Pathways to Regulatory Compliance in Your Cloud Journey - Singapore

References for security and compliance professionals to adhere to for Financial Sector cloud transformation

The Regulatory Environment in Singapore

Singapore, as one of the international financial hubs, has shown its openness to innovative Fintech solutions and its ambition to become a Smart Financial Centre. Digital transformation powered by cloud services is one of the critical phases of development for Financial Institutions.

The Monetary Authority of Singapore (MAS), Singapore's central bank, regulates financial institutions, both banking and non-banking. MAS formed a Financial Technology & Innovation Group (FTIG) in 2015 to drive Fintech initiatives. Specifically for banks, the Association of Banks in Singapore (ABS) has released a set of guidelines as an industry standard to supplement the MAS guidelines. The Infocomm Media Development Authority (IMDA) is a statutory board in the Singapore government that promotes the adoption of technology innovation across various sectors, including finance. IMDA also regulates data protection in Singapore through the Personal Data Protection Commission.

MAS considers the cloud a form of outsourcing and has given the green light for the use of the public cloud. Alibaba Cloud, as a public cloud service provider, understands its role under the requirements and standards set out by various regulators, whether binding or non-binding. Alibaba Cloud is committed to assuring Financial Institutions of its compliance with financial-industry-specific regulatory requirements in order to help them transition smoothly from on-premises infrastructure to cloud infrastructure.

MAS (Monetary Authority of Singapore)

Singapore's central bank, the Monetary Authority of Singapore (MAS), regulates financial institutions, including banking and non-banking institutions.

Technology Risk Management Guidelines

The MAS Guidelines on Technology Risk Management (TRM) set out principles and best practices for Financial Institutions (FIs) to establish a sound and robust technology risk management framework, so that IT systems and networks are capable of supporting the FI's business transactions as well as protecting consumer data and payments.

Alibaba Cloud, as a Cloud Services Provider, adheres to the TRM guidelines where the governed areas are relevant to the Cloud Services provided to the FIs or where the requirements are applicable to Alibaba Cloud in the provision of Cloud Services. Alibaba Cloud has listed the information pertinent to each of the applicable requirements in the TRM guidelines. For detailed information, please refer to Alibaba Cloud User Guide – MAS Technology Risk Management Guidelines below.

Guidelines on Outsourcing

The MAS Guidelines on Outsourcing provide guidance and recommendations on prudent risk management practices for outsourcing. An adequate outsourcing risk management framework is expected to be in place to mitigate risk during the oversight and management of outsourcing arrangements.

To address the concerns that FIs may have during their risk management processes, Alibaba Cloud has laid out the measures and controls it uses to mitigate the associated risks, especially those risks associated with Cloud Services that have been denoted by MAS. For detailed information, please refer to Alibaba Cloud User Guide – MAS Guidelines on Outsourcing below.

Business Continuity Management Guidelines

The Business Continuity Management Guidelines encourage FIs to adopt sound Business Continuity Management frameworks to minimize the impact on business of operational disruptions and to ensure the continuity of critical business functions. With IT outsourcing, the FIs' business continuity should not be compromised or hindered.

Alibaba Cloud offers various options to enable flexible solutions that fit FIs' different contingency planning requirements. Alibaba Cloud can work with the FIs to establish a viable contingency plan for multiple contingency scenarios and perform tests to ensure functionality.

IMDA (Infocomm Development Authority of Singapore)

The Infocomm Media Development Authority regulates the converging infocomm and media sectors in Singapore.

MTCS Multi-Tier Cloud Security

The Multi-Tier Cloud Security (MTCS) Singapore Standard (SS584) is the world’s first cloud security standard that covers multiple tiers of cloud security. Cloud Service Providers can apply MTCS to meet a variety of cloud user requirements, ensuring the security of sensitive data and continuity of critical business functions. MTCS has three levels of security, Level 1 being the base and Level 3 being the most stringent. Alibaba Cloud obtained the highest level of security: Level 3.

Cloud Outage Incident Response Guidelines

Following the Cloud Outage Incident Response (COIR) Guidelines driven by IMDA, Alibaba Cloud discloses its commitment to business continuity management and its disaster recovery capabilities and practices in case of a cloud outage.

COIR Disclosure Form

PDPC (Personal Data Protection Committee)

The Personal Data Protection Commission regulates personal data protection in Singapore.

Personal Data Protection Act 2012 (PDPA)

Personal data in Singapore is protected under the Personal Data Protection Act 2012 (PDPA). The PDPA establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. Alibaba Cloud complies with all PDPA requirements.

ABS (The Association of Banks in Singapore)

The Association of Banks in Singapore is a non-profit organisation that represents the interests of the commercial and investment banking community in Singapore.

Guidelines on Control Objectives and Procedures for Outsourced Service Providers (OSPAR)

ABS has had the Guidelines on Control Objectives and Procedures for Outsourced Service Providers in place since 2015 to help FIs assess whether their service providers maintain the same level of governance over entity-level controls, general IT controls and service controls as if the FIs managed the services on their own. It is a practical guide, based on the MAS Guidelines on Outsourcing, for banks in Singapore to follow when they implement and use outsourcing services.

Alibaba Cloud has engaged qualified auditors to audit the control objectives set out in the guidelines.

Cloud Computing Implementation Guide

The ABS Cloud Computing Implementation Guide has been established to assist FIs and Cloud Service Providers to understand the materiality of cloud outsourcing arrangements further to the MAS Guidelines on Outsourcing, perform due diligence based on the shared security responsibility model, and address specific risks associated with cloud services, including encryption, tokenisation, virtualised environment security, collaborative disaster recovery testing and security events monitoring. Alibaba Cloud partners with the FIs on their cloud journey and digital transformation.

Informational Resources

Alibaba Cloud informational user guides are intended to explain the MAS Technology Risk Management Guidelines and Guidelines on Outsourcing, to help FIs understand the applicability of the MAS requirements to the use of cloud services and how Alibaba Cloud addresses each of the regulatory requirements.

Frequently Asked Questions

1. Do we need to obtain a formal approval from MAS regarding the outsourcing arrangement?
FIs need to maintain an updated register of all existing outsourcing arrangements in the format of the template available from the MAS website. The updated register has to be submitted to MAS on an annual basis or upon request. MAS will assess the adequacy of the FIs' observance of the outsourcing guidelines.
2. Are we allowed to enter into outsourcing arrangements outside of Singapore?
MAS does not restrict FIs from outsourcing services to service providers in a foreign country. However, additional risks, including country risks (political, social and economic conditions) as well as the level of legal and regulatory requirements in the foreign country, need to be taken into consideration during the due diligence process. Moreover, although the information and data could be moved to a foreign country, this should not hinder MAS's right to retrieve such information or to audit or supervise the FIs' business operations.
3. For multi-tenanted solutions, how would customer’s information and systems be segregated from other customers, such that security and availability are ensured between customers relying on the same infrastructure?
Isolation between multiple tenants in a cloud computing environment is realised via virtualization technology. The Alibaba Cloud platform uses a virtualized environment that provides computing isolation at multiple levels to protect data, and ensures isolation at the storage and logical virtual network layers between multiple tenants to prevent unauthorised access.
4. How would data be securely removed from the respective infrastructure and rendered inaccessible upon cessation of services or account termination?
Upon contract termination, the storage instances will be released, and the original disk space and memory space will be reliably scrubbed to ensure user data security. The customer also has the right to delete their account online when the services are terminated.
5. Will customer data be transferred outside of Singapore without the customer’s consent?
Alibaba Cloud will not move the customer's data and application from the selected AZ to any other AZ, as Alibaba Cloud does not have access to the customer content unless authorized by the customer.