ANL 36.16 Decreased By ▼ -0.39 (-1.07%)
ASC 14.70 Decreased By ▼ -0.10 (-0.68%)
ASL 25.80 Decreased By ▼ -0.30 (-1.15%)
AVN 89.25 Decreased By ▼ -1.65 (-1.82%)
BOP 7.80 No Change ▼ 0.00 (0%)
BYCO 10.15 Decreased By ▼ -0.06 (-0.59%)
DGKC 124.05 Decreased By ▼ -1.15 (-0.92%)
EPCL 57.60 Increased By ▲ 0.10 (0.17%)
FCCL 24.25 Decreased By ▼ -0.10 (-0.41%)
FFBL 28.93 Increased By ▲ 0.13 (0.45%)
FFL 15.89 Decreased By ▼ -0.16 (-1%)
HASCOL 9.68 Decreased By ▼ -0.11 (-1.12%)
HUBC 78.80 Decreased By ▼ -0.20 (-0.25%)
HUMNL 6.53 Decreased By ▼ -0.24 (-3.55%)
JSCL 21.41 Decreased By ▼ -0.40 (-1.83%)
KAPCO 39.95 Decreased By ▼ -0.15 (-0.37%)
KEL 3.79 Decreased By ▼ -0.04 (-1.04%)
LOTCHEM 16.60 Decreased By ▼ -0.01 (-0.06%)
MLCF 46.57 Decreased By ▼ -0.58 (-1.23%)
PAEL 35.50 Increased By ▲ 0.27 (0.77%)
PIBTL 10.30 Decreased By ▼ -0.05 (-0.48%)
POWER 9.24 Decreased By ▼ -0.01 (-0.11%)
PPL 86.25 Increased By ▲ 0.23 (0.27%)
PRL 25.16 Decreased By ▼ -0.16 (-0.63%)
PTC 9.88 Decreased By ▼ -0.13 (-1.3%)
SILK 1.25 Increased By ▲ 0.01 (0.81%)
SNGP 42.40 Increased By ▲ 0.35 (0.83%)
TRG 163.25 Decreased By ▼ -1.50 (-0.91%)
UNITY 30.40 Decreased By ▼ -0.36 (-1.17%)
WTL 1.58 Increased By ▲ 0.10 (6.76%)
BR100 4,866 Decreased By ▼ -7.29 (-0.15%)
BR30 25,724 Decreased By ▼ -123.86 (-0.48%)
KSE100 45,261 Decreased By ▼ -50.6 (-0.11%)
KSE30 18,525 Decreased By ▼ -19.23 (-0.1%)

Pakistan Deaths
Pakistan Cases
Business & Finance

SBP introduces modification in cloud-based outsourcing arrangements for FIs

  • The Board IT Committee shall approve all cloud-based outsourcing arrangements in line with the policy approved by the board.
28 Sep 2020

In order to enhance scope of outsourcing to Cloud Service Providers (CSPs) for Banks/DFIs/Microfinance Banks, the State Bank of Pakistan has made further modifications in the ‘Enterprise Technology Governance and Risk Management Framework for Financial Institutions (FIs)’ circular.

Under the substituted section 4.4.2 of the circular, the Board IT Committee shall approve all cloud-based outsourcing arrangements in line with the policy approved by the board. Further, FI(s) can avail all types of cloud service models including Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) etc. from domestic and off-shore CSPs keeping in view the following parameters:

FI(s) can use cloud services for non-core operations and business support processes such as HR Modules, Procurement Functions, Non-Production Environment, Sandboxing, Inventory Management, Supply Chain Management, Office Productivity, Customer Relationship Management Tools (WhatsApp, Facebook etc.), Communication Tools, Security Tools, Computation and Processing Services, Data Analytics and Risk Modeling, Middleware and Payments Processing Services/ Platforms etc.;

However, all other banking applications and allied infrastructure, which are used to store and process customers’ information relating to deposits, loans & credits and details of balances & transactions in ledger accounts of customers/ borrowers, shall not be placed under cloud-based outsourcing arrangements.

Furthermore, under the internal controls in cloud outsourcing arrangements, while entering into outsourcing arrangement with CSPs, FI(s) shall ensure that:

All cloud based outsourcing arrangements are undertaken through legally binding Service Level Agreements (SLAs). 1. FI(s)’ data is encrypted at database level, storage level and during network transmission and shall be logically segregated from other data held by the CSPs. 2. The arrangement does not contain a lock-in clause. In case of exit from cloud services, FI(s) shall have contractual rights to continue with the arrangement until such time, an FI is able to switch to a substitute arrangement. 3. Data transferability and portability from one CSP to another and its purging/ deletion in case of exit. 4. CSP complies with SBP’s requirement for provision of data/ information relating to FI(s)’ operations. 5. Disclosure of FI(s)’ data to any third-party by CSP is prohibited without approval of FI(s).

SBP has allowed subcontracting in outsourcing arrangements with CSPs provided they shall comply with all relevant laws and SBP’s regulations.

FI(s) shall ensure that their internal/ external auditors and SBP have right to conduct audit and on-site inspection of the CSP or its subcontractor. Further, there should be no restriction or prohibition on visit by audit or SBP staff or such visits are otherwise not impractical. In case, where audit cannot be conducted for a valid reason(s), FI(s) may rely on internationally recognized third party certifications and reports made available by CSP.

However, reliance on these third-party certifications and reports shall be supported by adequate understanding and review of the scope, the methodology applied therein and the ability of third party and CSP to clarify matters relating to the audit. These reports shall be shared with SBP as and when required.”