MAS issues new guidelines on cloud services

The Monetary Authority of Singapore (MAS) has issued new guidelines for financial institutions on risk management practices in outsourcing in general.
ST PHOTO: LIM YAOHUI

SINGAPORE - Financial institutions using Internet cloud services will now have to check risk factors such as the integrity and confidentiality of the cloud service they use.

The Monetary Authority of Singapore (MAS) on Wednesday issued new guidelines for financial institutions on risk management practices in outsourcing in general - including a new section that covers the use of cloud services.

The move is timely as a growing number of financial institutions are turning to cloud technology to fulfil their business and operational requirements.

The MAS, in its guidelines, said it considers cloud services operated by service providers as a form of outsourcing - and that the types of risks in this regard are not distinct from those associated with other outsourcing arrangements.

"While outsourcing can bring about cost and other benefits, it may increase the risk profile of an institution," it said.

The MAS said that institutions should be aware of the typical characteristics of cloud services, such as multi-tenancy, data commingling and the higher propensity for processing to be carried out in multiple locations.

"Hence, institutions should take active steps to address the risks associated with data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance and auditing," it said.

"In particular, institutions should ensure that the service provider possesses the ability to clearly identify and segregate customer data using strong physical or logical controls. The service provider should have in place robust access controls to protect customer information and such access controls should survive the tenure of the contract of the cloud services."

The MAS added that institutions are ultimately responsible and accountable for maintaining oversight of cloud services and managing their related risks.

"A risk-based approach should be taken by institutions to ensure that the level of oversight and controls are commensurate with the materiality of the risks posed by the cloud services," it said.

Other key changes to the guidelines include a revised definition of the term "material outsourcing arrangement" to include, under certain circumstances, an arrangement that involves customer information. Financial institutions are also no longer required to pre-notify the MAS of material outsourcing arrangements.

The new guidelines follow an industry and public consultation carried out in the latter half of 2014.

The Association of Banks has expressed support for the MAS' guidance on cloud computing in the revised guidelines. "We welcome the clarity that MAS has provided on the increasingly popular practice of using remote computing resources hosted on the Internet to store, manage and process data," ABS director Mrs Ong-Ang Ai Boon said. "ABS, representing the financial services industry, has been working closely with the MAS on a set of operational cloud computing guidelines, and will be hosting an industry briefing next week."

tsjwoo@sph.com.sg