Pathways to Regulatory Compliance in Your Cloud Journey - Malaysia

References for security and compliance professionals in the financial sector

The Regulatory Environment in Malaysia

Malaysia is one of the fastest growing economies in ASEAN and is adapting to a rapidly changing financial market. Bank Negara Malaysia (BNM), the central bank of Malaysia, established the Financial Technology Enabler Group (FTEG) in June 2016 to support the development of FinTech in Malaysia, and the Malaysia Digital Economy Corporation (MDEC), a government-owned agency, drives the country's digital economy.

A “Cloud First” strategy has been put forward to promote cloud adoption in both the private and public sectors in Malaysia and so accelerate its digital economy. The BNM is reshaping its regulatory and supervisory framework from a technology risk management perspective to keep pace with innovation and FinTech solutions in the financial sector, including guidelines on the use and adoption of cloud services.

Alibaba Cloud has worked with financial institutions on their migration to the cloud and is prepared to support customers from the financial sector in meeting the BNM’s security and compliance requirements during cloud adoption.

Bank Negara Malaysia (BNM)

Bank Negara Malaysia (BNM) is the central bank of Malaysia and aims to promote monetary and financial stability. It is also responsible for maintaining the stability of the financial system by developing a sound, resilient, progressive and diversified financial sector.

Risk Management in Technology

The BNM issued an Exposure Draft on Risk Management in Technology (RMiT) in September 2018, setting out guidelines on managing technology-related risks and strengthening technology resilience for Financial Institutions (FIs). The RMiT is scheduled to come into effect on 1 June 2019.

The RMiT sets out requirements for FIs on governance, technology risk management, operations management and cybersecurity management. It also clarifies the use of public cloud computing services: FIs are required to perform comprehensive risk management over outsourced cloud service providers.

While the RMiT guidelines have not yet been finalised, Alibaba Cloud understands the objectives behind the requirements set out in the RMiT and has prepared responses to the relevant provisions. For details, please refer to the Alibaba Cloud User Guide – Financial Services Regulations & Guidelines in Malaysia below.

Guidelines on Outsourcing

The BNM issued new Guidelines on Outsourcing for Financial Institutions (FIs) in December 2018, effective from 1 January 2019. The Guidelines on Outsourcing set out requirements for managing outsourcing processes and risks. FIs must conduct a comprehensive and robust due diligence process over their outsourced service providers, including cloud service providers.

Alibaba Cloud helps FIs with their due diligence and risk management processes by responding, from the cloud service provider’s perspective, to the outsourcing-related risks identified in the Guidelines on Outsourcing. For the detailed responses, please refer to the Alibaba Cloud User Guide – Financial Services Regulations & Guidelines in Malaysia below.

Financial Technology Enabler Group (FTEG)

The Financial Technology Enabler Group (FTEG) was established by the BNM and is responsible for formulating and enhancing regulatory policies that facilitate the adoption of technological innovation in the Malaysian financial services industry. The FTEG has developed regulatory policies on technology risk to ensure security, consumer trust and confidence in the financial system. FIs are required to use technology to manage cyber risks such as malware attacks, DDoS and hacking.

Department of Personal Data Protection (JPDP)

The Department of Personal Data Protection (JPDP), an agency under the Ministry of Communications and Multimedia (KKMM), is responsible for enforcing and regulating the PDPA in Malaysia.

Personal Data Protection Act 2010 (PDPA)

The Personal Data Protection Act 2010 (PDPA) came into force in Malaysia on 15 November 2013. It regulates the processing of personal data in commercial transactions in order to protect individuals’ personal data. Alibaba Cloud complies with the PDPA in safeguarding such data.

Informational Resources

Alibaba Cloud provides customers with resources on how Alibaba Cloud can help facilitate compliance with the BNM’s requirements.

Frequently Asked Questions

1. Do FIs need to obtain formal approval from the BNM for outsourcing arrangements?
Yes. The BNM’s prior written approval must be obtained before entering into a new material outsourcing arrangement or making a significant change to an existing material outsourcing arrangement. For non-material outsourcing arrangements, FIs are required to maintain a complete, accurate and up-to-date register and make it available to the BNM upon request.
2. Can FIs enter into outsourcing arrangements outside of Malaysia?
The BNM permits outsourcing outside Malaysia on condition that FIs address the additional risks (e.g. country risk) associated with overseas outsourcing arrangements, maintain the same ability to monitor the service provider and to recover the business should the service provider fail, and preserve the BNM’s ability to obtain timely and unrestricted access to the relevant systems, information and documents. Alibaba Cloud operates two availability zones in Malaysia, which FIs can use to keep workloads and data in-country and so mitigate the risks associated with overseas outsourcing. Residency still depends on the FI selecting the Malaysia region when creating each resource and on any cross-region replication or backup it chooses to configure.
3. For multi-tenanted solutions, how would a customer’s information and systems be segregated from those of other customers, such that security and availability are ensured between customers relying on the same infrastructure?
Isolation between tenants in a cloud computing environment is realised through virtualization. The Alibaba Cloud platform uses a virtualized environment that provides compute isolation at multiple levels to protect data, and enforces isolation between tenants at the storage layer and in the logical virtual network layer to prevent unauthorised access.