Denmark’s Financial Institutions Must Comply with Regulatory Requirements for Cloud Services
=====================================================
The use of cloud services by financial institutions in Denmark must comply with a range of legal and regulatory requirements, according to the Danish Financial Supervisory Authority (Finanstilsynet).
European Banking Authority Guidelines
The European Banking Authority (EBA) issued guidelines on outsourcing arrangements in February 2019. These guidelines apply to EU-regulated credit institutions, investment firms, electronic money institutions, and payment institutions. They address contractual and operational areas such as:
- Audit rights
- Security of data and systems
- Location of data and data processing
- Sub-outsourcing
- Contingency plans and exit strategies
Local Regulations
In addition to the EBA Guidelines, financial institutions in Denmark must also comply with local regulations, including:
- Consolidating Act no. 937 of 6 September 2019 (Financial Business Act) with later amendments
- Executive Order no. 877 of 12 June 2020 on Outsourcing for credit institutions etc.
- Executive Order no. 723 of 28 May 2020 on Outsourcing for Group 2 Insurance Companies, ATP and LD
AWS Compliance Framework
AWS, a leading cloud services provider, is committed to offering financial institutions in Denmark a strong compliance framework and advanced tools and security measures that enable them to evaluate, meet, and demonstrate compliance with applicable legal and regulatory requirements. The company encourages its customers to obtain appropriate advice on their compliance with all relevant regulatory and legal requirements.
Using Cloud Services
Financial institutions in Denmark are permitted to use cloud services, provided they comply with applicable legal and regulatory requirements. However, the regulatory landscape is rapidly changing, and AWS advises its customers to proactively respond to new rules and guidelines.
Data Privacy and Protection Requirements
In addition to complying with regulatory requirements, financial institutions in Denmark using AWS services must also consider applicable data privacy and protection requirements, including:
- General Data Protection Regulation (GDPR)
- Danish Data Protection Act (DDPA)
Compliance Needs Assessment
To better understand their compliance needs, financial institutions can take several steps, including:
- Considering the purpose of the workload and relevant categories of data
- Assessing the materiality or criticality of the workload
- Reviewing the AWS Shared Responsibility Model
- Mapping AWS responsibilities and customer responsibilities
Resources for Compliance
AWS offers a range of resources to help its customers navigate regulatory requirements and ensure compliance, including:
- AWS Compliance Quick Reference Guide
- Implications of the Code of Conduct for Cloud Infrastructure Service Providers in Europe
- Navigating GDPR Compliance on AWS
- Using AWS in the Context of Common Privacy and Data Protection Considerations