The Philippines is one of the most vibrant economies in Southeast Asia, and its fast-growing economy benefits from an innovation-friendly regulatory environment. Cloud services are key to digital transformation: they empower organizations across all industries in the Philippines to adapt to new business models efficiently and economically while enjoying cloud-native security and privacy features. As in many other countries in Southeast Asia, the laws and regulations regarding cloud adoption fall into two categories: generally applicable regulatory requirements, such as privacy laws, and industry-specific requirements, such as those issued by Bangko Sentral ng Pilipinas (BSP) governing financial institutions.
General Regulatory Environment
The National Privacy Commission (NPC) is an independent body mandated to govern and monitor compliance with privacy protection in the Philippines.
General Privacy Laws:
The Data Privacy Act of 2012 (DPA) regulates the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of personal data. The NPC further promulgated the Implementing Rules and Regulations (IRR) of the DPA to facilitate the implementation and governance of its provisions. The DPA and IRR of DPA impose obligations on all organizations and individuals that deal with personal information in or associated with the Philippines, covering personal data protection matters such as notice, consent, disclosures, sharing and transfer, security, data retention, data subjects' rights, and subcontracting.
Data Cross-Border Transfer Requirements:
The DPA and IRR of DPA do not impose specific restrictions on the cross-border transfer of personal data. Cross-border transfer activities shall comply with the relevant provisions of the DPA and IRR of DPA. The Personal Information Controller remains responsible and accountable for personal information under its control or custody that has been transferred to a third party (domestically or internationally) for processing, subject to cross-border arrangement and cooperation.
Financial Services Sector
Financial institutions (FIs) in the Philippines are undergoing significant digital transformations to stay competitive in a fast-changing business environment. The cloud works as a foundation for digitalization, giving FIs strong computing and analytics capabilities along with cloud-native security features. Alibaba Cloud offers a high degree of flexibility in designing and implementing IT architecture on the cloud. With proper solution design, it can meet the requirements of high security, resilience, recoverability and performance for regulated entities in the financial services industry. Alibaba Cloud is committed to facilitating customers' compliance with financial industry-specific regulatory requirements. It provides a full suite of offerings that can help with initial due diligence and risk assessment, solution selection, implementation and transition, and post-implementation assurance. The suite includes responses covering every due diligence evaluation aspect, best practices in service and product configuration, automated and continuous security check tools, and third-party assurance over the design and operational effectiveness of internal controls.
The Bangko Sentral ng Pilipinas (BSP) is the primary financial services industry regulator in the Philippines, governing banks and non-bank financial institutions, including quasi-banks, finance companies and non-stock savings and loan associations. Some institutions are subject to licensing requirements issued by the Securities and Exchange Commission (SEC) and/or the Insurance Commission (IC).
Regulations/Guidelines to Consider When Using Cloud Services:
BSP has established a set of regulations and circulars to oversee how BSP supervised institutions (BSIs) manage technology risk associated with cloud adoption. These enable financial institutions to enjoy the benefits of cloud technology while addressing the associated risks. The regulations and circulars issued by BSP pertaining to cloud adoption include:
1. Circular No. 808, Series of 2013, Guidelines on Information Technology Risk Management for All Banks and Other BSP Supervised Institutions
2. Circular No. 982, Series of 2017, Enhanced Guidelines on Information Security Management
3. Circular No. 951, Series of 2017, Guidelines on Business Continuity Management
4. Circular No. 1019, Series of 2018, Technology and Cyber-Risk Reporting and Notification Requirement
5. Manual of Regulations for Banks (MORB)
6. Manual of Regulations for Non-Bank Financial Institutions (MORNBFI)
Are clouds permitted?
Is there any additional approval needed?
Financial institutions need to obtain prior approval from the BSP for cloud adoption as an IT outsourcing activity.
Are offshore outsourcing arrangements allowed?
Offshore outsourcing is permitted by the BSP only when the service provider operates in jurisdictions that uphold confidentiality. During the risk assessment process, financial institutions should develop a comprehensive risk management process to manage and monitor outsourcing, the outsourced services, and the local regulations in countries where the service provider is based. Financial institutions must make sure the BSP still has supervisory power and access rights to the data.
adherence to the applicable Bangko Sentral ng Pilipinas’s Circulars.