The updated guide offers best practices to ensure resiliency and recoverability while maximising the benefits financial institutions (FIs) derive from cloud outsourcing arrangements, including for ‘critical systems’.
The ABS (Association of Banks in Singapore) has updated its implementation guide for use by FIs when entering into and managing cloud outsourcing arrangements.
The updated guide follows 18 months of research and three months of cross-industry consultation with cloud service providers, FIs and the MAS (Monetary Authority of Singapore), which saw the review of 365 individual pieces of feedback.
It represents a “substantial revision” from the June 2016 guide, taking into account advancements in technology and the evolution of market practices since the initial release, the ABS said in a statement.
“As one of the top financial hubs in the region, it is crucial that the financial industry seizes the cost and risk reduction opportunities offered by cloud computing services,” said ABS director Mrs Ong-Ang Ai Boon.
She added that partnerships with cloud service providers strengthen the technology and operational resilience of individual institutions, due to their ability to scale on demand to support fluctuating workloads.
The updated guide seeks to further support the migration of material workloads to the cloud – including for systems of record and those classified by the MAS as ‘critical systems’ – and to help service providers better understand what is required in their arrangements with FIs.
The guiding principle is that “controls in the Cloud must be at least as strong as those which the FIs would have implemented had the operations been performed in-house,” it says.
The guide sets out the key characteristics for categorising material and non-material cloud outsourcing arrangements, allowing FIs to assess the inherent risk profile of a cloud outsourcing arrangement and ensure appropriate controls are in place.
It also contains enhanced guidance for conducting due diligence of cloud service providers and their sub-contracting arrangements, specifying that expectations should be contractually agreed regarding operational contract and SLA management, technology risk, business continuity and exit plans.
Contracts with service providers should also include provisions relating to data confidentiality, control and ownership, and policies regarding data transfers and retention, particularly where multi-tenancy and/or data commingling arrangements or practices are adopted by the provider.
The guide also details approaches and considerations for FIs to help them govern, design, secure and operate cloud-based systems. This includes best practices around risk oversight, accountability, governance and staff skills management, to ensure resiliency and recoverability while maximising the benefits derived from cloud outsourcing arrangements.
The implementation guide is available here.
While the guide is not mandatory, the MAS has recently proposed revisions that would allow it to impose requirements on banks and merchant banks in relation to the way they enter into, govern and report on outsourcing arrangements.
Under the proposals, the MAS would also have the right to inspect or audit service providers and their sub-contractors, and terminate outsourcing agreements under specified circumstances.