Financial Crime World

Polish Financial Institutions Must Comply with Stringent Regulatory Requirements When Moving to Cloud Computing

Warsaw, Poland - As Polish financial institutions consider outsourcing business functions and data to the cloud, they must be aware of the various regulatory requirements that apply.

Regulatory Requirements for Cloud Computing in Poland

The Polish Financial Supervision Authority (KNF) has outlined a comprehensive approach to the use of cloud computing by financial institutions in the EU. The Banking Act of 1997 does not directly regulate cloud services but sets out legal requirements for outsourcing banking operations, including how personal information can be processed.

Compliance Checklist and Action Plan

The KNF has issued an announcement providing a detailed checklist and action plan for regulated institutions that intend to move business functions to the cloud. The authority also recommends prudent IT security management by banks, with 22 recommendations for best security practices.

Personal Data Protection Act of 1997

In addition, financial institutions must comply with Poland’s Personal Data Protection Act of 1997, which was amended in late 2018 to align with the General Data Protection Regulation (GDPR). The amended act took effect on January 1, 2019.

Microsoft Compliance Checklist

Microsoft has published a compliance checklist for financial institutions in Poland, “Navigating your way to the cloud: A compliance checklist for financial institutions in Poland.” The checklist helps financial organizations adopt Microsoft business cloud services while ensuring compliance with applicable regulatory requirements.

Key Requirements

  • Address requirements of the Banking Act of 1997 and the KNF announcement regarding the use of data processing services in the cloud.
  • Comply with the GDPR-aligned amendment to the Personal Data Protection Act of 1997.
  • Conduct risk assessments of business cloud services, such as Azure, Dynamics 365, and Microsoft 365.
  • Ensure compliance with regulatory obligations.

Mandatory Terms

Contracts with cloud service providers must include mandatory terms, such as those outlined in Part 2 of the Microsoft checklist. Banks that intend to outsource operations to service providers based outside the European Economic Area (EEA), or to have outsourced operations carried out outside the EEA, require KNF approval.

Additional Resources

Financial institutions in Poland can access additional resources on Microsoft’s Financial Services Compliance Program website, including information on Microsoft business cloud services and financial services compliance in Azure.