Pathways to Regulatory Compliance in Your Cloud Journey - Singapore

References for security and compliance professionals in the Financial Sector

The Regulatory Environment in Singapore

Singapore, as one of the world’s international financial hubs, has shown a great openness to innovative Fintech solutions and an ambition to become a Smart Financial Centre. Singapore understands that a path towards digital transformation powered by the cloud is one of the critical phases of the further development of financial institutions in the digital era.

The Monetary Authority of Singapore (MAS), Singapore's central bank, regulates financial institutions, including both banking and non-banking institutions. MAS formed a Financial Technology & Innovation Group (FTIG) in 2015 to drive Fintech initiatives. Specifically for banking institutions, the Association of Banks in Singapore (ABS) has released a set of guidelines as an industrial standard to supplement the MAS guidelines. Infocomm Media Development Authority (IMDA) is a statutory board in the Singapore government, which promotes the adoption of technological innovations in various sectors including finance. IMDA also regulates data protection in Singapore through the Personal Data Protection Commission.

MAS considers cloud as a form of outsourcing and has given the green light for the use of the public cloud. Alibaba Cloud, as a public cloud service provider, understands its role under the requirements and standards set out by the various regulators, whether those requirements and standards are binding or non-binding. Alibaba Cloud is committed to facilitating compliance with the financial industry's specific regulatory requirements in order to help our customers transition smoothly from on-premises infrastructure to cloud infrastructure.

Monetary Authority of Singapore (MAS)

Singapore's central bank, the Monetary Authority of Singapore (MAS) regulates financial institutions, including banking and non-banking institutions.

Technology Risk Management Guidelines

The MAS Guidelines on Technology Risk Management set out principles and best practices for financial institutions to establish a sound and robust technology risk management framework, to make sure that IT systems and networks are capable of supporting the financial institution's business transactions as well as protecting consumer data and payments.

Alibaba Cloud, as a cloud service provider, adheres to the guidelines where the governed areas are relevant to the cloud services provided to the FIs, or where the requirements are applicable to Alibaba Cloud in the provision of cloud services. Alibaba Cloud has listed the information pertinent to each of the applicable requirements in the TRM guidelines. For detailed information, refer to Alibaba Cloud User Guide – MAS Technology Risk Management Guidelines below.

Guidelines on Outsourcing

The MAS Guidelines on Outsourcing provide guidance and recommendations on prudent risk management practices for outsourcing. An adequate outsourcing risk management framework is expected to be in place to mitigate risk during the oversight and management of outsourcing arrangements.

To address the concerns that financial institutions may have during their risk management processes, Alibaba Cloud has laid out its measures and controls for mitigating the associated risks, especially those risks associated with cloud services that have been identified by MAS. For detailed information, refer to Alibaba Cloud User Guide – MAS Guidelines on Outsourcing below.

Business Continuity Management Guidelines

The Business Continuity Management Guidelines encourage financial institutions to adopt sound Business Continuity Management frameworks to minimize the impact of operational disruptions on the business and to ensure the continuity of critical business functions. With IT outsourcing, the business continuity of a financial institution should not be compromised or hindered.

Alibaba Cloud offers various options to enable flexible solutions that fit the different contingency planning requirements of financial institutions. Alibaba Cloud can work with financial institutions to establish viable contingency plans for multiple contingency scenarios and perform tests to ensure they function as intended.

Infocomm Media Development Authority (IMDA)

The Infocomm Media Development Authority regulates the converging infocomm and media sectors in Singapore.

Multi-Tier Cloud Security Standard (MTCS)

The Multi-Tier Cloud Security (MTCS) Singapore Standard (SS584) is the world's first cloud security standard that covers multiple tiers of cloud security. Cloud service providers can apply MTCS to meet a variety of cloud user requirements, ensuring the security of sensitive data and the continuity of critical business functions. MTCS has three levels of security, with Level 1 being the basic level and Level 3 being the most stringent. Alibaba Cloud has obtained the highest level of security: Level 3.

The Data Protection Trustmark (DPTM)

DPTM is a voluntary enterprise-wide certification framework launched by IMDA for organisations to demonstrate accountable data protection practices. It was developed by adopting and aligning with Singapore's PDPA and incorporating elements of international benchmarks and industry best practices. Alibaba Cloud (Singapore) is certified with the Data Protection Trustmark. For details, please refer to the IMDA website.

Cloud Outage Incident Response Guidelines

Following the Cloud Outage Incident Response (COIR) Guidelines driven by IMDA, Alibaba Cloud discloses its commitment to business continuity management and its disaster recovery capabilities and practices in case of a cloud outage.

COIR Disclosure Form

Personal Data Protection Commission (PDPC)

Personal Data Protection Act 2012 (PDPA)

Personal data in Singapore is protected under the Personal Data Protection Act 2012 (PDPA). The PDPA establishes a data protection law comprising various rules that govern the collection, use, disclosure and care of personal data. Alibaba Cloud complies with all PDPA requirements.

The Association of Banks in Singapore (ABS)

The Association of Banks in Singapore (ABS) is a non-profit organisation that represents the interests of the commercial and investment banking community in Singapore.

Guidelines on Control Objectives and Procedures for Outsourced Service Providers (OSPAR)

The Association of Banks in Singapore (ABS) established the Guidelines on Control Objectives and Procedures for Outsourced Service Providers in 2015 to help FIs assess whether their service providers maintain the same level of governance over entity-level controls, general IT controls and service controls as if the FIs managed the services themselves. It is a practical guide, based on the MAS Guidelines on Outsourcing, for banks in Singapore to follow when they implement and use outsourced services.

Alibaba Cloud has engaged ABS-approved auditors to perform an OSPAR audit over the control objectives set out in the guidelines, and the audit confirmed full compliance by Alibaba Cloud. For more details, refer to the ABS website.

Cloud Computing Implementation Guide

The ABS Cloud Computing Implementation Guide was established to assist financial institutions and cloud service providers in understanding the materiality of cloud outsourcing arrangements, further to the MAS Guidelines on Outsourcing; in performing due diligence based on the shared security responsibility model; and in addressing specific risks associated with cloud services, including encryption, tokenisation and virtualised environment security, as well as collaborative disaster recovery testing and security event monitoring. Alibaba Cloud follows the best practices outlined in the guide to support financial institutions along their cloud journey and their journey towards digital transformation.

Frequently Asked Questions

1. Is a formal approval needed from MAS regarding the outsourcing arrangement?

Financial institutions need to maintain an up-to-date register of all existing outsourcing arrangements, in the format of the template available on the MAS website. The register has to be submitted to MAS on an annual basis or upon request. MAS will assess the adequacy of the financial institution's observance of the outsourcing guidelines.

2. Is offshore outsourcing allowed in Singapore?

MAS does not restrict financial institutions from outsourcing services to service providers in a foreign country. However, several risks need to be taken into consideration during the due diligence process, including country risks: varying political, social or economic conditions, as well as the level of legal and regulatory requirements in the foreign country. Moreover, although information and data may be moved to a foreign country, this should not hinder MAS's right to retrieve such information or to perform audits and supervision over the financial institution's business operations.

3. For multi-tenanted solutions, how would a customer’s information and systems be segregated from other customers, such that security and availability are ensured between customers relying on the same infrastructure?

Isolation between multiple tenants in a cloud computing environment is realised through virtualization technology. Alibaba Cloud's platform uses a virtualized environment that provides compute isolation at multiple levels to protect data, and ensures isolation at the storage and logical virtual network layers between tenants to prevent unauthorised access.

4. How would data be securely removed from the respective infrastructure and rendered inaccessible upon cessation of services or account termination?

Upon contract termination, the storage instances are released, and the original disk space and memory space are reliably scrubbed to ensure the security of user data. The customer also has the right to delete their account online when the services are terminated.