Lim Hng Kiang, Singapore minister for trade and industry and MAS deputy chairman made the announcement at a banking industry dinner last week.
"MAS recognises cloud services can offer various benefits such as scalability and advanced functionalities, and is amenable to banks leveraging on cloud services to fulfil their business and operational needs," the minister said. "MAS expects banks to ensure that their risk management measures are commensurate with the nature, scope and complexity of the cloud deployment models that they adopt."
In his speech Lim Hng Kiang said that the new guidance on cloud use would update existing guidance on outsourcing that MAS produced in 2004. The guidelines will place "a greater emphasis on safeguarding customer information" and also put "a greater focus on FIs’ outsourcing risk management framework", he said.
"MAS views seriously the responsibility of banks to safeguard the integrity and security of customer information held by the bank and its service providers," he said. "To enhance the protection of critical customer information, outsourcing arrangements involving certain customer information will be subject to a higher standard of care."
"FIs were previously expected to pre-notify MAS of any material outsourcing arrangements, and MAS would impose prudential requirements on the FI, where necessary. With the growing prevalence and complexity of outsourcing arrangements, such a case-by-case approach has become less tenable. Instead, MAS will continue to assess and monitor the robustness of FIs’ outsourcing risk management frameworks while FIs will continue to be responsible for ensuring the safety of all of their outsourcing arrangements. The revised guidelines will no longer require FIs to pre-notify MAS of any outsourcing arrangements."
Bryan Tan of Pinsent Masons MPillay, the Singapore joint venture partner of Pinsent Masons, the law firm behind Out-Law.com, said: "Banks in Singapore have been very conservative in cloud adoption. There have been recent moves to develop standards and guidelines for cloud users and service providers in Singapore such as the multi-tier cloud security standard, and cloud outage and incident response guidelines – the MAS guidelines will provide more guidance for financial institutions going to the cloud."
The Infocomm Development Authority of Singapore recently issued guidelines on cloud outage incident response (COIR) to help cloud providers and the businesses that use their services to manage data breaches in line with the country's data protection regime.