Dutch Authority for the Financial Markets and the Central Bank of the Netherlands

About the AFM and DNB

The primary financial regulators in the Netherlands are the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, AFM) and the Central Bank of the Netherlands (De Nederlandsche Bank, DNB). The AFM, whose role is comparable to the SEC in the United States, is the independent supervisory authority for the savings, lending, investment, and insurance markets.” The DNB, within the European System of Central Banks, determines, and implements monetary policy and exercises prudential supervision of financial organizations for the Netherlands.

Both of these institutions act in concert with the European Banking Authority (EBA), “an independent EU authority that works to ensure effective and consistent prudential regulation and supervision across the European banking sector.” To that end, the EBA has outlined a comprehensive approach to the use of cloud computing by financial institutions in the EU, Recommendations on outsourcing to cloud services providers.

In general, the laws and guidelines support the point of view that cloud computing involving third-party services qualifies as a form of outsourcing, and financial institutions in the Netherlands must address the associated risks before moving business activities to the cloud. These include:

  • The Financial Supervision Act (FSA) (Dutch and English), issued by the Dutch legislature in 2018, attaches conditions for financial institutions to control the risks associated with outsourcing and ensure that it doesn’t impede regulatory supervision.
  • The Circulaire Cloud Computing (Dutch and English), issued by the DNB, requires that before supervised Dutch institutions engage in cloud computing, they must inform the DNB of their prospective outsourcing arrangements to ensure that operational processes and risks are under control.

Using a template that the DNB provides, they must submit a mandatory risk analysis that includes:

  • An assessment regarding: compliance with current legislation, mutual understanding between the parties regarding the services offered, the stability and reliability of the service provider, where the services are to be provided, and the importance of and degree of reliance on the outsourced services.
  • Explicit attention to addressing risks associated with data integrity, confidentiality, and availability.

The Commission Delegated Regulation EU 2017/565 describes at great length the requirements for an outsourcing agreement between investment firms and cloud service providers.

Microsoft and the AFM and DNB

To help guide financial institutions in the Netherlands considering outsourcing business functions to the cloud, Microsoft has published a compliance checklist for financial institutions in the Netherlands. By reviewing and completing the checklist, financial organizations can adopt Microsoft business cloud services with the confidence that they are complying with applicable regulatory requirements.

When financial institutions in the Netherlands outsource business activities to the cloud, they must comply with the rules and guidelines of the Dutch Authority for Financial Markets (AFM) and the Central Bank of the Netherlands (DNB) within the broad policy framework of the European Banking Authority (EBA).

The Microsoft checklist helps financial firms in the Netherlands conducting due-diligence assessments of Microsoft business cloud services and includes:

  • An overview of the regulatory landscape for context.
  • A checklist that sets forth the issues to be addressed and maps Microsoft Azure, Microsoft Dynamics 365, and Microsoft 365 services against those regulatory obligations. The checklist can be used as a tool to measure compliance against a regulatory framework and provide an internal structure for documenting compliance, and help customers conduct their own risk assessments of Microsoft business cloud services.

Microsoft in-scope cloud services

How to implement

Frequently asked questions

Is regulatory approval required?

No. However, the Circulaire Cloud Computing states that the DNB expects supervised Dutch institutions to submit a risk analysis concerning prospective outsourcing arrangements before engaging in cloud computing.

Are there any mandatory terms that must be included in the contract with the cloud services provider?

Yes. The provisions and arrangements to be included in cloud contracts depend on the type of financial institution. Requirements, such as those described in Art. 31 of the Commission Delegated Regulation (EU) 2017/565, are set out in Part 2 of the checklist.

Resources