Oracle Fusion Cloud Applications Suite achieved a Type 2 attestation for BaFin on October 7, 2022.

Schellman & Company, LLC completed an examination to assess Oracle Fusion Cloud internal controls against the criteria within the Bundesanstalt für Finanzdienstleistungsaufsicht (“BaFin ”) regulations for information security and risks related to outsourcing (“BaFin regulations”). The examination covers the period from July 1, 2021 to June 30, 2022. The examination focused on Oracle’s information security program supporting Oracle Fusion Cloud Applications Suite, including Oracle Fusion Cloud Enterprise Performance Management (EPM), and Oracle European Union Restricted Access (EURA) Cloud Service for Oracle Fusion Applications and Oracle Cloud EPM and related Oracle controls that assist Oracle customers in meeting their own requirements set forth in the BaFin regulations. Oracle itself is not directly subject to compliance with BaFin requirements.

Schellman conducted the examination in accordance with attestation standards established by the AICPA SSAE 18, Attestation Standards: Clarification and Recodification and in accordance with ISAE 3000, Assurance Engagements Other than Audits or Reviews of Historical Financial Information, issued by the International Auditing and Assurance Standards Board. Based on the examination, Schellman did not identify any testing exceptions for Oracle’s controls related to how customers subject to the BaFin regulations may be compliant when using the Oracle Fusion Applications, Oracle Cloud EPM, and Oracle EURA Cloud Service for Oracle Fusion Applications and Oracle Cloud EPM, as noted in their opinion dated October 7, 2022. Schellman compiled a formal report following the examination.

The report covers selected requirements of the following regulations:

• Banking Act of the Federal Republic of Germany (KWG);
• Insurance Supervision Act of the Federal Republic of Germany (VAG);
• Guidance on outsourcing to cloud service providers;
• Minimum Requirements for Risk Management (MaRisk);
• Minimum Requirements under Supervisory Law on the System of Governance of Insurance Undertakings (MaGO);
• Supervisory Requirements for IT in Financial Institutions (BAIT);
• Supervisory Requirements for IT in German Asset Managers (KAIT); and
• Supervisory Requirements for IT in Insurance Undertakings (VAIT).

Customers are solely responsible for determining the suitability of a cloud service in the context of BaFin. The information in the report compiled by Schellman is provided to aid German financial services customers in their evaluation of Oracle Fusion Applications. The reports are available both in English and German.

Please reach out to your Sales Representative and/or Account Manager to request access to the attestation report. To learn more of our compliance activities, check out the Compliance page on our website and Compliance Considerations for Cloud Services blogpost.