SBP Sets Criteria for Outsourcing Regulated Entities’ Workload to Cloud Providers

The State Bank of Pakistan (SBP) has rolled out a framework to set out minimum requirements for Regulated Entities (Res) to outsource their material and non-material workloads to Cloud Service Providers (CSPs).

This framework will apply to all Res including Banks, Digital Banks (DBs), Microfinance Banks (MFBs), Development Finance Institutions (DFIs), Electronic Money Institutions (EMIs), Payment System Operators (PSOs) and Payment System Providers (PSPs).

The framework will cover all types of cloud service models (i.e. SaaS, PaaS and IaaS) and will be applicable on all types of cloud deployment models (i.e. public, private, community, and hybrid).

The objectives of the framework is to facilitate REs to design and offer innovative products and services by embracing cloud technology and effectively managing the risks arising out of these arrangements.

The framework sets out minimum requirements for SBP’s REs to outsource their material and non-material workloads to CSPs through a risk-based approach in a safe and secure manner. Henceforth, all cloud outsourcing arrangements shall be governed under this framework.

All types of workloads (i.e. material and non-material) may be outsourced to reputable onshore (i.e. domestic) CSPs. EMIs, non-designated PSOs/ PSPs may outsource their material and non-material workloads to offshore (i.e. outside Pakistan) CSPs.

Banks, MFBs, DBs, DFIs and designated PSOs/PSPs may outsource their non-material workloads to offshore CSPs. However, outsourcing of their material workloads to offshore CSPs will be subject to SBP approval.

REs will exercise reasonable care before entering into cloud outsourcing arrangements, REs will conduct reasonable due diligence of the CSPs and their material sub-contracting arrangement to ensure effective management of the associated risks.

REs will develop a contingency plan for their cloud outsourcing workloads in order to deal with any disruption/degradation of cloud-related services. The contingency plan will take into account all possible scenarios regarding the unavailability of cloud service providers’ related services due to various reasons such as technical/connectivity issues, the inability of CSP to provide services due to legal actions in their respective jurisdictions.

REs will ensure that cloud outsourcing does not hinder SBP in conducting its supervisory functions. In this regard, the REs will ensure that their internal & external auditors/ independent assessors and SBP have right to conduct audits and onsite assessments of the CSP and its sub-contractors if required.

Further, there should be no restriction or prohibition on access to REs’ cloud-related information assets and services for the RE, its auditors, independent assessors or SBP’s authorized staff or such visits are otherwise not impractical.

REs will implement a complete life cycle of user access management for their cloud-related workloads Further, REs will ensure that all existing cloud outsourcing arrangements are compliant with the requirements of the framework by December 31, 2023.