Banks in Asia are increasingly aware of the potential of cloud computing to reduce the costs and enhance the flexibility of their information technology infrastructure, and many are turning to cloud solutions in areas such as software development or customer relationship management. However, the security concerns and regulatory restrictions surrounding sensitive customer and financial data make service-based IT approaches to governance, finance, risk and compliance (GFRC) less common.
While these concerns will remain top of mind for most banks, MAS has helped dispel some of the uncertainty around outsourcing and cloud-based models in the GFRC context, with the inclusion of guidance on cloud computing services in its updated guidelines on managing the risks associated with outsourcing. This is a welcome development that should pave the way for greater adoption of these services - and hence a more efficient and cost-effective approach to GFRC - among financial institutions.
A blueprint for safer outsourcing
MAS’s new guidelines on cloud computing services are the result of an extensive two-year consultation process and are designed to better reflect the increasing prevalence and complexity of outsourcing arrangements since standards were first introduced in 2004. Among the key changes are the removal of the expectation for financial institutions to notify MAS in advance of any material outsourcing arrangement. This is an outsourcing arrangement that in the event of a failure or security breach has the potential to significantly affect a bank’s operations, reputation, profitability, or risk and compliance practices - and also, under the updated guidelines, control over some kinds of customer information.
The guidelines call for senior management to evaluate the risks associated with outsourcing arrangements and develop policies in response. They also instruct banks to:
conduct comprehensive due diligence on service providers;
put outsourcing agreements in place that clearly define responsibilities as well as dispute resolution, incident reporting and disaster recovery procedures;
allow for audits and inspections, including by MAS;
avoid outsourcing via providers in jurisdictions where MAS may be denied access to relevant information, or that are subject to significant political or economic risks.
Institutions should also maintain a register of current outsourcing arrangements based on a MAS template that could serve as a ‘checklist’ for the risk management process, with sections covering the above areas and for the assessment of service provider substitutability (please see diagram 1 for our interpretation of the data points that may be needed).
Diagram 1: A potential MAS outsourcing ‘checklist’
Source: Wolters Kluwer
Recognition for cloud computing
Significantly, the updated guidelines contain a new section on cloud computing services. These make it clear that MAS considers cloud services a form of outsourcing that institutions can use to enhance their operations and efficiency. The guidelines also state that the risks posed by cloud computing are similar to those inherent in other outsourcing arrangements, and that institutions should adhere to the same mitigation principles in working with cloud providers, maintaining a degree of oversight and ensuring external partners are capable of identifying, segregating and securing customer data.
Given the recent global and regional proliferation of regulatory requirements, the temptation may be to view the updated guidelines as just another compliance framework banks have to contend with. But in our view they represent sound best practices to follow in any outsourcing case, and are more forward-looking and potentially transformative than restrictive.
According to recent research by the Asia Cloud Computing Association, the region leads the world in terms of cloud readiness, based on factors such as international connectivity, broadband Internet quality and datacentre risk1. And within Asia, Singapore stands out for its focus on and investments in a platform for the safe and efficient delivery of cloud and ‘on-demand’ technology services, evident in the establishment of its new Cyber Security Agency and the Smart Nation Singapore initiative.
There is therefore no doubt that Asia, and Singapore in particular, has the technical infrastructure for financial institutions to adopt cloud computing services for GFRC as well as other processes - and therefore reduce IT costs via a ‘pay-per-use’ model that allows them to rapidly scale resources up or down depending on demand. However, up to this point the corresponding regulatory understanding and infrastructure has been lacking. MAS’s move is one step in addressing this gap and demonstrates an openness to the cloud model that other regulators are likely to emulate.
Research carried out by Wolters Kluwer suggests that about 30% of financial institutions in Singapore now hope to leverage cloud-based technology for GFRC within the next three years - vs close to 0% in 2013. The new MAS guidelines will provide the impetus for more institutions to act on this ambition.