Navigating your way to the cloud

A practical guide for financial institutions in Sri Lanka

Navigatingdownload.microsoft.com/download/2/D/F/2DFCAD5C-D5EA-4BC9... · 2018-10-13 · Overview: The four essential steps to a successful cloud adoption Based on Microsoft’s experience


Contents

Introduction

Overview: The four essential steps to a successful cloud adoption

About this paper

Step 1: Full understanding of CBSL requirements

Step 2: Full, informed stakeholder involvement

Step 3: Targeted CSP selection criteria

Step 4: A compliant contract


Introduction

Sri Lanka is benefiting from a rapid economic transformation, fuelled in part by the growth of its digital economy. The financial services industry has been at the forefront of this transformation, as financial services institutions (FSIs) reassess their technology strategies to address shifting customer expectations, growing competition from disruptive new market entrants, and a challenging macroeconomic landscape.

FSIs in Sri Lanka are increasingly partnering with cloud services providers (CSPs) such as Microsoft to empower their organisations to achieve more. However, recent research [1] (published by Forrester and commissioned by Microsoft) reveals that, despite a strong interest in cloud technology, the pace of cloud adoption in Sri Lanka and other markets has been slowed by misconceptions about regulation. Contrary to these misconceptions, there are no outright regulatory barriers to the adoption of cloud in Sri Lanka. For a broad range of expressly permitted activities, no regulatory approval is required. Indeed, the digital revolution is supported by clear and transparent directions from the Central Bank of Sri Lanka (CBSL), which has continued to look outwards to bring industry best practices to Sri Lanka from experienced service providers in the region and globally. For example, the Outsourcing Direction in 2012 (see Step 1, below) brought welcome clarity to Banks wishing to adopt cloud services.

We believe that no other CSP has more experience delivering compliant cloud solutions to FSIs in Sri Lanka than Microsoft. Having helped several FSIs move to the cloud and engage directly with CBSL to understand their priorities for security and cloud computing for FSIs, Microsoft recognises that a CSP needs to actively facilitate compliance through full, transparent, proactive engagement with the financial services community. Through this process of collaboration over several years, Microsoft has developed excellent experience and a pool of practical resources to help FSIs move to the cloud in a way that meets the highest compliance, risk and security standards. Microsoft is delighted to share the full benefit of these experiences, in part by this paper, with a view to addressing the common misconceptions and setting new standards in the rapidly evolving FSI sector in Sri Lanka. From the initial procurement stages of a cloud adoption through to an understanding of CBSL’s regulatory requirements and what to look out for in the cloud contract itself, this paper will act as a practical guide to help Sri Lankan FSIs successfully adopt Microsoft cloud services [2].

By following the practical steps outlined in this paper, Sri Lankan FSIs can navigate their way to the Microsoft cloud with confidence and enjoy the benefits of the digital transformation that is happening in Sri Lanka.

[1] Forrester Consulting, Ensuring Agility and Trust in a Rapidly Changing Financial Services Market, published April 2016.

[2] This paper is not intended to be a comprehensive analysis of all regulations and their requirements, nor is it legal advice; rather, it is intended to be a summary and to provide guidance to FSIs in Sri Lanka on the types of issues they should consider.


Overview: The four essential steps to a successful cloud adoption

Based on Microsoft’s experience of working with FSIs in Sri Lanka, a successful cloud adoption rests on four steps, as shown below. Importantly, Microsoft recognises that each of these steps is inter-related and inter-dependent.

Cloud Adoption

1. Full understanding of CBSL requirements

2. Full, informed stakeholder involvement

3. Targeted CSP selection criteria

4. A compliant contract

About this paper

FSIs in Sri Lanka are regulated separately as Banks, Finance Businesses and Insurance Companies. (See Step 1, below.) Although the majority of the rules on outsourcing are a requirement for Banks only, good practice would be for Finance Businesses and Insurance Companies also to follow the rules and the recommendations as set out in this paper.


Step 1: Full understanding of CBSL requirements

In Microsoft’s experience, a successful cloud adoption in Sri Lanka requires a full understanding of CBSL requirements, not just by the FSI but also by the CSP. Below, we set out further detail on the CBSL regulatory environment as well as some practical suggestions.

Overview of the regulatory environment for FSIs in Sri Lanka

Who is the regulator?

CBSL acting through its monetary board (Monetary Board) is the overarching regulator for Banks and Finance Businesses (each as defined below) and may issue directions on operational aspects.

Specific supervisory functions over Banks and Finance Businesses are exercised by the Director of the CBSL Department for Supervision of Banks and the Director of the CBSL Department for Supervision of Non-Bank FSIs, respectively (each ‘the Director’ as applicable).

The Insurance Board of Sri Lanka regulates Insurance Companies.

Are cloud services permitted?

Yes. CBSL issued the Outsourcing Direction (see below), which anticipates and permits the use by Banks of certain outsourced IT services, including typical cloud computing services.

Microsoft has partnered with a number of FSI customers who have successfully deployed Microsoft cloud services in Sri Lanka.

What regulations and guidance are relevant?

‘Licensed commercial banks’ and ‘licensed specialised banks’ (Banks) are regulated by the Banking Act, No. 30 of 1988.

‘Finance businesses’ (Finance Businesses) undertake a similar business to Banks but, for example, cannot maintain current accounts, cannot use ‘bank’ in their name and are subject to separate capital adequacy requirements. Finance Businesses are regulated by the Finance Business Act, No. 42 of 2011.

Insurance Companies are regulated under the Regulation of Insurance Industry Act, No. 43 of 2000.

For Banks: Outsourcing by Banks is governed by the ‘Direction on Outsourcing of Business Operations of Licensed Commercial Banks and Licensed Specialised Banks’, Direction, No. 2 of 2012 (Outsourcing Direction).

For Finance Businesses: Outsourcing by Finance Businesses is governed by the Finance Companies (Structural Changes) Direction, No. 1 of 2013 (the Direction).

For Insurance Companies: There are no specific requirements relating to Insurance Companies applicable to the use of Microsoft cloud services.


How would the use of Microsoft cloud services be classified?

For Banks: ‘Outsourcing arrangements’ are subject to the application of the Outsourcing Direction and most (if not all) Microsoft cloud services would qualify, if used by a Bank.

Outsourcing of any of the following broad range of ‘IT-related services’, which includes many typical Microsoft cloud services, is expressly permitted, subject to the Outsourcing Direction conditions, as described in this paper:

(i) Application/system development, testing, maintenance and support.

(ii) Technology infrastructure management, maintenance and support and help desks.

(iii) Maintenance and support to data centre operations.

(iv) Network administration.

(v) Disaster recovery support services.

(vi) Data entry operations.

(vii) Database maintenance and support.

(viii) Data warehousing.

(ix) Statements printing.

(x) Electronic banking systems development, maintenance and support.

(xi) Web hosting and maintenance.

(xii) Credit/debit/ATM card printing.

Outsourcing of other IT activities would technically require an exception from CBSL. In practice, several Sri Lankan FSIs have obtained this approval without difficulty and have successfully deployed Microsoft cloud solutions for non-listed IT services.

For Finance Businesses: Under the Direction, outsourcing is subject to the written approval of the Director. ‘Outsourcing’ is not defined in the Direction, which provides little detail. The Direction is concerned primarily with ‘structural change’ affecting Finance Businesses and it is typical practice in Sri Lanka to engage with the Director early to seek clarification on the applicability of the Direction to a proposed outsourcing.

For Insurance Companies: There are no specific requirements relating to Insurance Companies applicable to the use of Microsoft cloud services.

Are transfers of data outside of Sri Lanka permitted?

Yes. CBSL envisages outsourcing outside of Sri Lanka and specifically instructs Banks, under the Outsourcing Direction, to ensure in their security policies, procedures and controls that the service provider exercises a high standard of care and diligence to protect the confidentiality and security of Banks’ sensitive information. Banks are also required to have a comprehensive outsourcing policy in place. (See ‘Obtain detailed product and service information’ in Step 2, below.)

There are no specific requirements relating to non-Bank FSIs applicable to data transfer outside of Sri Lanka.


Is regulatory approval required?

No, for Banks outsourcing expressly permitted activities.

Yes, for Banks outsourcing activities that are not expressly permitted. Several Sri Lankan FSIs have obtained this approval without difficulty and have successfully deployed Microsoft cloud solutions for these IT services.

Yes, for Finance Businesses, if the Director confirms that the use of the proposed Microsoft cloud services constitutes ‘outsourcing’ under the Direction. No, if not.

No, for Insurance Companies.

When should the FSI engage with the regulator?

The Outsourcing Direction requires Banks to inform CBSL of the proposed outsourcing arrangements for each calendar year by 31 January of that year.

For Finance Businesses, as above, it is typical practice in Sri Lanka to engage with the Director early to seek clarification on the applicability of the Direction to a proposed outsourcing.

There are no specific requirements relating to Insurance Companies on engagement with the Insurance Board of Sri Lanka.

Are there particular forms or questionnaires the FSI needs to complete?

No. However, for Banks, the form of the annual notice to CBSL of outsourcing arrangements (see above) is provided in the Annex to the Outsourcing Direction.

How Microsoft helps

Microsoft has engaged directly with CBSL to understand their priorities on security and cloud computing for FSIs and has a detailed understanding of the regulatory framework and process. Issuing this paper is part of Microsoft’s commitment to its FSI customers to help them navigate and comply with the regulatory framework as it applies to cloud services.

To streamline the process, Microsoft has developed a set of checklists for Banks that build on the Outsourcing Direction by mapping to its requirements in Sri Lanka. These checklists are regularly used by FSIs as part of their transition to the cloud and are available from your Microsoft contact upon request.


Step 2: Full, informed stakeholder involvement

A smooth cloud adoption depends on full, informed stakeholder involvement from the outset, with decisions being based on a thorough understanding of the proposed cloud solution. Microsoft believes that it is the responsibility of a CSP to provide detailed product and service information to ensure that the key decision makers have all of the materials they need to make an informed decision and comply with CBSL regulatory requirements.

Recommendations

1. Build the core stakeholder team; develop the business case

CBSL requires that Banks place overall responsibility for outsourcing activities on the board and senior management. The Bank must also take into consideration the cost/benefit of the solution.

In Microsoft’s experience, the most successful adoptions of new technology depend on the involvement of stakeholders from across the institution. The best way to achieve this is to put in place a multi-disciplinary team from day one.

The technology and procurement teams should take the lead in developing the business case, with a focus on the operational and commercial factors driving the decision to adopt cloud services.

The legal, risk and compliance teams should be involved in these discussions from the outset, to map the proposed solutions against legal and regulatory requirements and to build in the necessary time frames. Many technology projects have been delayed by involving the legal and compliance functions too late in the process.

The board and senior management will typically require early reassurance in general terms regarding the business need for the use of cloud services and the oversight, review, reporting and response arrangements to be put in place with the CSP.

The information and analysis captured in developing the business case will also form a critical part of the CSP selection criteria (see Step 3, below) and will assist the Bank in assessing how it complies with the CBSL regulatory requirements. (See Step 1, above.)

2. Obtain detailed product and service information

In Microsoft’s experience, understanding the CSP’s products and services is very much dependent on the CSP’s willingness and ability to share relevant and specific technical information.

This is important in Sri Lanka as CBSL requires Banks to have a comprehensive outsourcing policy in place to guide the assessment as to how its operations are to be outsourced (Outsourcing Policy). The Outsourcing Policy must include a framework for risk identification and effective risk management. The Bank should therefore obtain detailed product and service information from the CSP at an early stage.

3. Understand the technical solutions available

Any technology procurement project requires that all of the key decision makers have a full understanding of the technology solution to be deployed. This is certainly the case with cloud adoption in Sri Lanka, where CBSL requires that Banks place overall responsibility for outsourcing activities on the board and senior management and take into consideration the costs/benefits of the solution (see above). An early and thorough understanding of the solution and the specific impact on the Bank’s business is therefore necessary.

In Microsoft’s experience, understanding begins by ensuring that the core team has a clear understanding of the proposed cloud service and deployment models. Microsoft has prepared the following summary of the different types of cloud service and cloud deployment models to assist with the early scoping aspect of any cloud project.


A summary of cloud delivery and deployment models

Definition

Cloud Computing, Cloud Services or Cloud means on-demand network access to a shared pool of configurable computing resources. In other words, cloud services provide FSIs with on-demand access, using a network connection, to information technology or software services, all of which a CSP configures to the needs of the FSI.

Cloud delivery models

1. Software as a Service (SaaS): Where the CSP makes software applications available to customers.

2. Platform as a Service (PaaS): Where the CSP provides a computing platform for customers to develop and run their own applications.

3. Infrastructure as a Service (IaaS): Where the CSP delivers IT infrastructure; e.g., storage space or computing power and may include delivery of the operating system.

Cloud deployment models

1. Public Cloud: Infrastructure is owned and managed by the CSP and not located on the customer’s premises. Although each customer’s data and services are protected from unauthorised access, the infrastructure is accessible by multiple customers. Given the operational and commercial benefits to customers, public cloud is increasingly seen as the de facto deployment model.

2. Private Cloud: Infrastructure is usually managed by the CSP (but sometimes by the customer). The infrastructure is located either on customer premises or, more typically, on the CSP’s premises. The data and services are able to be accessed only by the particular customer.

3. Community Cloud: Serves members of a community of customers with similar computing needs or requirements. The infrastructure may be owned and managed by members of the community or by a CSP. The infrastructure is located either on customer premises or the CSP’s premises. The data and services are accessible only by the community of customers.

4. Hybrid Cloud: A combination of two or more of Private Cloud, Public Cloud or Community Cloud.

How Microsoft helps

Microsoft’s expert team is on hand to support you throughout your cloud project, right from the earliest stages of initial stakeholder engagement through to entering into the contract and beyond. Our cloud product range spans all of the above cloud service and deployment models and we have developed a range of materials [3], including product fact sheets, online trust centres and CBSL checklists (including Outsourcing Policy requirements), designed to ensure that you have access to all the information needed to make an informed decision. In addition, we have subject-matter experts available to meet with you and your core stakeholders to provide specific and detailed information on the technical, contractual and practical aspects of your proposed cloud project.

[3] Materials are available via the Microsoft website and from your Microsoft contact directly.


Step 3: Targeted CSP selection criteria

Banks must ensure that their Outsourcing Policy includes a tender process and a procedure to assess the CSP’s capacity and capability to perform the obligations in the cloud contract. Although not mandatory, good practice would be for all FSIs to develop selection criteria to identify a CSP that can meet the applicable compliance, risk and security requirements.

Recommendations

CBSL does not provide specific criteria that FSIs must use to assess the CSP’s capacity and capability. In the table below, we set out the CSP selection criteria that our customers have informed us are most important to them. Unless otherwise indicated, the information below reflects Microsoft’s recommendation, based on our experience of best practice.

1. Technical capability

When it comes to assessing technical competence, industry standards are a useful objective tool for the FSI to use. ISO/IEC 27001 [4] and ISO/IEC 27018 [5] have become an expected minimum within the financial services industry around the world.

A core aspect of technical capability is the security of the proposed cloud solution. There is now a growing acceptance that cloud services can meet or even exceed the highest on-premises security practices. In addition to measuring compliance with international industry standards as described above, FSIs can measure CSPs against the ‘FSI Safe Cloud Principles’, a set of ten principles developed by the Asia Cloud Computing Association [6].

2. Financial stability

In any technology procurement, the financial strength of the supplier provides comfort as to its ability to provide continuity of operations and to compensate the FSI for any service failures or breaches of contract. Contractual promises carry little weight if the CSP cannot stand behind them financially. Accordingly, the FSI will want to carefully consider the financial position of the CSP. It is common for FSIs to request audited financial statements for at least each of the last three years and CSPs should be in a position to provide these.

3. Reputation

FSIs should carefully consider the CSP’s longevity and track record in the industry, not just in Sri Lanka but around the world. This would typically include asking CSPs for information as to their track record on delivering cloud projects to FSIs in the market and around the world, along with case studies. A competent CSP will have all of the required information readily available.

4. CSP experience

A key question for the FSI to ask the CSP is if they have a specific cloud compliance program for FSIs, designed to foster collaboration and compliance with regulatory requirements. The FSI may also ask whether or not, and to what extent, the CSP has previously provided cloud solutions for FSIs in Sri Lanka. Finally, FSIs may also expect their CSP to be able to demonstrate their understanding of, and how their solution is compatible with, the FSI’s culture and requirements. In Microsoft’s experience, all of these factors will help to facilitate smoother compliance with CBSL requirements and a successful cloud adoption.

[4] microsoft.com/en-us/TrustCenter/Compliance/iso-iec-27001

[5] microsoft.com/en-us/TrustCenter/Compliance/iso-iec-27018

[6] asiacloudcomputing.org/images/research/2014_-_Safe_Cloud_Principles_for_FSI.pdf


5. Capacity

First, it makes practical sense that the cloud solution is readily scalable to meet the FSI’s requirements as they scale up or scale down. Scalability is, of course, a core benefit of cloud technology.

Second, CSPs need to be able to keep up with a changing risk and regulatory environment. One aspect of this is developments in cloud security and privacy standards, which are under constant development by bodies such as ISO as well as industry groups.

6. Business continuity

It is a CBSL mandatory requirement for Banks that the CSP must have a satisfactory (and regularly tested) business continuity plan. Although not a CBSL mandatory requirement, CSPs should also offer contractually guaranteed uptime and provide robust physical redundancy.

How Microsoft helps

Microsoft confirms its ability to meet all of the criteria specified above and CBSL is already familiar with Microsoft’s offerings, which should make for a much smoother engagement process when engagement is required.

Microsoft is confident that its understanding of the FSI environment, based on experience of working closely with FSIs and CBSL, is market-leading in Sri Lanka and around the world. It has 40 years of IT experience, including decades as a CSP, and has a proven track record of successful cloud rollouts in Sri Lanka and elsewhere, in compliance with the highest financial services regulatory requirements and global security and risk standards such as ISO/IEC 27001 and ISO/IEC 27018.

Microsoft has large dedicated teams consisting of hundreds of lawyers, software engineers and policy experts whose sole mission is to identify and implement new cloud security and privacy standards across Microsoft’s portfolio of cloud services. Microsoft has a long and consistent history of being the first CSP to implement major new cloud standards, including recent examples such as ISO/IEC 27018.

In addition, Microsoft has created the Cloud Services Due Diligence Checklist (available via the Microsoft Trust Centre [7]). The checklist is based on the recent ISO/IEC 19086 standard. The ISO/IEC 19086 standard offers a unified set of considerations for organisations to help them make decisions about cloud adoption, as well as create a common ground for comparing cloud service offerings. Because it is grounded in the new standard, the checklist is service- and provider-neutral, applying to any organisation requiring cloud services and any cloud service provider.

[7] microsoft.com/en-us/trustcenter/Compliance/due-diligence-checklist


Step 4: A compliant contract

In practice, the CSP should help to facilitate compliance by demonstrating how their contract meets CBSL’s requirements.

Recommendations

CBSL suggests that, at a minimum, the following headings are addressed in the cloud contract. Microsoft has expanded upon these below, based on what our customers have informed us is important and with reference to ISO/IEC 19086.

1. Service standards

The contract should include a service level agreement that specifies and clarifies performance expectations as well as establishes accountability for the outsourced activity.

2. Rights, responsibilities and expectations of all parties

The contract should be clear as to the nature of the service, covering matters such as type of service, availability and location of facilities.

3. Dispute resolution mechanism

There should be a clear legal process for resolving disputes. In the event of a dispute relating to a service disruption, the resolution process should be set out in the contract.

4. Confidentiality and security of information

The contract should include provisions on security, confidentiality, data access and data ownership. It should also set out the procedures for the protection of data and include consequences for breach of data or confidentiality provisions.

5. Termination of contract

The contract should include details of the duration of the contract, termination rights and post-termination provisions.

6. Subcontracting (if involved)

The contract should include a mechanism to disclose all subcontractors that are involved in the delivery of the cloud services. The contract should include provisions to ensure that, where the CSP uses a subcontractor, the subcontractor is also bound by the key contractual commitments. Ultimate responsibility for performance should rest with the CSP.

7. Business continuity management

The contract should include plans for business continuity and dealing with emergencies.

How Microsoft helps

Microsoft understands that commitments made during the due diligence and supplier assessment stages are worth little unless backed up by binding contractual commitments. To make the contract review process easier for you, Microsoft provides a contract checklist. This lists the contractual terms that CBSL expects to be covered and explains where these terms are addressed in the Microsoft contract. This is available from your Microsoft contact upon request. This checklist provides an FSI with the confidence that its contract with Microsoft enables it to meet the applicable regulatory requirements.


Microsoft financial service compliance program

In addition, Microsoft’s financial services compliance program, developed specifically for FSIs, extends the compliance features of Microsoft Azure, Office 365, Dynamics and Windows Intune to provide deeper, ongoing engagement with Microsoft, including:

• Access to additional information from Microsoft subject-matter experts (SMEs);

• Access to additional compliance-related information developed by Microsoft over time;

• The opportunity for one-to-one discussions with Microsoft’s third-party auditors;

• Participation in webcast walk-throughs of ISO and SSAE audit reports with Microsoft SMEs;

• The ability to view the Microsoft control framework for the cloud services;

• The opportunity to recommend future additions to the audit scope of the cloud service; and

• Access to detailed reports of external audit penetration tests conducted on the cloud service.


Find out more

• Trust Center: microsoft.com/trustcenter

• Service Trust Portal: aka.ms/trustportal

• Financial Services Amendment: Contact your Account Manager

• Online Services Terms: microsoft.com/contracts

• Compliance program for regulated financial services customers: Contact your Account Manager

• Service Level Agreements: microsoft.com/contracts

• SAFE Handbook: aka.ms/safehandbook

© 2017 Microsoft Corporation. All rights reserved. This document is provided “as is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. This paper is not intended to be a comprehensive analysis of all regulations and their requirements, nor is it legal advice; rather it is intended to be a summary and to provide guidance to FSIs in Sri Lanka on the types of issues they should consider. Microsoft, the Microsoft logo, Azure, Dynamics, Office 365 and Windows Intune are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.
