Singapore has been dedicated to Smart Nation transformation since 2014 by developing technologies and encouraging innovations in key domains, including health, transport, urban solutions, finance, and education. In the digital era, the government agencies together with every industry took initiatives from regulatory perspectives to support and drive digital technology adoption. A strong infrastructure will be the foundation of all the plans and projects, which makes cloud computing technologies one of the critical enablers in the digital revolution journey.

Regulators:
The Personal Data Protection Commission regulates personal data protection in Singapore.

General Privacy Laws:
PDPA - Personal data in Singapore is protected under the Personal Data Protection Act 2012 (PDPC). The PDPC establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. The PDPC released a guide on the use of cloud services in October 2019 (revised May 2022). Please click here to read the guidelines on Cloud Services topic.

Data Cross-Border Transfer Requirements:
The PDPA contains offshore personal data transfer restrictions. The requirements include
1) The receiving organization has “comparable protection” in place as set in the Act, and;
2) There are written data transfer agreements in place, so that the recipient is bound by legally enforceable obligations, and;
3) The individual has given deemed or express consent to such transfer.

Overview:
Alibaba Cloud offers a high degree of flexibility in designing and implementing the IT architecture on the cloud with three Availability Zones in Singapore. With proper solution design, it can meet the requirements of security, resilience, recoverability, and performance for regulated entities in the Financial Services industry. Alibaba Cloud has helped several customers minimize the risks of losses in confidentiality, integrity, and availability when moving to a public cloud.
Alibaba Cloud is committed to facilitating the customers in compliance with the financial industry-specific regulatory requirements, including the initial high-level due diligence and risk assessment, solution selection, implementation and transition, and post-implementation assurance. Alibaba Cloud provides a full suite of offerings that can help, including responses in every due diligence evaluation aspect, best practices in services and product configuration, automated and continuous security check tools, as well as assurance over the design and operational effectiveness of internal controls.

Regulator:
Singapore's central bank, the Monetary Authority of Singapore (MAS), regulates financial institutions, including banking and non-banking institutions.

Regulations/Guidelines to look at when using cloud computing services:

The MAS Guidelines on Technology Risk Management set out principles and best practices for Financial Institutions (FIs) to establish a sound and robust technology risk management framework to make sure that IT systems and networks are capable of supporting the FI’s business transactions as well as protecting the consumer data and payments.

The MAS Guidelines on Outsourcing provide guidance and recommendations on prudent practices on risk management of outsourcing. An adequate outsourcing risk management framework is expected to be in place for the risk-mitigating purpose during the oversight and management of outsourcing arrangements. This is applicable only to financial institutions that are banks and merchant banks in Singapore.

The MAS Guidelines on Outsourcing provide guidance and recommendations on prudent practices on risk management of outsourcing specifically targetted at all Financial Institutions with the exceptions of banks and merchant banks.

The Business Continuity Management Guidelines encourage FIs to adopt sound Business Continuity Management frameworks to minimize the impact on businesses due to operation disruptions and to ensure the continuity of the critical business functions. With IT outsourcing, the FIs business continuity should not be compromised or hindered.

Is cloud permitted?
Yes.

Is there any additional approval needed?
FIs need to maintain an updated register of all existing outsourcing arrangements in the format as per the template available on the MAS website. The updated register has to be submitted to MAS annually or upon request. MAS will assess the adequacy of the FIs observance of the outsourcing guidelines.

Are offshore outsourcing arrangements allowed?
The MAS does not restrict the FIs from outsourcing services to service providers in a foreign country. However, more risks, including country risks (political, social, economic conditions), as well as the level of legal and regulatory requirements in the foreign country, need to be taken into consideration during the due diligence process. Moreover, though the information and data can be moved to a foreign country, it should not hinder the MAS’s right to retrieve such information or to perform auditing/supervising over the FIs business operations

Overview:
Singapore government announced the plan to revamp existing IT infrastructure to embrace cloud computing technologies in 2018, and built Government Commercial Cloud System (GCCS) since then. Less sensitive government’s IT systems have been moving to GCCS, taking advantages of the cloud infrastructure and delivering better digital services to the public.

GCCS is a commercial cloud computing platform designed for less sensitive (aka, up to Restricted classification) Government systems. Yet agencies have the option to subscribe cloud computing platform other than GCCS for official open systems or data.

Are Government Agencies Allowed to Use Alibaba Cloud?
Agencies can subscribe to Alibaba Cloud services for Official-Open systems with Non-Sensitive data used by agency offices. Alibaba Cloud provides solutions of tokenization to prevent moving your sensitive data to public cloud computing environment.

What are the Relevant Government Policies When Agencies Using Public Cloud Services?
Agencies are required to comply with the estipulate clauses in Policy for Systems using Commercial Cloud and the list of clauses indicated in ANNEX C - Applicable IM8 clauses for commercial cloud. Alibaba Cloud is able to comply with the applicable requirements or provides security features to help agencies in complying the relevant requirements.

How does Alibaba Cloud Comply with Government Policies?
Alibaba Cloud complies with applicable requirements in Policy for Systems Using Commercial Cloud. Meanwhile, Alibaba Cloud provides security measures enabling agencies in complying with the requirements. Please refer to FAQs about Public Cloud Services for Singapore Government Agencies for details.