Financial Supervisory Authority (FSA) Denmark

About the FSA

The Financial Supervisory Authority (Finanstilsynet), under the Ministry of Industry, Business, and Financial Affairs, is the financial regulatory authority of the Danish government. Its principal role is to prepare regulatory guidelines for financial institutions in Denmark and monitor their compliance, as well as cooperate with regional and international authorities and regulators.

The FSA acts in concert with the European Banking Authority (EBA), 'an independent EU authority, which works to ensure effective and consistent prudential regulation and supervision across the European banking sector.' To that end, the EBA has outlined a comprehensive approach to the use of cloud computing by financial institutions in the EU, Recommendations on outsourcing to cloud services providers.

There are several guidelines that financial institutions in Denmark should be aware of when moving business functions to the cloud. In general, they prescribe contractual requirements for both financial institutions and cloud service providers to help ensure that financial organizations can adequately monitor and audit the outsourced functions. These include guidelines issued by the Ministry of Industry, Business, and Financial Affairs:

  • The Danish Act on Financial Institutions (Danish)
  • The Executive Order 1304 on outsourcing of significant areas of activity (Danish and English) and the accompanying Guideline (Danish)
  • Guidance on the use of cloud services as part of IT–outsourcing (Danish) issued by the FSA.

Microsoft and the FSA

To help guide financial institutions in Denmark considering outsourcing business functions to the cloud, Microsoft has published a compliance checklist for financial institutions in Denmark. By reviewing and completing the checklist, financial organizations can adopt Microsoft business cloud services with the confidence that they're complying with applicable regulatory requirements.

When Danish financial institutions outsource business activities they must comply with the requirements of the Financial Supervisory Authority (FSA), and work within the broad policy framework of the European Banking Authority (EBA). Specifically, those requirements focus on how contractual agreements between financial services and cloud providers can ensure adequate control of outsourced activities.

The Microsoft checklist helps Danish financial firms conducting due-diligence assessments of Microsoft business cloud services and includes:

  • An overview of the regulatory landscape for context.
  • A checklist that sets forth the issues to be addressed and maps Microsoft Azure, Microsoft Dynamics 365, and Microsoft 365 services against those regulatory obligations. The checklist can be used as a tool to measure compliance against a regulatory framework and provide an internal structure for documenting compliance, and help customers conduct their own risk assessments of Microsoft business cloud services.

Microsoft in-scope cloud platforms & services

How to implement

  • Compliance checklist: Denmark: Financial firms can get help in conducting risk assessments of Microsoft business cloud services.
  • Financial use cases: Use case overviews, tutorials, and other resources to build Azure solutions for financial services.

Frequently asked questions

Is regulatory approval required?

No. The FSA doesn't approve outsourcing and the outsourcer (or cloud service provider) is, therefore, not required to obtain advance approval from the FSA. However, the FSA does specify that the outsourcer must notify it no later than eight business days after entering into an outsourcing agreement. The notification must be made in writing using a form specified by the FSA.

Are there any mandatory terms that must be included in the contract with the cloud services provider?

Yes. The Executive Order on Outsourcing of Significant Areas of Activity (and the accompanying Guideline) stipulates some specific points that financial institutions must incorporate in their cloud services contracts. Part 2 of the Microsoft checklist (page 48) maps these points against the sections in the Microsoft contractual documents where they're addressed.