SBP allows financial institutions to outsource cloud-based services

KARACHI: The State Bank of Pakistan (SBP) on Monday allowed financial institutions to outsource hosting on the cloud to both domestic and international cloud service providers. 

In Circular No. 04 of 2020 issued by the Banking, Policy and Regulations, the SBP said financial institutions, defined as banks, microfinance banks and development finance institutions (DFIs), can now access cloud service models like Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) from both domestic and offshore cloud service providers. 

The SBP said that the central bank’s board IT committee will approve all cloud-based outsourcing arrangements. 

Through this new circular, the SBP has updated part of the language of two earlier circulars issued in 2017 and 2019, to do with the ‘Enterprise Technology Governance and Risk Management Framework for Financial Institutions (FIs)’.

Now, financial institutions can use cloud services for non-core operations and business support processes. The exhaustive list is defined as HR modules, procurement functions, non-production environment, sandboxing, inventory management, supply chain management, office productivity, customer relationship management tools (WhatsApp, Facebook etc.), communication tools, security tools, computation and processing services, data analytics and risk modeling, middleware and payments processing services. 

The SBP, however, said that other banking applications and allied infrastructure, which are used to store and process customers’ information relating to deposits, loans & credits, and details of balances and transactions in ledger accounts of customers and borrowers, will not be placed under cloud-based outsourcing arrangements.

The central bank also outlined internal controls, mandating that all outsourcing arrangements are undertaken through legally binding service level agreements. The banks’ data has to be encrypted at database level, storage level and during network transmission. Further, the arrangement should not contain a lock-in clause ie. banks’ should be able to transfer their data from one cloud provider to another. 

The SBP also maintains the right to conduct an audit and on-site inspection of the cloud service provider, or their sub contractor.


  1. One of the paragraph in your article says that:
    The SBP said that the central bank’s board IT committee will approve all cloud-based outsourcing arrangements.
    The above is an incorrect understanding, the circular does not requires approval from central bank’s board IT committee, instead approval would be required from concerned bank’s board IT committee.

Comments are closed.

Must Read