Compliance for Financial Services (Asia Pacific and Japan) - VMware Cloud on AWS
The global financial services industry is in a phase of significant transformation, shaped by increased consumer demand for online and mobile banking services and by competition from traditional and disruptive financial services. Keeping up with these challenges requires a multitude of changes to the existing IT infrastructure, including modernizing the underlying systems and designing systems for high security and resiliency. Cloud computing is playing a major role in this transformation journey to deliver services in a secure, reliable and cost-effective manner. While the benefits of cloud computing are enormous, the increase in its use has also attracted scrutiny from regulators and has put more pressure on financial institutions to deliver services in a compliant manner, protect critical data and, all in all, maintain consumers' trust in the banking industry.
Financial services is one of the most significant industries in the Asia Pacific region, serving as the backbone of the economy. As such, regulators across various Asia Pacific countries are increasingly creating compliance frameworks to address the challenges associated with cloud computing. In this blog, we explore some of the key compliance frameworks in the Asia Pacific region and discuss how VMware is responding to the cloud compliance needs of both regulators and financial institutions.
Singapore
The Monetary Authority of Singapore (MAS) is the financial services regulator in Singapore. MAS permits the use of cloud computing by financial institutions and has published various guidelines, such as the MAS Guidelines on Outsourcing, the Technology Risk Management Guidelines and the Cloud Implementation Guidelines, which provide guidance on sound risk management practices for outsourcing, including cloud. VMware Cloud on AWS has built-in, industry-leading security and compliance features to help financial institutions adopt the MAS guidelines. Our controls are evaluated by internal and external auditors to provide assurance to our customers over the security and compliance controls built into VMware Cloud on AWS.
The Outsourced Service Provider Auditor Report (OSPAR) prescribed by the Association of Banks in Singapore (ABS) is an industry-recognized compliance framework for Singapore financial institutions engaged in outsourcing. VMware Cloud on AWS has undergone a rigorous external audit and successfully completed the OSPAR framework. Financial institutions wishing to migrate workloads to VMware Cloud on AWS can use our OSPAR report to evaluate VMware Cloud on AWS' controls and processes and to assess how we address the relevant security and compliance risks and support customers in seamlessly migrating workloads to the cloud. For a copy of the OSPAR report, please contact your account manager.
Since achieving OSPAR, VMware Cloud on AWS has included the Singapore MTCS (Multi-Tier Cloud Security Standard) compliance certification on its roadmap, which will provide further assurance to our customers over our security and availability controls.
Japan
The Japanese Financial Services Agency (FSA), the regulator of financial institutions in Japan, has permitted the usage of cloud computing provided that institutions comply with applicable legal and regulatory requirements.
The Center for Financial Industry Information Systems (FISC), a government agency under the Ministry of Finance, together with the Japan FSA, has established a set of security controls and guidelines to promote information security measures for financial institutions. These are called the FISC Security Guidelines on Computer Systems for Financial Institutions. The FISC guidelines are a comprehensive set of requirements that enable financial institutions to strengthen the security posture of their systems and implement measures to prevent and manage cyber security risks.
VMware Cloud on AWS has published a whitepaper on FISC that describes our security controls and processes for addressing the FISC Security Guidelines on Computer Systems for Financial Institutions. Financial institutions can use this information to assess the service risk in terms of security, privacy and business value, and to establish an informed risk profile when moving workloads to VMware Cloud on AWS. See the whitepaper at VMC Japan FISC Guidelines Whitepaper.
In addition to FISC, VMware Cloud on AWS is currently in the process of obtaining the Information System Security Management and Assessment Program (ISMAP) certification, which is a Japanese government program for assessing the security of public cloud services.
Australia
The Australian Prudential Regulation Authority (APRA) is the financial services regulator in Australia. APRA permits the use of cloud computing and has an open stance on the adoption of cloud computing by financial institutions.
APRA released the "Information Paper: Outsourcing involving cloud computing services" in September 2018 to provide guidance to regulated financial entities about cloud computing. VMware Cloud on AWS has published a whitepaper describing how we address the APRA guidelines and how Australian financial services organizations can leverage VMware Cloud Services to meet APRA's requirements for outsourcing. See VMC APRA Guidelines on Outsourcing Whitepaper.
In addition to the APRA guidelines, another prime cloud security framework in Australia is the Information Security Registered Assessors Program (IRAP) Cloud Security Assessment. While this is more focused on the public sector, its controls and guidelines are comprehensive enough to address a variety of cloud compliance requirements for financial institutions. VMware has successfully undergone the IRAP assessment, demonstrating compliance against some of the robust security requirements.
Conclusion
Regulatory compliance is a key concern for financial institutions when adopting cloud, as it requires addressing several national and international legal and regulatory requirements. To support our customers in meeting these requirements, VMware continuously evolves its practices in line with leading legal and security frameworks and has obtained several globally recognized compliance certifications such as ISO 27001/17/18, SOC2, PCI-DSS, HIPAA, GDPR, CSA Level 1 and Cyber Essentials Plus.
VMware Cloud on AWS has supported a wide variety of financial institutions in Singapore in modernizing their banking platforms and in enabling innovation and digital transformation by exploiting the flexibility of the Software-Defined Data Center (SDDC), while helping customers stay compliant and secure their data. For more information on VMware Cloud on AWS compliance, visit the VMware Cloud Trust Center or reach out to your account manager.
If you would like to learn more about VMware Cloud on AWS, here are some learning resources for you: