Financial Supervision Authority (KNF) Poland

About the KNF

The Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) is the financial regulatory authority in Poland, responsible for supervision of the financial market, which includes oversight over banking, capital markets, insurance, pension schemes, and electronic money institutions.

The KNF acts in concert with the European Banking Authority (EBA), 'an independent EU authority, which works to ensure effective and consistent prudential regulation and supervision across the European banking sector.” To that end, the EBA has outlined a comprehensive approach to the use of cloud computing by financial institutions in the EU, Recommendations on outsourcing to cloud services providers.

There are several requirements and guidelines that financial institutions in Poland should be aware of when moving business functions and data to the cloud:

  • The Banking Act of 1997 (Polish and English) does not regulate cloud services directly but instead sets out legal requirements for outsourcing banking operations including how personal information can be processed. Cloud services could be subject to Banking Act provisions if the outsourced services are of key significance for the bank, or if outsourcing involves giving the service provider access to sensitive data that is subject to banking secrecy requirements.
  • The Announcement, issued by the KNF Office in 2017, provides a detailed checklist and action plan for regulated institutions that intend to move business functions to the cloud.
  • Recommendation D: Management of Information Technology and ICT Environment Security at Banks defines KNF expectations for prudent IT security management by banks, particularly as to how they manage risk. The KNF makes 22 recommendations for best security practices and has issued comparable guidelines for insurance companies, investment firms, and general pension companies.

In addition, the use of cloud services by financial institutions must comply with Poland's Personal Data Protection Act of 1997, which is fundamental to the processing of personal data. To align with the GDPR, it was amended in late 2018 by the Act on Facilitation of Performance of Business Activity (Polish) and will take effect 1 January 2019.

Microsoft and the KNF

To help guide financial institutions in Poland considering outsourcing business functions to the cloud, Microsoft has published Navigating your way to the cloud: A compliance checklist for financial institutions in Poland. By reviewing and completing the checklist, financial organizations can adopt Microsoft business cloud services with the confidence that they are complying with applicable regulatory requirements.

When financial institutions in Poland outsource business activities to the cloud, they must address requirements of the Banking Act of 1997 and the 2017 KNF Announcement regarding the use of data processing services in the cloud, both of which fall within the broad policy framework of the European Banking Authority. In addition, financial firms using cloud services must comply with the GDPR-aligned 2018 amendment to the Personal Data Protection Act of 1997, now updated to align with the GDPR.

The Microsoft checklist helps Polish financial firms conducting due-diligence assessments of Microsoft business cloud services and includes:

  • An overview of the regulatory landscape for context.
  • A checklist that sets forth the issues to be addressed and maps Microsoft Azure, Microsoft Dynamics 365, and Microsoft 365 services against those regulatory obligations. The checklist can be used as a tool to measure compliance against a regulatory framework and provide an internal structure for documenting compliance, and help customers conduct their own risk assessments of Microsoft business cloud services.

Microsoft in-scope cloud platforms & services

How to implement

Frequently asked questions

Is regulatory approval required?

No. However, under the Banking Act of 1997, if the service provider is based outside the European Economic Area (EEA) or if outsourced operations are to be implemented outside the EEA, banks must obtain KNF approval before entering into contracts.

Are there any mandatory terms that must be included in the contract with the cloud services provider?

Yes. Part 2 of the Microsoft checklist (page 77) contains a comprehensive list of the requirements that should be included in contracts with cloud service providers.

Resources