Pathways to Regulatory Compliance in Your Cloud Journey - Malaysia

References for security and compliance professionals in the Financial Sector

The Regulatory Environment in Malaysia

Malaysia is one of the fastest growing economies in the Association of Southeast Asian Nations (ASEAN) and is adapting to the rapidly changing financial market. Bank Negara Malaysia (BNM), the central bank of Malaysia, established the Financial Technology Enabler Group (FTEG) in June 2016 to support the development of FinTech in Malaysia. Likewise, Malaysia's Digital Economy Corporation (MDEC), a government-owned institution, is also driving the digital economy of Malaysia.

The “Cloud First” strategy has been introduced in Malaysia to promote cloud adoption in both the private and public sectors and to accelerate Malaysia’s digital economy. BNM is reshaping its regulatory and supervisory framework from a technology risk management perspective to keep up with innovations and FinTech solutions in the financial sector. This includes guidelines regarding the use and adoption of cloud services.

Alibaba Cloud has already worked with financial institutions, helping them migrate to the cloud. This demonstrates that Alibaba Cloud is ready to support customers from the financial sector by meeting BNM’s security compliance requirements during the process of cloud adoption.

Bank Negara Malaysia (BNM)

Bank Negara Malaysia (BNM) is the central bank of Malaysia. Its aim is to promote monetary and financial stability. BNM is also responsible for maintaining financial system stability by developing a sound, resilient, progressive and diversified financial sector.

Risk Management in Technology

BNM issued the Guidelines on Risk Management in Technology (RMiT) in July 2019. RMiT sets out requirements for financial institutions regarding governance, technology risk management, operations management, and cybersecurity management. It also covers the use of public cloud computing services, stating that financial institutions are required to conduct risk assessments prior to cloud adoption.

Alibaba Cloud understands the focus areas behind the requirements set out in the RMiT guidelines and has prepared responses to the relevant conditions. For details, refer to Alibaba Cloud User Guide – Financial Services Regulations & Guidelines in Malaysia below.

Guidelines on Outsourcing

BNM issued the new Guidelines on Outsourcing arrangements for financial institutions in December 2018. The Guidelines on Outsourcing set out the requirements for managing outsourcing processes and risks at financial institutions. Financial institutions are to conduct a comprehensive and robust due diligence process over their outsourced service providers, including cloud service providers.

Alibaba Cloud helps financial institutions with their due diligence and risk management processes by responding, from the cloud service provider’s perspective, to the outsourcing-related risks identified in the Guidelines on Outsourcing. For the detailed responses, refer to Alibaba Cloud User Guide – Financial Services Regulations & Guidelines in Malaysia below.

Financial Technology Enabler Group (FTEG)

The Financial Technology Enabler Group (FTEG) was established by BNM and is responsible for formulating and enhancing regulatory policies to facilitate the adoption of technological innovations in the Malaysian financial services industry. The FTEG established regulations on technology risk to ensure security, consumer trust and confidence in the financial system. Financial institutions are required to utilize technology to manage the cyber risk from malware attacks, DDoS and hacks.

Department of Personal Data Protection (JPDP)

The Department of Personal Data Protection (JPDP), an agency under the Ministry of Communications and Multimedia (KKMM), is responsible for enforcing and regulating the PDPA in Malaysia.

Personal Data Protection Act 2010 (PDPA)

The Personal Data Protection Act (PDPA) 2010 came into force in Malaysia on 15 November 2013 with the objective of regulating the processing of personal information to protect an individual’s personal data concerning commercial transactions. Alibaba Cloud complies with the PDPA to secure the personal data of individuals.

Informational Resources

Alibaba Cloud provides customers with resources on how Alibaba Cloud can help to facilitate compliance with BNM’s requirements.

Frequently Asked Questions

1. Is a formal approval needed from BNM regarding the outsourcing arrangement?

Yes, BNM’s prior written approval needs to be obtained before entering into a new material outsourcing arrangement or making a significant change to an existing material outsourcing arrangement. For non-material outsourcing arrangements, financial institutions are required to maintain a complete, accurate and up-to-date register and make it available to BNM upon request.

2. Is offshore outsourcing allowed in Malaysia?

BNM permits outsourcing outside Malaysia on the condition that financial institutions address the additional risks (such as country risks) associated with overseas outsourcing arrangements, maintain the same level of ability to monitor service providers and to recover the business if a service provider fails, and preserve BNM’s timely and unrestricted access to the systems, information or documents. Alibaba Cloud has two availability zones available in Malaysia, which local financial institutions can conveniently utilise and manage so as to mitigate the risks associated with overseas outsourcing.

3. For multi-tenanted solutions, how would a customer’s information and systems be segregated from other customers, such that security and availability are ensured between customers relying on the same infrastructure?

Isolation between multiple tenants in a cloud computing environment is realised through virtualization technology. Alibaba Cloud’s platform uses a virtualized environment that provides computing isolation at multiple levels to protect data, and ensures isolation between tenants at the storage and logical virtual network layers to prevent unauthorised access.