Page 1: Navigating your way to the cloud - download.microsoft.comdownload.microsoft.com/.../Navigating-a-Path-to-the-Cloud-Malaysia.pdf · A practical guide for Malaysian financial institutions

A practical guide for Malaysian financial institutions

Navigating your way to the cloud


Navigating a path to the cloud

Contents

New technologies. New opportunities 4

Four essential steps to a successful cloud adoption and deployment 5

Step 1: Full, informed stakeholder involvement 6

Step 2: Targeted Cloud Service Provider selection criteria 8

Step 3: A compliant contract 11

Step 4: Appropriate engagement with Bank Negara Malaysia 12

Settling common misconceptions: the two most common regulatory concerns 14


New technologies. New opportunities

The financial services sector in the Asia-Pacific region is in the midst of a digital transformation – and nowhere more so than in Malaysia. A shift in customer expectations driven by improving connectivity, a surge in smartphone adoption, growing competition from disruptive market entrants and a challenging macroeconomic landscape have caused financial services institutions (FSIs) in Malaysia to reassess their technology strategies.

Powering this digital transformation is cloud technology. FSIs in Malaysia are increasingly partnering with cloud services providers (CSPs), such as Microsoft, to support innovative mobile services and new business models. However, recent research by Forrester, commissioned by Microsoft, reveals that despite a strong interest, the pace of cloud adoption in Malaysia has been slowed by common misconceptions that there may be barriers or even absolute prohibitions on the use of public cloud services [1]. In fact, there are no published prohibitions (from Bank Negara Malaysia (BNM) or otherwise) and many FSIs in Malaysia have already adopted cloud services or are taking steps towards doing so.

Having worked with a number of FSIs in Malaysia moving to the cloud, Microsoft has deep experience in helping to deliver solutions that meet the compliance requirements of the financial services sector. Working in close co-operation with stakeholders, Microsoft recognises the need for a CSP to actively facilitate compliance through full, transparent, proactive engagement with the FSI and, on request, with BNM. Through this process of collaboration over a number of years, Microsoft has developed a pool of practical resources to assist FSIs to move to the cloud in a way that meets the highest compliance, risk and security standards.

This paper shares our experience, addresses common misconceptions and steps you through the procurement stages of a cloud adoption, explaining when and how to engage with BNM and what to look out for in the cloud contract itself.

By following the practical steps outlined in this paper, FSIs in Malaysia can navigate their way to the Microsoft cloud with confidence and enjoy the benefits of digital transformation.

Four essential steps to a successful cloud adoption and deployment

Microsoft’s experience of working with FSIs in Malaysia has shown that a successful cloud adoption has four interrelated and interdependent steps. BNM will require evidence that the key stakeholders (namely the board of the FSI) have approved the cloud adoption. Similarly, assurances made by CSPs in response to selection criteria will need to translate into binding commitments set out in a compliant contract.

The path to the cloud in Malaysia is open – and Microsoft has deep experience in helping our most regulated customers make the move.

[Figure: Cloud Adoption – the four interdependent steps]

1. Full, informed stakeholder involvement

2. Targeted CSP selection criteria

3. A compliant contract

4. Appropriate engagement with BNM

[1] Forrester Consulting, Ensuring Agility and Trust in a Rapidly Changing Financial Services Market, published April 2016.


Step 1: Full, informed stakeholder involvement

A smooth cloud adoption requires informed stakeholder involvement from the outset. A broad, multidisciplinary team needs to be established and its members fully informed so that their decisions are founded on a complete understanding of the proposed cloud solution. Microsoft takes responsibility for providing such decision makers with detailed product and service information.

Key actions

1. Build the core stakeholder team and develop the business case

Establish a multidisciplinary team from day one.

Put your technology and procurement teams in charge of developing the business case, with a focus on the operational and commercial factors driving the decision to adopt cloud services.

Ensure your legal, risk and compliance teams are involved early in these discussions. They’ll need to map proposed solutions against legal and regulatory requirements and determine the time frames required to engage with regulators. Many technology projects have been delayed by engaging legal and compliance people too late in the process.

The board and senior management will typically require early reassurance regarding the business case for cloud services and how the cloud services will meet compliance requirements. They’ll also want to understand the proposed oversight, review, reporting and response arrangements with your CSP. And finally, they’ll need to provide final sign-off, both as a matter of good corporate governance, and because BNM requires evidence of board ratification as part of the regulatory approvals process.

2. Obtain detailed product and service information

In addition to understanding the technical solutions, BNM expects FSIs to demonstrate a deep knowledge of the specific cloud product being considered. This is to ensure that FSIs approach a cloud adoption with full awareness of the implications for their particular organisation. In Microsoft’s experience, reaching this knowledge threshold will be greatly assisted by CSPs’ willingness and ability to share relevant and specific technical information.

3. Understand the technical solutions available

To support your core team and assist with the early scoping of any cloud project, Microsoft has prepared a summary of the different types of cloud delivery and cloud deployment models.

A summary of cloud delivery and deployment models

Definition: Cloud Computing, Cloud Services or Cloud means on-demand network access to a shared pool of configurable computing resources. In other words, cloud services provide FSIs with on-demand access, using a network connection, to information technology or software services, all of which a CSP configures to the needs of the FSI.

Cloud delivery models

1. Software as a Service (SaaS): Where the CSP makes software applications available to customers.

2. Platform as a Service (PaaS): Where the CSP provides a computing platform for customers to develop and run their own applications.

3. Infrastructure as a Service (IaaS): Where the CSP delivers IT infrastructure; e.g., storage space or computing power.

Cloud deployment models

1. Public Cloud: Infrastructure is owned and managed by the CSP and not located on the customer’s premises. Although each customer’s data and services are protected from unauthorised access, the infrastructure is accessible by multiple customers. Given the operational and commercial benefits to customers, public cloud is increasingly seen as the de facto deployment model.

2. Private Cloud: Infrastructure is usually managed by the CSP (but sometimes by the customer). The infrastructure is located either on customer premises or, more typically, on the CSP’s premises. The data and services are able to be accessed only by the particular customer.

3. Community Cloud: Serves members of a community of customers with similar computing needs or requirements. The infrastructure may be owned and managed by members of the community or by a CSP. The infrastructure is located either on customer premises or the CSP’s premises. The data and services are accessible only by the community of customers.

4. Hybrid Cloud: A combination of two or more of Private Cloud, Public Cloud or Community Cloud.

How Microsoft helps

Microsoft's expert team is on hand to support you throughout your cloud project, from initial stakeholder engagement through to assisting with the BNM notification process. Our cloud services span all of the above delivery and deployment models. Each of these services is supported with a range of materials, including product fact sheets, online trust centres and BNM checklists, to help FSIs make an informed decision. In addition, we have subject-matter experts available to meet with you and your core stakeholders. They’ll provide specific and detailed information on the technical, contractual and practical aspects of your proposed cloud project.


Step 2: Targeted CSP selection criteria

To verify that your proposed CSP can meet the applicable compliance, risk and security requirements, you’ll need to develop selection criteria.

Recommended selection criteria

FSIs should ensure that their CSP selection criteria include the six criteria listed below.

1. CSP’s ability to deliver compliant solutions in Malaysia

It’s essential to work with a CSP that has a deep understanding of the FSI regulatory landscape in Malaysia and extensive experience in achieving BNM regulatory approval for FSI customers. This experience will help facilitate a smoother regulatory approvals process.

• Ask the CSP if they have a specific FSI cloud compliance program designed to foster collaboration and compliance with regulatory requirements.

• Determine if and to what extent the CSP has previously engaged with BNM on cloud projects in Malaysia.

2. CSP’s track record in Malaysia

Carefully consider the CSP’s longevity and track record in the local market. Not only can this help ensure a successful long-term relationship, but also, as part of the approval process, BNM will want to be satisfied with the CSP’s track record.

• Complete thorough due diligence on the CSP. This includes evaluating their track record and investigating sites where they have delivered cloud projects across the region.

• Assess the CSP’s capabilities, expertise, experience, technical competence and the adequacy of its personnel as part of your due diligence. A competent CSP will make all of the required information readily available.

3. CSP’s understanding of the FSI’s strategic and business objectives

It’s important to conduct detailed discussions with the proposed CSP to ensure they understand your strategic and business objectives.

• Schedule a briefing session and ask the CSP to respond with a detailed proposal as to how their services can meet your objectives.

4. CSP’s financial strength and resources

Contractual promises carry little weight if the CSP cannot stand behind them financially. You need to be confident your chosen CSP is in a position to provide continuity of operations and compensation for any service failures or breaches of contract.

• Review the financial position of the CSP and (to the extent not publicly available) request audited financial statements for the last three years at a minimum.

5. CSP’s security, standards and ability to meet the FSI Safe Cloud Principles

With a growing acceptance that cloud services can meet or even exceed the highest on-premises security practices, ensure your chosen CSP demonstrates high levels of protection.

• Ask your CSP to demonstrate compliance with industry standards ISO 27001 [2] and ISO 27018 [3] at a minimum.

• Partner with a CSP that can meet the Safe Cloud Principles for the Financial Services Industry [4] developed by the Asia Cloud Computing Association.

6. CSP’s commitment to tracking and implementing new cloud security and privacy standards

New cloud security and privacy standards are under constant development. For example, ISO will soon release its 19086 standard for cloud service level agreements. Similarly, the FIDO Alliance is working with many of the world’s leading banks, payment providers and government regulators to develop new device-to-cloud authentication standards based on public key encryption and flexible biometrics.

• Ensure that your chosen CSP has active, well-funded programs to implement new standards in a timely and effective manner.

How Microsoft helps

Microsoft confirms its ability to meet all of the criteria specified above. Based on our close working relationship with FSIs and BNM, Microsoft is also confident that its understanding of the FSI environment is market-leading in Malaysia and across the region, with a proven track record of successful cloud deployments that comply with financial services regulatory requirements and global security and risk standards such as ISO 27001 and ISO 27018.

Microsoft’s financial services compliance program extends the compliance features of Microsoft Azure®, Office 365®, Dynamics™ CRM Online and Intune™ by providing:

• Customer access to additional information from Microsoft subject matter experts (SMEs).

• Access to additional compliance-related information developed by Microsoft.

• The opportunity for one-to-one discussions with Microsoft’s third-party auditors.

• Participation in webcast walk-throughs of ISO and SSAE audit reports with Microsoft SMEs.

• The ability to view the Microsoft control framework for online services.

• The opportunity to recommend future additions to the audit scope of the service.

• Access to detailed reports on the external audit penetration tests conducted on the service.

[2] http://www.microsoft.com/en-us/TrustCenter/Compliance/iso-iec-27001

[3] https://www.microsoft.com/en-us/TrustCenter/Compliance/iso-iec-27018

[4] https://www.asiacloudcomputing.org/images/research/2014_-_Safe_Cloud_Principles_for_FSI.pdf


Step 3: A compliant contract

BNM regulations and guidance stipulate a number of terms that FSIs should include in a binding cloud contract. These are listed below with explanations to assist you.

Terms to address in your cloud contract

1. Privacy: The CSP should agree to protect and maintain the confidentiality of the FSI's data and help the FSI to continue to meet its Malaysian Personal Data Protection Act (PDPA) obligations.

2. CSP Responsibilities: The contract should be clear as to the CSP's responsibilities, covering matters such as service scope, delivery and duration.

3. Service Availability: There should be a service level agreement (SLA) specifying the service levels the CSP is required to meet, with defined consequences (e.g. service credits) if performance falls below the agreed standard.

4. Rights of the Regulator: The cloud contract should permit the FSI's regulator to independently assess the CSP based on agreed parameters.

5. Transparency, Reporting and Monitoring: The CSP should agree to provide regular reports on performance of the cloud services against agreed standards.

6. Data Ownership: The cloud contract should clearly state that the FSI's data remains the property of the FSI. The CSP should not gain any ownership rights of FSI data.

7. Data Use: The FSI's data should be used only for the purposes of providing the services.

8. Data Access: The FSI must have the right to access its data at any time.

9. Termination / Exit: The cloud contract should specify what happens on termination of the cloud contract. The CSP must agree to delete the FSI's data from its systems after a specified period once the contract has ended.

10. Resolving Disputes: There should be a clear legal process for resolving disputes.

How Microsoft helps

Microsoft extends all of the terms above to its FSI customers in Malaysia and around the world.

Microsoft has developed a checklist that maps its contractual terms to each of the terms required under applicable regulations. This is available from your Microsoft contact upon request.


Step 4: Appropriate engagement with BNM

A successful cloud adoption requires that both the FSI and CSP engage openly with BNM. To streamline this process, we have provided details on the BNM regulatory environment along with practical steps you can take.

Overview of the FSI Regulatory Environment in Malaysia

1. Who is the regulator?

Bank Negara Malaysia (BNM).

2. Are cloud services permitted?

Yes. There are no blanket prohibitions on the use of cloud services by FSIs in Malaysia. All cloud service delivery and deployment models (including public cloud) are permitted.

3. What regulations and guidance are relevant?

The primary reference is BNM's Outsourcing Guidelines. In addition, other relevant requirements are set out in:

• BNM’s Guidelines on Data Management and MIS Framework for FSIs.

• BNM’s Guidance on Business Continuity Management.

• BNM’s Guidelines on Management of IT Environment.

• BNM’s Guidelines on the Provision of Electronic Banking Services by FSIs.

• The Financial Services Act 2013.

4. Are transfers of data outside of Malaysia permitted?

Yes. Transfer of data outside of Malaysia is permitted provided two requirements are met:

• First, the FSI should ensure that it will continue to comply with the general requirements under the PDPA (for example, the FSI should be comfortable that the data will be processed by the CSP according to standards that are at least equivalent to the PDPA).

• Second, approval from BNM is required (see point 5).

5. Is regulatory approval required?

Yes. Approval is required where the FSI wishes to use a CSP with data centres located outside of Malaysia. Microsoft has considerable experience in helping FSIs in Malaysia to obtain BNM approval for the use of offshore public cloud.

6. When should the FSI engage with BNM?

Once the FSI has satisfied all of the requirements outlined in this paper, and obtained a full understanding of the solution proposed, it should engage with BNM as soon as possible.

7. Are there particular forms or questionnaires the FSI needs to complete?

No. There are no mandatory forms or questionnaires for approval from BNM. However, Microsoft has developed a checklist that maps the BNM requirements against Microsoft’s contractual terms and conditions.

How Microsoft helps

Microsoft’s expert team is on hand to support you throughout your cloud project, from initial stakeholder engagement through to assisting with the BNM notification process. Our cloud services span all of the delivery and deployment models. Each of these services is supported with a range of materials, including product fact sheets, online trust centres and BNM checklists, to help FSIs make an informed decision. In addition, we have subject-matter experts available to meet with you and your core stakeholders. They’ll provide specific and detailed information on the technical, contractual and practical aspects of your proposed cloud project.


Settling common misconceptions: the two most common regulatory concerns

Whilst there are no prohibitions on the use of cloud services in Malaysia, some prevailing misconceptions have slowed adoption.

Concern 1: Prohibition on data transfer outside Malaysia

Misconception: I cannot use cloud services when the data centres are located outside of Malaysia.

Reality: Use of offshore cloud services is permitted. In fact, many Malaysian FSIs are using Microsoft cloud services, having satisfied the BNM approval process.

Since cloud services from most major providers, including Microsoft, will typically involve some level of data processing outside of Malaysia, the belief that offshore cloud cannot be used has caused some FSIs in Malaysia to dismiss cloud as an option.

The reality is that neither published BNM regulation nor the PDPA prevents Malaysian FSIs from using data centres located outside Malaysia. The misconception appears to come from:

• A misreading of the PDPA – the PDPA in fact does permit the transfer of personal data outside Malaysia, provided that the data will be processed by the CSP according to standards that are at least equivalent to the PDPA.

• A misunderstanding of BNM requirements – BNM in fact permits data transfer outside Malaysia, provided satisfactory safeguards are in place. BNM has approved the use of Microsoft’s overseas data centres.

• Misplaced concerns regarding security standards in overseas jurisdictions – Microsoft’s processes, contractual terms and the location of its data centres help demonstrate that data standards comparable to those of Malaysia can be maintained.

Concern 2: Sensitive personal data and the cloud

Misconception: FSIs cannot move to the cloud and maintain PDPA compliance in relation to sensitive personal data.

Reality: FSIs can use Microsoft’s cloud services for sensitive personal data and comply with PDPA obligations.

Some FSIs in Malaysia believe that cloud services put them at risk of breaching privacy obligations, particularly in relation to sensitive personal data. While regulators rightly wish to ensure that security arrangements are in place to protect sensitive personal data, there are no barriers to the use of cloud for sensitive personal data. However, FSIs do need to work closely with CSPs to make sure that appropriate safeguards are in place.

Microsoft works with FSIs in Malaysia to help them understand the data protection measures applicable to the cloud services they are considering. We can also help identify solutions with protections that are on par with, if not superior to, on-premises solutions currently used by FSIs.

Microsoft’s core cloud services are certified compliant with international standards such as ISO 27018. We also provide contractual commitments that can be mapped to the applicable ISO 27001 and Malaysian privacy regulations. Microsoft has engaged in depth with BNM and the Personal Data Protection Commission to demonstrate the appropriateness of its cloud services for all categories of personal data.


Find out more

Trust Center: microsoft.com/trustcenter

Service Trust Portal: aka.ms/trustportal

Financial Services Amendment: Contact your Account Manager

Online Services Terms: microsoft.com/contracts

Compliance program for regulated financial services customers: Contact your Account Manager

Service Level Agreements: microsoft.com/contracts

SAFE Handbook: aka.ms/safehandbook

© 2016 Microsoft Corporation. All rights reserved. This document is provided “as is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. This paper is not intended to be a comprehensive analysis of all regulations and their requirements, nor is it legal advice; rather it is intended to be a summary and to provide guidance to FSIs in Malaysia on the types of issues they should consider. Microsoft, the Microsoft logo, Azure, Dynamics and Office 365 are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.