Please refer to BPRD Circular No. 05 of 2017 on ‘Enterprise Technology Governance and Risk Management Framework for Financial Institutions’, BPRD Circular No. 06 of 2019 on ‘Framework for Risk Management in Outsourcing Arrangements by Financial Institutions’ and BPRD Circular No. 04 of 2020 on ‘Outsourcing to Cloud Service Providers (CSPs)’.
2. In this regard, in order to enable SBP’s Regulated Entities – REs (Banks, Digital Banks – DBs, Microfinance Banks – MFBs, Development Finance Institutions – DFIs, Electronic Money Institutions – EMIs, Payment System Operators – PSOs and Payment System Providers – PSPs) to design and offer innovative products and services by embracing the cloud technology and effectively manage the risks arising out of these arrangements, SBP has developed ‘Framework on Outsourcing to Cloud Service Providers’ (enclosed). The framework sets out minimum requirements for SBP’s REs to outsource their material and non-material workloads to CSPs through a risk-based approach in a safe and secure manner. Henceforth, all cloud outsourcing arrangements shall be governed under this framework.
3. REs may outsource their workloads to CSPs in the manner as prescribed in Section E of attached framework. Further, REs shall ensure that all existing cloud outsourcing arrangements are compliant with the requirements of the framework by December 31, 2023.
4. Please acknowledge receipt.
Enclosure: Framework on Outsourcing to Cloud Service Providers