Asia Cloud Computing Association’s (ACCA) Response to the Merchant Acquiring Services Exposure Draft

Published 1 September 2020. Submission in response to Bank Negara Malaysia's Merchant Acquiring Services Exposure Draft: https://www.bnm.gov.my/index.php?ch=en_announcement&pg=en_announcement&ac=816&lang=en

Asia Cloud Computing Association's (ACCA) Response to the Merchant Acquiring Services Exposure Draft | Sep 2020

Pengarah
Jabatan Pemantauan Pembayaran
Bank Negara Malaysia
Jalan Dato' Onn
50480 Kuala Lumpur

Submitted via email to pdpolicy@bnm.gov.my

1 September 2020

Dear Sir/Madam,

Re: Asia Cloud Computing Association's (ACCA) Response to the Merchant Acquiring Services Exposure Draft

The ACCA appreciates the efforts of Bank Negara Malaysia (BNM) to clarify regulations for Merchant Acquiring Services to account for technological change. As financial institutions increasingly shift to digital environments, particularly due to challenges brought on by the COVID-19 pandemic, we believe that clear and enabling regulations for technology use such as cloud computing are key to helping meet customer needs while ensuring proper protections are in place.

As the apex industry association for Asia Pacific stakeholders in the cloud computing ecosystem, the ACCA represents a vendor-neutral voice of the private sector to government and other stakeholders. The ACCA's mission is to accelerate the adoption of cloud computing throughout Asia Pacific by helping to create a trusted and compelling market environment, and a safe and consistent regulatory environment for cloud computing products and services. We are committed to strengthening digital resilience, and to the development of a safe and secure ecosystem where data is protected by the best technology and regulatory frameworks, in support of a better world for all.

Following discussions with our member companies, we are submitting the following comments on the Merchant Acquiring Services Exposure Draft. Should you have any questions on our comments, I would be pleased to arrange a videoconference discussion with our members. Thank you, and I look forward to hearing from you on the issues raised.

Yours sincerely,

Lim May-Ann
Executive Director
Asia Cloud Computing Association
mayann@asiacloudcomputing.org

Asia Cloud Computing Association's (ACCA) Response to the Merchant Acquiring Services Exposure Draft

The ACCA thanks Bank Negara Malaysia (BNM) for the opportunity to submit feedback on the Merchant Acquiring Services Exposure Draft (the "Exposure Draft").

1. General Comments

a. As a general comment, we would like to encourage consistency between the Merchant Acquiring Services Exposure Draft and the current BNM Outsourcing Guidelines to help avoid confusion.

b. In addition, we would also like to suggest a consultation on operational issues related to Risk Management in Technology (RMiT) to align regulatory expectations with current international best practices.

2. Comments on Section 16.5(c)

This provision stipulates that, as part of their outsourcing agreements, acquirers must have provisions for on-site inspection of service providers, which would include cloud service providers (CSPs).

a. The ACCA would like to highlight that for CSPs, requiring on-site customer access poses a security risk due to the multi-tenanted environment of the public cloud model. Physical access rights would allow acquirers to access the same physical environment used by many other companies, and also present the potential for property damage or personal injury.

b. In addition, such access rights also conflict with international security best practices and standards for public cloud.

c. We would also like to note that this audit right also runs counter to BNM's Outsourcing Guidelines (the "Outsourcing Guidelines"), which recognise alternative means of exercising audits and inspections of CSPs, such as relying on third-party audit reports (Section 11.3 of the Outsourcing Guidelines).

d. Recommendation: To align with the Outsourcing Guidelines, we suggest that BNM revise Section 16.5(c) to explicitly state that service providers can provide regular audit reports certifying that they are compliant with global security standards. We therefore recommend that this section be amended per the below, which is substantively the same as the Outsourcing Guidelines:

"The acquirer may rely on third party certifications and reports made available by a cloud service provider to exercise its access rights under this section, provided such reliance is supported by an adequate understanding and review of the scope of the audit and methods employed by the third party, and access to the third party and service provider to clarify matters relating to the audit."

3. Comments on Section 16.6

a. This section contains a requirement for outsourced parties such as CSPs to provide a written undertaking to comply with additional privacy requirements set by BNM, which is not compatible with the shared responsibility framework under which CSPs operate. In this framework, CSPs work in tandem with customers, such as acquirers, to assure data security, privacy, and reliability. Customers maintain governance over the entire IT control environment and retain full control and ownership over data and other content when using a CSP's services. The customer is also responsible for determining the levels of security they wish to adopt for data storage and processing. When a customer retains control of security processes to protect their own content, applications, systems and networks, the level of oversight and control that they exercise is no different from applications run by an entity in an on-site data centre. The ACCA highlights that the CSP does not have access to customer data, nor does it have visibility over the content of customer data. The CSP also does not have any control over the security controls that the customer has chosen to apply to that content. Any proposal to extend the visibility of CSPs to customer data handling would breach security and privacy best practices, and invalidate multiple security certifications.

b. This stipulation for an undertaking is also not contained in the Outsourcing Guidelines, which have provisions to ensure that CSPs maintain confidentiality.

c. Recommendation: We recommend amending Section 16.6, as shown below:

"In addition to the requirements in paragraph 16.5(b), where the outsourced party will have access to documents or information relating to the affairs or account of any customer of the acquirer, the acquirer shall ensure that the outsourced party has appropriate controls to safeguard the security, confidentiality and integrity of any information shared with the Outsourced Party. The acquirer shall also ensure that the service provider is bound by adequate confidentiality provisions stipulated under the outsourcing agreement."

4. Comments on Section 16.8

a. As the extent to which service providers may use subcontractors and the roles of subcontractors can vary greatly, the requirement for acquirers to implement controls for subcontractors to comply with all relevant regulatory requirements may be interpreted as overly prescriptive and may not be feasible for hyperscale CSPs.

b. However, adequate controls should be put in place for subcontractors that correspond to the subcontractor's role in the delivery of services to the acquirer. As Section 9.6 of the Outsourcing Guidelines recognises, the key issue with subcontracting is to ensure that subcontracting does not diminish the ultimate responsibility of the primary service provider.

c. Recommendation: We recommend that Section 16.8 be amended as shown below:

"The requirement in paragraph 16.7 is also applicable when an outsourced party engages a subcontractor to undertake the activities that were outsourced by the acquirer, whereby the acquirer shall implement proper controls to ensure the accountability of the primary outsourced party over the performance and conduct of the subcontractor in relation to the outsourcing arrangement. that the subcontractor complies with the relevant requirements based on standards issued by the Bank to acquirers from time to time."
