Certain banking applications: SBP restricts FIs from using cloud-based outsourcing arrangements

KARACHI: The State Bank of Pakistan (SBP) has restricted financial institutions (FIs) from using cloud-based outsourcing arrangements for certain banking applications and allied infrastructure, which are used to store and process customers' information relating to deposits, loans & credits, etc.

Enterprise Technology Governance and Risk Management Framework for Financial Institutions (FIs) was issued in 2017 and later in 2019, Framework for Risk Management in Outsourcing Arrangements by Financial Institutions was resealed.

Now, the SBP has decided to enhance the scope of outsourcing to Cloud Service Providers (CSPs) for Financial Institutions (banks, DFIs and microfinance banks) and accordingly some sections of Enterprise Technology Governance and Risk Management Framework for Financial Institutions (FIs) has been substituted.

As per fresh directives, the Board IT Committee will approve all cloud-based outsourcing arrangements in line with the policy approved by the board. Further, FIs can avail all types of cloud service models including Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), etc, from domestic and offshore CSPs.

As per parameters, FIs can use cloud services for non-core operations and business support processes such as HR Modules, Procurement Functions, Non-Production Environment, Sandboxing, Inventory Management, Supply Chain Management, Office Productivity, Customer Relationship Management Tools (WhatsApp, Facebook, etc), Communication Tools, Security Tools, Computation and Processing Services, Data Analytics and Risk Modeling, Middleware and Payments Processing Services/Platforms etc.

However, all other banking applications and allied infrastructure, which are used to store and process customers' information relating to deposits, loans & credits and details of balances & transactions in ledger accounts of customers/borrowers, will not be placed under cloud-based outsourcing arrangements.

Under the Internal Controls in Cloud Outsourcing arrangements, while entering into outsourcing arrangement with CSPs, FIs will ensure that all cloud based outsourcing arrangements are undertaken through legally binding Service Level Agreements (SLAs) and FIs' data is encrypted at database level, storage level and during network transmission and shall be logically segregated from other data held by the CSPs.

In addition CSP complies with SBP's requirement for provision of data/information relating to FIs' operations and disclosure of FIs' data to any third-party by CSP is prohibited without approval of FIs.

According to the SBP, notwithstanding the instruction contained in section IX (h) of 'Framework for Risk Management in Outsourcing Arrangements by Financial Institutions', subcontracting is allowed in outsourcing arrangements with CSPs provided they will comply with all relevant laws and the SBP's regulations.

FIs will ensure that their internal/external auditors and SBP have right to conduct audit and on-site inspection of the CSP or its subcontractor. Further, there should be no restriction or prohibition on visit by audit or SBP staff or such visits are otherwise not impractical.

In case, where audit cannot be conducted for a valid reason, FIs may rely on internationally recognized third party certifications and reports made available by CSP. However, reliance on these third party certifications and reports shall be supported by adequate understanding and review of the scope, the methodology applied therein and the ability of third party and CSP to clarify matters relating to the audit. These reports will be shared with SBP as and when required.

The SBP said that henceforth, all outsourcing arrangements to cloud service providers by FIs will be governed under the substituted sections of 'Enterprise Technology Governance and Risk Management Framework for Financial Institutions'."

Copyright Business Recorder, 2020