider for financial IT is characterized not only by secure server configuration, but also by a deep understanding of regulatory and security issues. Last but not least, the ability to integrate with existing systems can be the deciding factor in provider selection. Banks should rely on experienced service providers who are familiar with and able to comply with all industry-specific guidelines and who can connect existing systems in an uncomplicated manner.

Generally recognized certifications, especially for IT security, attest to the service provider's expertise. In addition, all aspects relevant to data protection and IT security must be regulated contractually between provider and customer so that they also satisfy regulatory requirements. Service level agreements (SLAs) describe the services to be provided on an ongoing basis and regulate in detail, among other things, availability and response times in the event of a fault, giving all parties the necessary legal certainty.


Cloud computing is a multi-faceted topic, and the extensive guidelines for significant outsourcing at banks pose the greatest challenge for implementation. Because experienced banking solution providers engage intensively with industry-specific regulations, they can help meet security and compliance requirements without neglecting the individual requirements and specialist needs of financial institutions. Whether banks outsource individual applications that cover specific aspects or business areas of banking, or rely on the cloud as the basis for a digital restart, the basic prerequisite for successful implementation is the correct application of the legal requirements.

In the future, financial companies in particular will be increasingly dependent on a fast time-to-solution and the dynamics of innovative technologies in order to remain competitive on the market. Cloud computing promises shorter start-up times, lower initial costs and reduced maintenance effort: Optimizing existing systems with a cloud solution could provide many financial institutions with a suitable starting point for a future-oriented entry into the digitization of their company.