MAS issues new guidelines on cloud services

The logo of the Monetary Authority of Singapore is seen on its main building in Singapore on May 24.
The logo of the Monetary Authority of Singapore is seen on its main building in Singapore on May 24. PHOTO: REUTERS

Financial institutions to be accountable for maintaining oversight of such services and managing related risks

Financial institutions using Internet cloud services will now have to check risk factors such as the integrity and confidentiality of the cloud service they use.

The Monetary Authority of Singapore (MAS) yesterday issued new guidelines for financial institutions on risk management practices in outsourcing in general - including a new section that covers the use of cloud services.

The move is timely as a growing number of financial institutions are turning to cloud technology to fulfil their business and operational requirements.

The MAS, in its guidelines, said it considers cloud services operated by service providers as a form of outsourcing - and that the types of risks in this regard are not distinct from those associated with other outsourcing arrangements.

"While outsourcing can bring about cost and other benefits, it may increase the risk profile of an institution," it said.

The MAS said that institutions should be aware of the typical characteristics of cloud services and take steps to address the risks associated with data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance and auditing.

In particular, institutions should ensure that the service provider has the ability to clearly identify and segregate customer data using strong physical or logical controls, along with robust access controls to protect customer information.

The MAS added that institutions are ultimately responsible and accountable for maintaining oversight of cloud services and managing its related risks.

"A risk-based approach should be taken by institutions to ensure that the level of oversight and controls are commensurate with the materiality of the risks posed by the cloud services," it said.

Other key changes to the guidelines include a revised definition of the term "material outsourcing arrangement" to include, under certain circumstances, an arrangement that involves customer information. Financial institutions are also no longer required to pre-notify the MAS of material outsourcing arrangements.

The new guidelines follow an industry and public consultation carried out in the latter half of 2014 .

MAS deputy managing director Ong Chong Tee said the new guidelines build on existing ones to "better capture evolving threats such as offshoring business models and heightened cyber risks".

Mr Rohit Joshi, managing director and head of global liquidity and cash management at HSBC Singapore, noted that the new guidelines from MAS mark the "latest in a string of measures to facilitate an increasingly digitalised Singapore economy".

"The move towards support of responsible cloud solutions adoption will spur more innovation and speed of delivery for corporates which will ultimately assist them in cost efficiencies and potentially better profit margins," he said.

Separately, DBS Bank yesterday announced it has inked an agreement with leading infrastructure provider Amazon Web Services (AWS) to use its cloud technology to improve the bank's existing data centres. The bank will be using AWS' cloud technology in its treasury and markets business for the pricing and valuing of financial instruments for risk management, which requires extensive computing power. It expects to shift up to 50 per cent of its computer workload to the cloud in the next two years, which will bring about "dramatic cost savings, increased resilience and the ability to rapidly respond to customer demand".

A version of this article appeared in the print edition of The Straits Times on July 28, 2016, with the headline 'MAS issues new guidelines on cloud services'. Print Edition | Subscribe