Malaysia is in the middle of accelerating digital technology and boosting the digital economy. The “Cloud First” strategy has been raised in Malaysia to promote adopting clouds in both the private and public sectors to enable rapid digital transformation in Malaysia. Malaysia's Digital Economy Corporation (MDEC) and regulators in sectors, such as banking and financial services, healthcare, and telecommunications, are reshaping the regulation and supervisory framework to keep up with the innovations and enable businesses to benefit from the use and adoption of cloud services.

Regulators:
The Department of Personal Data Protection (JPDP), an agency under the Ministry of Communications and Multimedia (KKMM), is responsible for enforcing and regulating PDPA in Malaysia.

General Privacy Laws:
The Personal Data Protection Act (PDPA) 2010 came into force in Malaysia on 15 November 2013 with the objective to regulate the processing of personal information to protect an individual’s personal data concerning commercial transactions.

Data Cross-Border Transfer Requirements:
Under PDPA, the transfer of personal data outside of Malaysia is restricted, unless that jurisdiction has been specified by the Minister. Currently, there is a proposed white list in the draft Personal Data Protection (Transfer of Personal Data to Places Outside Malaysia) Order 2017 ("Draft Order"). As the Draft Order is yet to be approved, cross-border data transfer can be performed based on a list of conditions:
1) The data subject has given consent to this transfer;
2) The transfer is necessary for the performance of a contract between the data subject and the data user;
3) The transfer is necessary to protect the vital interests of the data subject;
4) The data user has "taken all reasonable precautions and exercised all due diligence" to ensure that the personal data will not be processed in the recipient country in a way that would be a contravention of the PDPA.

Overview:
Alibaba Cloud offers a high degree of flexibility in designing and implementing the IT architecture on the cloud with two Availability Zones in Malaysia. With proper solution design, it can meet the requirements of security, resilience, recoverability, and performance for regulated entities in the Financial Services industry. Alibaba Cloud has helped several customers minimize the risks of losses in confidentiality, integrity, and availability when moving to a public cloud.

Alibaba Cloud is committed to facilitating the customers in compliance with the financial industry-specific regulatory requirements, including the initial high-level due diligence and risk assessment, solution selection, implementation and transition, and post-implementation assurance. Alibaba Cloud provides a full suite of offerings that can help, including responses in every due diligence evaluation aspect, best practices in services and product configuration, automated and continuous security check tools, as well as assurance over the design and operational effectiveness of internal controls.

Regulator:
Bank Negara Malaysia (BNM) is the central bank of Malaysia. It aims is to promote monetary and financial stability. The BNM is also responsible for maintaining financial system stability by developing a sound, resilient, progressive, and diversified financial sector.

Regulations/Guidelines to look at when using cloud computing services:
1.Risk Management in Technology

BNM issued the Risk Management in Technology (RMiT) Policy Document in June 2020, and updated it in June 2023. The RMiT has set out requirements for financial institutions regarding governance, technology risk management, operations management, and cybersecurity management. In the latest update of RMiT PD in June 2023, Appendix 10 on Key Risks and Control Measures for Cloud Services is added. This appendix provides additional guidance to financial institutions for the assessment of common key risks and considerations of control measures when financial institutions adopt public cloud for critical systems. The guidance is broadly applicable across various cloud service models and financial institutions should apply a risk-based approach in implementing the guidance.

2.Guidelines on Outsourcing

The BNM updated the Guidelines on Outsourcing arrangements for financial institutions in October 2019. The Guidelines on Outsourcing set out the requirements on management over outsourcing processes and risks for financial institutions. A comprehensive and robust due diligence process should be conducted by FIs over its outsourced service providers, including cloud service providers.

Is cloud permitted?
Yes.

Is there any additional approval needed?
BNM’s prior written approval needs to be obtained before entering into a new material outsourcing arrangement or making a significant change to an existing material outsourcing arrangement. For non-material outsourcing arrangements, financial institutions are required to maintain a complete, accurate and up-to-date register and make it available to BNM upon request.

Are offshore outsourcing arrangements allowed?
The BNM permits outsourcing outside of Malaysia on the conditions that the financial institutions address the additional risks (such as country risks) associated with overseas outsourcing arrangements, ensure the same level of abilities of monitoring service providers and business recovery in case of service providers’ failure, maintain BNM’s abilities of timely and unrestricted access to the systems, information or documents. Alibaba Cloud has two availability zones available in Malaysia, which is convenient for local financial institutions to utilize and manage to mitigate the risks associated with overseas outsourcing.