National Bank of Belgium (NBB) and the Financial Services and Markets Authority (FSMA)
About the NBB and FSMA
The NBB is responsible for prudential supervision of credit institutions, insurers, stockbrokers, and other financial organizations. As the central bank of Belgium, the NBB conducts monetary policy for Belgium and contributes to the stability of its financial system. Alongside the NBB, the FSMA supervises Belgian financial markets, financial service providers including investment firms, and supplemental pensions. Its tasks include oversight of the financial information that companies disseminate and the products they offer to consumers and their compliance with the rules of business conduct.
The NBB and FSMA act in concert with the European Banking Authority (EBA), 'an independent EU authority that works to ensure effective and consistent prudential regulation and supervision across the European banking sector.' To that end, the EBA has outlined a comprehensive approach to the use of cloud computing by financial institutions in the EU, Recommendations on outsourcing to cloud services providers.
There are several requirements and guidelines that financial institutions in Belgium should be aware of when moving business functions to the cloud, including:
- NBB Circular PPB 2004/5, Sound management practices in outsourcing by credit institutions and investment firms (Dutch and French), and the broadly equivalent provisions of the FSMA Circular 05-06.2007 (French and Dutch) on organizational requirements for firms providing investment services.
- Circular NBB 2009-17, Financial services via the Internet: Prudential requirements (English), examines outsourcing risks and sets out the requirements for internal control and management of those risks. It also discusses compliance with the financial rules of conduct and the potential impact of cross-border transactions in the cloud.
- Circular NBB 2015-32, Additional prudential expectations regarding operational business continuity, and security of systemically important financial institutions (Dutch and English), sets out management and security processes for institutions that play a critical role in the financial system, and whose disruption could jeopardize its proper functioning.
Microsoft and the NBB and FSMA
To help guide financial institutions in Belgium considering outsourcing business functions to the cloud, Microsoft has published A compliance checklist for financial institutions in Belgium. By reviewing and completing the checklist, financial organizations can adopt Microsoft business cloud services with the confidence that they are complying with applicable regulatory requirements.
When financial organizations in Belgium outsource business functions to the cloud, they must comply with the rules and guidelines of the National Bank of Belgium (NBB) and the Financial Services and Markets Authority (FSMA) within the broad policy framework of the European Banking Authority (EBA).
The Microsoft checklist helps financial firms in Belgium that are conducting due-diligence assessments of Microsoft business cloud services. It includes:
- An overview of the regulatory landscape for context.
- A checklist that sets forth the issues to be addressed and maps Microsoft Azure, Microsoft Dynamics 365, and Microsoft 365 services against those regulatory obligations. The checklist can be used as a tool to measure compliance against a regulatory framework and provide an internal structure for documenting compliance, and help customers conduct their own risk assessments of Microsoft business cloud services.
Microsoft in-scope cloud platforms & services
How to implement
- Compliance checklist: Belgium: Financial institutions can get help in conducting risk assessments of Microsoft cloud services.
- Risk Assessment & Compliance Guide: Create a governance model for risk assessment of Microsoft cloud services, and regulator notification.
- Financial use cases: Use case overviews, tutorials, and other resources to build Azure solutions for financial services.
Frequently asked questions
Is regulatory approval required?
No. However, financial institutions must notify the NBB and FSMA in the event of a disruption in an outsourcing arrangement that has the potential to materially impact the institution's business operations, reputation, or profitability, or its ability to manage risk and comply with applicable laws and regulations.
Are there any mandatory terms that must be included in the contract with the cloud services provider?
Yes. There are specific points that financial institutions must be sure to incorporate in their cloud services contracts. Part 2 of the Microsoft checklist (page 49) maps these against the sections in the Microsoft contractual documents where they are addressed.
Use Microsoft Purview Compliance Manager to assess your risk
Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.