There should be relief at the moment felt by financial institutions and cloud service providers alike, following the release of the MAS’s consultation on the proposed new outsourcing notice and updated guidelines as mentioned in Rob’s previous post.
The MAS doesn’t use the word “cloud” expressly in its consultation. However, the MAS has made important changes to the outsourcing guidelines. The changes are relevant to cloud services and, most importantly, there are positive references to cloud services. Cloud is OK provided you follow MAS’s rules.
- An OK for SaaS, PaaS and IaaS. In Annex 1 of the proposed updated guidelines, the MAS expressly lists “SaaS, PaaS and IaaS” as kinds of services that, when performed by a third party, would be regarded as outsourcing arrangements (and therefore subject to the MAS’s notice and guidelines on outsourcing). Therefore, the MAS is saying that cloud is a type of service that falls within outsourcing. The implication must be that financial institutions can use cloud services as long as the cloud services they adopt comply with the notice and guidelines on outsourcing.
- An OK to multi-tenancy arrangements. In sections 5.6.2 and 5.7.2 of the updated guidelines, the MAS makes express reference to “multi-tenancy arrangements”. In a footnote the MAS explains that “Multi-tenancy generally refers to a mode of operation adopted by service providers where a single computing infrastructure (e.g. servers, databases etc.) is used to serve multiple customers (tenants).” The MAS goes on to say that if a financial institution is using a multi-tenancy arrangement then it should pay particular attention to the ability of the arrangement to isolate and clearly identify the financial institution’s documents, data, information etc. Again, therefore, the implication must be that financial institutions can use cloud services as long as the cloud services they adopt comply with the notice and guidelines on outsourcing. In sections 5.6.2 and 5.7.2, the MAS has picked out certain areas where the financial institutions should pay particular attention if they are using cloud services. So this isn’t a “no” to cloud services but rather a “yes, but be careful”.
- An OK to transfers of customer information. The definition of a “material outsourcing arrangement” in the updated guidelines now expressly includes an arrangement “which involves customer information”. Most cloud services will involve customer information. The implication is that financial institutions can enter into outsourcing transactions that involve customer information and, therefore, can use cloud services, as long as the cloud services they adopt comply with the notice and guidelines on outsourcing. This means that the MAS will consider most cloud services as a “material outsourcing arrangement” and so the additional requirements will apply to cloud services (e.g. notification to the MAS, prior to committing to the cloud services).
- An OK to outsourcing outside of Singapore. In section 5.10 of the updated guidelines the MAS deals with outsourcing outside of Singapore. This section has not really changed but it is noteworthy that the MAS recognises that “the engagement of a service provider in a foreign country… exposes an institution to country risk”. The MAS does not say that a financial institution cannot outsource outside of Singapore. The MAS points out that an outsourcing outside of Singapore carries additional risks that the financial institution must address. Many cloud services will (to varying extents) be provided from locations outside of Singapore. The implication is that a financial institution can carry out outsourcing outside Singapore, and therefore can use cloud services that are provided from locations outside of Singapore, as long as the cloud services they adopt comply with the notice and guidelines on outsourcing. This means that financial institutions must address the additional “country risks”.
In summary, these are positive steps for customers and service providers of cloud services. As the proposed new guidelines currently stand, the MAS has decided not to call out cloud services in much detail. Instead the MAS seems to be moving towards accepting cloud services as just another service delivery model, rather than as something that needs additional regulation or treatment. This is good news.
Apart from cloud, the new notice and update guidelines should be welcomed. There are some points that the MAS should be asked to clarify and now’s the time to do that – more on these points in our next blog. However, overall, these proposals are good for cloud and good for the financial services industry in Singapore.