Cloud outsourcing for banks

12 March, 2020

Bank Negara allows for outsourcing. They're strict about it, but it's allowed.

All banks that employ outsourcing services must obtain BNM's approval. All significant changes to outsourcing arrangements must also obtain approval.

Bank Negara's outsourcing policy.

Banks might want to outsource services for several reasons. They may lack the expertise for a particular service, want to save cost, or simply want another party to be accountable for a service.

Cloud outsourcing has even higher requirements. Most cloud services do not have data centers in Malaysia, and outsourcing outside Malaysia has its own set of requirements as well.


Cloud service provider    Nearest data center
Google Cloud              Singapore
AWS by Amazon             Singapore
Azure by Microsoft        Singapore
Aliyun by Alibaba         Malaysia
Oracle Cloud              Japan

Regulation

Outsourcing outside Malaysia

Banks must ensure data recovery and business continuity are enabled. BNM must also be able to exercise its regulations in the jurisdiction of that country. This means that BNM should be able to request data from a bank operating locally at any time. For example, HSBC, an international bank which (fictitiously) operates a data center in Hong Kong, should be able to produce data about customers that bank with HSBC Malaysia. Banks must account for geopolitical risks too.

Outsourcing involving cloud services

Cloud service providers are held to the same standards as other outsourced services. Cloud service providers must ensure data recovery and business continuity too. Banks must conduct audits wherever the data center is located. They can work through a third-party auditor. Cloud service providers serve other customers as well, so their databases host data from other companies. The bank's data must be logically separated from that of other customers.

