[Pakistan] AIC Commends SBP on BPRD Circular No. 04 of 2020 on Outsourcing to Cloud Service Providers (CSPs) (Oct 2020)

The Asia Internet Coalition (AIC) would like to take this opportunity to commend the State Bank of Pakistan's (SBP) recent decision to allow financial institutions to use cloud services through BPRD Circular No. 04 of 2020 on Outsourcing to Cloud Service Providers.

First and foremost, we congratulate you on your leadership and vision in drafting the Circular, which is seen as a progressive and positive step for financial institutions to outsource hosting on the cloud to both domestic and international cloud service providers (CSPs). While the Circular updates part of the language of two earlier circulars issued in 2017 and 2019 concerning the ‘Enterprise Technology Governance and Risk Management Framework for Financial Institutions (FIs)’, the underlying decision by SBP will provide access to much-needed FinTech infrastructure in Pakistan. This progressive policy measure, which will empower financial institutions to leverage cloud services to a significant extent, demonstrates the commitment of the SBP towards enhancing the cybersecurity and consumer protection of Pakistan’s digital financial ecosystem.

The Circular aims to simplify the government’s stance on data sovereignty, which is confused with the concept of data residency. It also emphasizes the importance of security as one of the objectives in migrating workloads and data onto the cloud, to mitigate the risks and vulnerabilities associated with adopting the chosen cloud deployment model. It also enhances the concept of data ownership, thereby ensuring the transfer, storage, or processing of data in cloud infrastructure. FIs and technology-dependent companies rely on cloud storage solutions for their data management because these solutions offer an affordable and scalable way to deploy the latest technology and tools across the network to make it secure. This is not possible with data localization.