Can Banks move to Branchless Banking in Pakistan?

4.4.2(a) FI(s) can use cloud services for non-core operations and business support processes such as HR Modules, Procurement Functions, Non-Production Environment, Sandboxing, Inventory Management, Supply Chain Management, Office Productivity, Customer Relationship Management Tools (WhatsApp, Facebook etc.), Communication Tools, Security Tools, Computation and Processing Services, Data Analytics and Risk Modeling, Middleware and Payments Processing Services/ Platforms etc.

Microsoft is providing all the tools and software to work securely and also fulfilling the compliance requirement of SBP. They are providing the complete solution for branchless banking in Pakistan. They have a special team which investigates the requirement and fulfillment of financial institutions.

4.4.2(b) However, all other banking applications and allied infrastructure, which are used to store and process customers’ information relating to deposits, loans & credits, and details of balances & transactions in ledger accounts of customers/ borrowers, shall not be placed under cloud-based outsourcing arrangements.

You may create barrier between core operations and non-core operations data and only store the non-core operations data on the Microsoft cloud as per the requirement of SBP.

4.4.3(i) All cloud based outsourcing arrangements are undertaken through legally binding Service Level Agreements (SLAs)

4.4.3(ii) FI(s)’ data is encrypted at database level, storage level and during network transmission and shall be logically segregated from other data held by the CSPs

You can have multiple layers of encryption in place at the same time. For example, you can encrypt email messages and the communication channels through which your email flows. With Microsoft, your data is encrypted at rest and in transit, using several strong encryption protocols, and technologies that include Transport Layer Security/Secure Sockets Layer (TLS/SSL), Internet Protocol Security (IPsec), and Advanced Encryption Standard (AES).

4.4.3(iii) The arrangement does not contain a lock-in clause. In case of exit from cloud services, FI(s) shall have contractual rights to continue with the arrangement until such time, an FI is able to switch to a substitute arrangement.

You may cancel your subscription or terminate your accounts at any time even before end of your commitment. Microsoft is not legally bounding you to complete your term.

4.4.3(iv) Data transferability and portability from one CSP to another and its purging/ deletion in case of exit.

At Microsoft, their approach to the cloud is that the customer’s data is always their data – you own the data, and retain all rights, title, and interest in the data you store in any Microsoft cloud-based offering. This means you are free to do whatever you see fit with your data at any time.  They act as the “Data Processor” on the customer’s behalf, and the Customer remains the “data controller”.  As such, Microsoft will only act upon customer instructions.

4.4.3(v) CSP complies with SBP’s requirement for provision of data/ information relating to FI(s)’ operations.

Microsoft is fulfilling the compliance and security requirement as per required by the SBP. Your data is encrypted at rest and in transit, using several strong encryption protocols, and technologies that include Transport Layer Security/Secure Sockets Layer (TLS/SSL), Internet Protocol Security (IPsec), and Advanced Encryption Standard (AES).

4.4.3(vi) Disclosure of FI(s)’ data to any third-party by CSP is prohibited without approval of FI(s).

You trust that the privacy and confidentiality of the data you provide to Microsoft, data will be protected and that it will be used only in a way that is consistent with your expectations. To fulfill those expectations, Microsoft make these commitments to you and ground them in strong contractual guarantees.