Financial institutions and cloud service providers should be relieved following the release of MAS’ consultation on the proposed new outsourcing notice and updated guidelines.
The message to take from the consultation is that cloud services are OK, provided you follow MAS’ rules.
Background: why is this important?
MAS regulates the financial industry in Singapore. One of its main aims is to promote the financial industry in Singapore. This includes managing and regulating associated risks. Banks are some of the heaviest users of third-party services (in particular third-party IT services).
These services bring risks for banks. MAS (in its previous outsourcing guidelines, dating back to 2004) dealt with these risks by imposing requirements on banks to ensure that the services are secure, resilient, reliable and confidential (to name just some of the main areas).
Then came cloud services. Cloud services provide clear advantages for the financial industry (like any other industry): scalable IT solutions, cost and efficiency savings and (if using the right solution) high security standards. However, financial regulators in Singapore and in the region have been concerned about the risks associated with cloud services and banks have been reluctant to adopt cloud services because they believe their regulators might not approve. It isn’t clear how the existing rules apply to cloud services. Are cloud services secure enough? Is it OK to transfer customer data to service providers? Can banks use cloud service providers that are located overseas? What about a public cloud service provider/a multi-tenanted solution?
It is significant that one of the biggest users of IT services (the financial industry) isn’t fully adopting cloud.
Enter the new MAS guidelines (currently subject to public consultation)
MAS doesn’t use the word “cloud” expressly in its consultation. However, MAS has made important changes that are relevant to cloud services and, most importantly, amount to positive references to cloud services:
- An OK for SaaS, PaaS and IaaS: In Annex 1 of the proposed updated guidelines, MAS expressly lists “SaaS, PaaS and IaaS” as kinds of services that, when performed by a third party, would be regarded as outsourcing arrangements (and therefore subject to MAS’ notice and guidelines on outsourcing). Therefore, MAS is saying that cloud is a type of service that falls within outsourcing. The implication must be that financial institutions can use cloud services as long as the cloud services they adopt comply with the notice and guidelines on outsourcing.
- An OK to multi-tenancy arrangements: In sections 5.6.2 and 5.7.2 of the updated guidelines, MAS makes express reference to “multi-tenancy arrangements”. In a footnote MAS explains that “Multi-tenancy generally refers to a mode of operation adopted by service providers where a single computing infrastructure (e.g. servers, databases, etc.) is used to serve multiple customers (tenants).” MAS goes on to say that if a financial institution is using a multi-tenancy arrangement then it should pay particular attention to the ability of the arrangement to isolate and clearly identify the financial institution’s documents, data, information, etc. Again, therefore, the implication must be that financial institutions can use cloud services as long as the cloud services they adopt comply with the notice and guidelines on outsourcing. In sections 5.6.2 and 5.7.2, MAS has picked out certain areas where the financial institutions should pay particular attention if they are using cloud services. So this isn’t a “no” to cloud services but rather a “yes, but be careful”.
- An OK to transfers of customer information: The definition of a “material outsourcing arrangement” in the updated guidelines now expressly includes an arrangement “which involves customer information”. Most cloud services will involve customer information. The implication is that financial institutions can enter into outsourcing transactions that involve customer information and, therefore, can use cloud services, as long as the cloud services they adopt comply with the notice and guidelines on outsourcing. This means that MAS will consider most cloud services as a “material outsourcing arrangement” and so the additional requirements will apply to cloud services (e.g. notification to MAS, prior to committing to the cloud services).
- An OK to outsourcing outside of Singapore: In section 5.10 of the updated guidelines MAS deals with outsourcing outside of Singapore. This section has not really changed, but it is noteworthy that MAS recognises that “the engagement of a service provider in a foreign country… exposes an institution to country risk”. MAS does not say that a financial institution cannot outsource outside of Singapore. MAS points out that an outsourcing outside of Singapore carries additional risks that the financial institution must address. Many cloud services will (to varying extents) be provided from locations outside of Singapore. The implication is that a financial institution can carry out outsourcing outside Singapore, and therefore can use cloud services that are provided from locations outside of Singapore, as long as the cloud services they adopt comply with the notice and guidelines on outsourcing. This means that financial institutions must address the additional “country risks”.
Where Singapore goes…
These proposals are good news for cloud and good for the financial services industry in Singapore. If these positive messages are implemented in the final MAS guidelines, this should stem the reluctance of the financial industry to adopt cloud services. Of course, the rest of the MAS guidelines must be followed but at least it should become a question of how to do it rather than whether to do it.
If Singapore moves in this direction, this could be further good news for the rest of the region. It is often said that MAS acts as an unofficial lead financial regulator in the region. So other countries in the region, where cloud has also been slow to take off, will, hopefully, follow suit.