Featured Product

    HKMA Sets Out Guidance on Adoption of Cloud Computing

    August 31, 2022

    The Hong Kong Monetary Authority (HKMA) has set out guidance for authorized institutions on supervisory expectations with respect to the adoption of cloud computing.

    Given the increasing trend of the adoption of cloud computing and the risks it presents, HKMA considers it appropriate to set out its supervisory expectations on this area in a holistic manner. The supervisory expectations on cloud computing, as outlined below, have been developed with reference to the results of a round of on-site examinations by HKMA between 2021 and 2022: 

    • Governance framework. Institutions should put in place an effective governance framework, overseen by the Board of Directors and senior management, for cloud computing to enable them to formulate a cloud strategy suitable for their circumstances and have it updated from time to time. A proper due diligence process should be established to assess the capabilities and suitability of a cloud service provider before the engagement and regularly during the engagement.
    • Ongoing risk management and controls. Institutions should clearly understand their roles and responsibilities under the agreement with the cloud service provider and put in place corresponding controls to ensure the effective discharge of their responsibilities. A comprehensive set of risk management procedures should be developed to enable the institution to continually identify, monitor, and mitigate the risks posed by cloud computing. Also, effective controls should be established to ensure the security of the information assets and their compliance with relevant statutory requirements regarding customer data confidentiality. A viable and effective contingency plan should be developed to cope with situations involving a disruption of cloud computing services.
    • Protection of access and other legal rights. There should be suitable arrangements to guarantee audit rights of institutions, along with the supervisory access to information stored in the cloud and relevant risk management controls for the purposes of undertaking on-site examinations. A clear and enforceable cloud service provider engagement agreement should be in place to protect institutions’ interests, risk management needs, and ability to comply with supervisory expectations.
    • Risk management capabilities. Institutions should equip staff overseeing cloud operations with the knowledge and skills required to securely use and manage the risks associated with cloud computing. 

    Authorized institutions should apply this guidance proportionately and in a way that is commensurate with the criticality of their cloud adoption and the potential impact that cloud computing may have on their risk profile. Institutions should note that the below principles serve to complement, and should be read in conjunction with, the relevant existing HKMA guidance, including SPM Modules SA-2 on “Outsourcing,” OR-2 on “Operational Resilience,” and TMG-1 on “General Principles for Technology Risk Management.”



    Keywords: Asia Pacific, Hong Kong, Banking, Regtech, Cloud Computing, Operational Resilience, Operational Risk, Basel, Outsourcing Risk, HKMA

    Featured Experts
    Related Articles

    EBA Finalizes Templates for One-Off Climate Risk Scenario Analysis

    The European Banking Authority (EBA) has published the final templates, and the associated guidance, for collecting climate-related data for the one-off Fit-for-55 climate risk scenario analysis.

    November 28, 2023 WebPage Regulatory News

    EBA Mulls Inclusion of Environmental & Social Risks to Pillar 1 Rules

    The European Banking Authority (EBA) recently published a report that recommends enhancements to the Pillar 1 framework, under the prudential rules, to capture environmental and social risks.

    October 31, 2023 WebPage Regulatory News

    BCBS Consults on Disclosure of Crypto-Asset Exposures of Banks

    As a follow on from its prudential standard on the treatment of crypto-asset exposures, the Basel Committee on Banking Supervision (BCBS) proposed disclosure requirements for crypto-asset exposures of banks.

    October 19, 2023 WebPage Regulatory News

    BCBS and EBA Publish Results of Basel III Monitoring Exercise

    The Basel Committee on Banking Supervision (BCBS) and the European Banking Authority (EBA) have published results of the Basel III monitoring exercise.

    October 18, 2023 WebPage Regulatory News

    PRA Updates Timeline for Final Basel III Rules, Issues Other Updates

    The Prudential Regulation Authority (PRA) recently issued a few regulatory updates for banks, with the updated Basel implementation timelines being the key among them.

    October 18, 2023 WebPage Regulatory News

    US Treasury Sets Out Principles for Net-Zero Financing

    The U.S. Department of the Treasury has recently set out the principles for net-zero financing and investment.

    October 17, 2023 WebPage Regulatory News

    EC Launches Survey on G7 Principles on Generative AI

    The European Commission (EC) launched a stakeholder survey on the draft International Guiding Principles for organizations developing advanced artificial intelligence (AI) systems.

    October 14, 2023 WebPage Regulatory News

    ISSB Sustainability Standards Expected to Become Global Baseline

    The finalization of the two sustainability disclosure standards—IFRS S1 and IFRS S2—is expected to be a significant step forward in the harmonization of sustainability disclosures worldwide.

    September 18, 2023 WebPage Regulatory News

    IOSCO, BIS, and FSB to Intensify Focus on Decentralized Finance

    Decentralized finance (DeFi) is expected to increase in prominence, finding traction in use cases such as lending, trading, and investing, without the intermediation of traditional financial institutions.

    September 18, 2023 WebPage Regulatory News

    BCBS Assesses NSFR and Large Exposures Rules in US

    The Basel Committee on Banking Supervision (BCBS) published reports that assessed the overall implementation of the net stable funding ratio (NSFR) and the large exposures rules in the U.S.

    September 14, 2023 WebPage Regulatory News
    RESULTS 1 - 10 OF 8938