Asia's Financial Services: Ready for the Cloud

The primary purpose of this report is to equip CSPs with an understanding of the current regulatory landscape in APAC and their FSI customers’ key regulatory challenges to adopting Cloud Services and to help CSPs to develop and provide solutions to these challenges.

Executive Summary

A Report on FSI Regulations Impacting Cloud in Asia Pacific Markets




  1. Cloud Services offer substantial benefits to FSIs. However, FSIs in APAC have generally been slow to adopt Cloud Services because of (at least in part) the perceived regulatory challenges.
  2. There are regulatory requirements that must be addressed in order for an FSI to adopt Cloud Services but, when it comes to the scale of these challenges, there is often a misalignment between perception and reality. The analysis carried out in developing this report confirms that there are no “blanket bans” or similarly broad prohibitions or restrictions that should prevent FSIs in APAC from adopting (and, therefore, benefiting from) the use of Cloud Services. On the contrary, some jurisdictions are developing new regulations, which are not specific to Cloud Services but which clearly enable adoption of Cloud Services by FSIs, and several others are allowing cloud adoption under current regulations for outsourcing.
  3. CSPs can contribute to the growth of Cloud Services in APAC by ensuring that they have a good understanding of the regulatory requirements. This report will equip CSPs with an understanding of the current regulatory landscape in APAC and their FSI customers’ key regulatory challenges to the adoption of Cloud Services and it will help CSPs to develop and provide solutions to these challenges.
  4. Regulators in APAC also have a key role to play in the growth of Cloud Services in APAC. This report identifies where and how Regulations currently allow FSIs to adopt Cloud Services and where there is room to improve the current regulatory landscape across APAC to promote the development of Cloud Services. It makes recommendations to Regulators to improve the current regulatory landscape. The top five recommendations are:

    • Regulations should be technology neutral. There should not be separate regulations for the use of Cloud Services.
    • Regulations should set out a clear process that should be followed for the adoption of Cloud Services (as if it were any other form of outsourcing) and approval for the use of Cloud Services should not be required.
    • The transfer of Data to other jurisdictions should be permitted, subject to appropriate safeguards (e.g. security, business continuity, access and audit).
    • Regulations should only identify the key issues that should be addressed in outsourcing contracts that include Cloud Services. They should not be prescriptive of the terms of an outsourcing contract that includes Cloud Services.
    • The use of independent third party audits should be an acceptable alternative to audits carried out by FSIs and the Regulators.
  5. Finally, FSIs can maximise the benefits on offer from the use of Cloud Services by ensuring that they are familiar with the regulatory landscape, and able to assess the degree to which the CSP’s offering fits into the regulatory landscape. This report will provide FSIs with a clear understanding of the regulatory landscape and what they can, and should, expect from their CSPs.

The structure of this report

Part 1 of this report is the introduction.

Part 2 of this report compares the laws and regulations that impact the adoption by FSIs of Cloud Services (“Regulations”) in 14 jurisdictions across nine different topics. For each topic, there is: (a) an introduction to the topic; (b) an overview of the Regulations in the 14 jurisdictions; (c) a commentary on the general issues, trends and deviations for the topic; (d) a list of recommendations for CSPs, to help CSPs to comply with current Regulations; and (e) a list of recommendations for Regulators to improve current Regulations. The nine topics were selected on the basis that they represent the most important regulatory issues that must be addressed for the adoption of Cloud Services.

Part 3 of this report lists all of the recommendations made by this report for CSPs.

Part 4 of this report lists all of the recommendations made by this report for Regulators.

Part 5 of this report includes annexes covering each of the 14 jurisdictions in more detail. Each annex contains: (a) an overview of the regulatory approach taken to Cloud Services in the jurisdiction; (b) a list of the Regulations in the jurisdiction; and (c) a summary of the key requirements in the Regulations.

Part 6 of this report is a glossary of defined terms that are used in this report.

ACCA offers a very specific forum for stakeholders – hardware and software developers, carriers, enterprise users, policy makers and researchers – to collaborate on the requirements of the Asia market from within, with expertise born of local knowledge. As a collaborative forum, ACCA will accelerate the growth of the cloud market regionally by helping remove obstacles and leveraging opportunities. Our membership is a mix of large and small companies, enterprises, governments and other associations.