On 28th of September 2020 the State Bank of Pakistan issued a circular announcing that financial institutions in Pakistan may now use cloud services to store their non-core data. In this article we discuss why banks in Pakistan use Microsoft 365 as their cloud service provider and how it fulfills all of SBP's requirements.
The guidelines apply to all outsourcing arrangements entered into by commercial banks, Islamic banks, and standalone Islamic banking branches.
State Bank’s Requirements
4.4.2(a) FI(s) can use cloud services for non-core operations and business support processes such as HR Modules, Procurement Functions, Non-Production Environment, Sandboxing, Inventory Management, Supply Chain Management, Office Productivity, Customer Relationship Management Tools (WhatsApp, Facebook etc.), Communication Tools, Security Tools, Computation and Processing Services, Data Analytics and Risk Modeling, Middleware and Payments Processing Services/ Platforms etc.
Microsoft provides all the tools and software needed to work securely and also fulfills SBP's compliance requirements. It provides a complete solution for banks, and it has a special team that looks into the requirements of financial institutions and how to fulfill them.
4.4.2(b) However, all other banking applications and allied infrastructure, which are used to store and process customers’ information relating to deposits, loans & credits, and details of balances & transactions in ledger accounts of customers/ borrowers, shall not be placed under cloud-based outsourcing arrangements.
You may create a barrier between core-operations data and non-core-operations data and store only the non-core-operations data on the Microsoft cloud, as SBP requires.
4.4.3(i) All cloud based outsourcing arrangements are undertaken through legally binding Service Level Agreements (SLAs)
Microsoft provides a guarantee of 99.999% uptime. Microsoft financially backs its commitment to achieve and maintain the service levels for each service. If it does not achieve and maintain the service levels for each service as described in the Service Level Agreement, you might be eligible for a credit towards a portion of your monthly service fees. To learn more about the Service Level Agreements for the services, download the Service Level Agreement for Microsoft Online Services.
4.4.3(ii) FI(s)’ data is encrypted at database level, storage level and during network transmission and shall be logically segregated from other data held by the CSPs
You can have multiple layers of encryption in place at the same time. For example, you can encrypt email messages and the communication channels through which your email flows. With Microsoft, your data is encrypted at rest and in transit, using several strong encryption protocols, and technologies that include Transport Layer Security/Secure Sockets Layer (TLS/SSL), Internet Protocol Security (IPsec), and Advanced Encryption Standard (AES).
4.4.3(iii) The arrangement does not contain a lock-in clause. In case of exit from cloud services, FI(s) shall have contractual rights to continue with the arrangement until such time, an FI is able to switch to a substitute arrangement.
You may cancel your subscription or terminate your accounts at any time, even before the end of your commitment. Microsoft does not legally bind you to complete your term.
4.4.3(iv) Data transferability and portability from one CSP to another and its purging/ deletion in case of exit.
Microsoft's approach to the cloud is that the customer's data is always the customer's data: you own the data and retain all rights, title, and interest in the data you store in any Microsoft cloud-based offering. This means you are free to do whatever you see fit with your data at any time. Microsoft acts as the "data processor" on the customer's behalf, and the customer remains the "data controller". As such, Microsoft will only act upon customer instructions.
4.4.3(v) CSP complies with SBP’s requirement for provision of data/ information relating to FI(s)’ operations.
Microsoft fulfills the compliance and security requirements as required by SBP. Your data is encrypted at rest and in transit, using several strong encryption protocols and technologies that include Transport Layer Security/Secure Sockets Layer (TLS/SSL), Internet Protocol Security (IPsec), and Advanced Encryption Standard (AES).
4.4.3(vi) Disclosure of FI(s)’ data to any third-party by CSP is prohibited without approval of FI(s).
You trust that the privacy and confidentiality of the data you provide to Microsoft will be protected and that the data will be used only in a way that is consistent with your expectations. To fulfill those expectations, Microsoft makes these commitments to you and grounds them in strong contractual guarantees.
The Impact of Cloud Computing on the Banking Sector
Due to security and organizational concerns, banks are the first to stay at the front of technological advances. Despite many challenges, Pakistani banks are slowly starting to move toward cloud computing. The scalability of the cloud means that banks may scan thousands of transactions per second, which will improve the ability of the industry. Some banks are moving heavily into this technology, but there is still plenty of room for growth.
The three key drivers for banks to adopt cloud computing are:
Since SBP allows banks to store non-core applications in the cloud, Pakistani banks may take real advantage of this opportunity and start saving considerably while keeping all the data safe and secure using the Microsoft cloud.
Speaking to the Financial Times in April, Microsoft stated “It believed that the key to successful cloud adoption in financial services will be a tight partnership between regulators, financial institutions and cloud providers to ensure that the right frameworks, programs and processes are in place as financial services providers increase their usage of cloud services.”