Cloud Computing System for Banks Should Be Located in Pakistan: SBP

State Bank of Pakistan (SBP) has directed banks to utilize cutting-edge Cloud Computing technology. However, their systems and service providers shall be located in Pakistan along with all physical servers and services that are also operable from within Pakistan.

The central bank made strict its condition for using Cloud Computing services by the banks though previously up to 30 percent of services could be availed from outside the country through foreign service providers that have an edge on local companies.

SBP rolled out a draft of “Framework on IT Governance and Risk Management in Financial Institutions” for commercial banks, microfinance banks and DFIs in which it touched upon various aspects of IT applications in the banking industry.

Cloud Computing Services

SBP directed that banks shall perform an enhanced level of due diligence for all forms of outsourcing arrangements involving cloud environment. Specifically, these financial institutions shall be aware of cloud computing’s unique attributes and risks especially in areas of data integrity, sovereignty, commingling, platform multi-tenancy, recoverability and confidentiality, regulatory compliance and auditing.

Banks shall segregate their data and applications into core and non-core categories to ensure that the core applications and business processes (which use customer’s identification and/or transactional data) are not used in public cloud computing.

They shall ensure that applications/systems which use customer’s identification (KYC/CDD) data and/or transactional data/information shall not be placed in a cloud environment.

The central bank directed that commercial banks shall ensure strict adherence to the principles while entering into an arrangement with vendors and service providers involving cloud computing.

Commercial banks should maintain complete transparency as to where data will be physically processed and stored under Cloud Computing setup.

Customers’ data must be segregated from other data held by the Service Provider while their data will not be used for any other purpose other than that which is necessary to provide.

Role of Banks’ BoD on IT Strategy

SBP, in its draft framework, directed that bank’s board of directors shall approve overall Enterprise IT strategy in line with the business strategy of the organization and monitor and update the same on regular basis keeping in view upcoming opportunities and threats.

Banks BoD shall approve an IT governance framework to ensure that organization’s IT infrastructure supports and enables the achievement of the corporate strategies and objectives.

BoD shall approve all IT Management and Information/cyber Security policies and review report on the effectiveness of the information security program at least on annual basis. They will oversee a safe, sound, controlled and efficient IT operating environment that supports the institution’s goals and objectives.

Cyber Security Action Plan

Banks shall formulate Cyber Security Action Plan in order to anticipate, withstand, detect, and respond to cyber attacks in line with international standards and best practices. They shall implement appropriate controls to prevent any cyber security incident depending on the size and complexity of its IT environment.

Board-level and senior management-level engagement is critical to the success of firms’ cyber security programs, along with a clear chain of accountability. Banks shall establish and maintain a robust and properly implemented cyber security awareness program, and ensure that end-users are aware of the importance of protecting sensitive information and the risks of mishandling information.

Banks management shall be aware of and mitigate risks associated with IT operations. Banks and its service providers may have one or more IT operations groups. Common examples of IT operations are data center or computer operations, network services, distributed computing, personal or desktop computing, change management, project management, security, resource management, and contingency and resiliency planning. Many operations functions have significant risk factors that shall be addressed through effective management and control.

SBP has developed this framework to keep abreast with the aggressive and widespread adoption of technology in the financial service industry and consequently strengthen existing regulatory framework for IT risk supervision. The framework is broadly based on COBIT framework that shall be integrated with the financial institutions’ overall enterprise risk management program.

All commercial and microfinance banks are directed to upgrade their systems, controls and procedures to ensure compliance with these instructions latest by December 31, 2017.


  • ZAHID

    Oracle provide on your own premises cloud to meet the regulatory requirement.

    • Asad Khan

      ROFL

    • ximian

      No Sir. That’s a glorified virtualization box running on commodity hardware and software and bought by gullible customers for a premium for who could get fired in this day and age for buying Oracle. Spare us the marketing.

      • Asad Khan

        Correctly said. Their so called cloud solution is only a hypervisor at best!

  • SBP Launch One Bank Andriod Apps for all Bank account in Pakistan :
    If anyone have bank account then you can access all facilities (unless the permission your bank) in one places.

  • Hamay to Roz Her Bank Account Se Fake Email Ati Rehti Hai :
    Your Bank account has been blocked click to the link :
    Halank aj tak mere apne bank se nahi aye baki tamam bank se ati rehti hai jaha account he nahi :

    • Abid Ali

      Aapko aati hongi, hamein kabhi nhi, 4 banks me accounts hain aur.

      • Hotmail Main Spammer emails ati rehti hai : Uski bat kar raha ho

        • Abid Ali

          Read your own comment again. You said her bank account se aati hain. Spammers send krtay hain banks nhi.

          • *Correction* Spammer Se Ati Hai Or Wo Her Bank Ka Naam Use Karta Hai

  • Nasir Amin

    RapidCompute is well positioned here. They have ISO 27001 and PCI DSS security certifications so far ahead of the pack.

    Now just to see if their team can execute…

  • Binte Islaam

    Asalam o alaikum, Can anyone guide me how many banks operate on cloud after State Bank of Pakistan new centralized data policy? and security risks banks might have to face on cloud computing?