Earlier this year, Cantilan Bank became the first financial institution in the Philippines to fully leverage cloud computing technology. After an 18-month pilot funded by the Asian Development Bank (ADB) and closely monitored by the Bangko Sentral ng Pilipinas (BSP), the rural bank transferred its core banking services and data onto a community cloud service provided by Europe-based Oradian. This milestone was the result of a cautious but forward-looking application of BSP’s “test-and-learn” approach to financial sector innovations. BSP’s experience with Cantilan and Oradian offers lessons for regulators in other emerging markets where financial services providers (FSPs) are looking at cloud computing as a way to improve data security, reduce costs and grow their businesses, thereby contributing to financial inclusion.
How the Philippines regulates cloud computing in the financial sector
BSP issued guidelines on IT risk management for supervised financial institutions in 2013, against a backdrop of rapidly evolving technology and growing numbers of financial institutions that were outsourcing their IT systems and processes. While these guidelines allow FSPs to use public clouds (i.e., cloud services accessed by the general public via the internet or other computer network) only for their noncore banking operations and business processes, they permit the overall use of private clouds (operated solely for an FSP) subject to compliance with existing BSP rules and regulations on outsourcing. Community clouds (for users with a common affiliation) and hybrid clouds (comprising two or more cloud models) must be approved by BSP and are subject to certain requirements, which include:
- Compliance with BSP outsourcing rules and regulations.
- Implementation of more robust risk management systems and controls.
- Adoption of security controls.
- Onsite inspection by BSP before implementation of cloud arrangements, if necessary.
- BSP’s right to audit a cloud service provider.
- Consultation with BSP before making any significant commitment on cloud computing.
Based on our conversations with BSP officers, we learned that BSP sees the potential for cloud computing to increase financial inclusion in the Philippines by enabling FSPs to reduce costs, increase efficiencies, improve IT/data security and scale their outreach. It also sees potential to streamline risk-based supervision of the nearly 450 rural banks with 3,000 branches spread across the country. If multiple FSPs share a community cloud service, BSP needs audit access to only a single cloud provider to access FSP data during supervision. There is also potential for cloud computing to improve regulatory reporting. (Oradian is planning to integrate its cloud-based core banking solution, Instafin, directly with BSP’s API for reporting.) Of course, BSP is also concerned about risks posed by cloud computing in areas like data security and privacy, data ownership and localization, business continuity, legal and regulatory compliance and others.
Unlike countries that have imposed data localization rules, the Philippines allows FSPs to enter into outsourcing agreements with cloud service providers outside the country. Given the high incidence of natural disasters in the Philippines, overseas data centers make FSPs more resilient. In 2016, however, BSP amended its guidelines on outsourcing to stipulate that financial institutions may outsource their domestic operations only to offshore providers in jurisdictions that uphold confidentiality and privacy. FSPs are now also required to continuously monitor government policies in their cloud service provider’s host country.
BSP’s test-and-learn approach to financial sector innovation involves evaluating a proposed new product or service, allowing it to be offered to consumers within a controlled environment following minimum safeguards and authorizing its market rollout upon the completion of a successful pilot. For any significant commitment on cloud computing, such as the move of core operations to the cloud, BSP set up a process whereby an FSP submits a letter of intent before switching to the cloud. The letter must include a detailed presentation of the cloud service’s business model. Then, the FSP submits various documents required by outsourcing and e-banking regulations, questionnaires filled out by the FSP and its prospective cloud provider and an external “service organizations control” report that covers operational security standards. If an FSP has difficulty meeting any of these requirements, BSP can still allow it to move forward provided it meets other safeguards.
Lessons from the test-and-learn approach with Cantilan Bank
When Cantilan decided in 2016 to explore cloud computing services as a way to cut costs and focus on its mission of financial inclusion, it submitted all required documents to BSP and received its conditional approval to pilot a community cloud solution in close coordination with the central bank. With funding from ADB, the 18-month pilot began in June 2017 and concluded with the full migration of Cantilan’s 24 branches and 19 extension offices to the community cloud-based core banking system Instafin. This system is hosted and managed by Oradian, which makes it accessible and available to Cantilan over the internet, using a software-as-a-service distribution model. After a successful BSP onsite audit in December 2018, the legacy system that had been running in parallel to the cloud pilot was discontinued earlier this year.
Some important lessons emerged from BSP’s experience with Cantilan and Oradian, which may be instructive to regulators in other countries.
The first is that the test-and-learn approach enabled BSP and Cantilan to better understand the features, opportunities and risks associated with the use of cloud computing, especially for core operations and processes. The pilot helped BSP uncover and address regulatory and supervisory issues, such as the need to identify instances when certain FSPs may lack sufficient technical expertise to audit cloud providers and ensure compliance with outsourcing regulations. In such instances, BSP opted to directly review and approve key changes proposed by cloud providers to material outsourcing solutions. The pilot also helped Cantilan improve its ability to identify and manage vulnerabilities introduced by using the cloud — for example, by adopting the use of multifactor authentication to prevent unauthorized access to the system.
The second is that strong, open and continuous collaboration among the regulator, FSP and cloud provider is essential for success. BSP, Cantilan and Oradian aligned their strategic visions and maintained an open dialogue throughout the process. Funders such as ADB can also play a key role by investing in pilots, measuring results and helping FSPs hedge the risk of engaging with fintech start-ups. (As a result of this pilot, ADB is working with BSP to develop a matching grant technology fund to enable FSPs to undertake similar projects.)
The third lesson is that this test-and-learn approach helps improve the process of implementing new cloud solutions. Building on the pilot, BSP has set up a more streamlined approval process and further clarified the level of information and quality of services expected from cloud providers.
Cantilan Bank Executive Vice President Tanya Hotchkiss told ADB that she believes her company’s transition to the cloud will be good for its business and for the financially excluded people it aims to reach:
“By moving to the cloud, we will be able to mitigate various IT, strategic and operational risks. Oradian’s software-as-a-service model enables us to reduce major IT capital expenses, allowing us to spend less annually for a faster system with superior data security — and we just need an internet connection. This has given Cantilan more capacity to focus on our core business and financial inclusion mission.”
Regulators have a unique opportunity to enable the safe use of cloud computing solutions that may significantly contribute to financial inclusion. By combining caution and openness, as BSP did, regulators can support FSPs in leveraging the cloud to reduce costs and expand responsible outreach while enhancing their own regulatory and supervisory capacity. Jurisdictions aiming to take a big leap in financial inclusion should not be afraid to reach for the cloud.