
Public, Private, Hybrid or Community Cloud for BSP Regulated Financial Companies

A couple of weeks ago, Apper.ph and AWS presented a webinar, “Updates on BSP: Security & Compliance for the Cloud.” I am happy to share that the event went well. Alejandra Artiguez (AWS Security Specialist Solutions Architect), Mitch Bautista (AWS Enterprise Sales), and our very own co-founder Patrick Zulueta gave participants the latest updates on the Bangko Sentral ng Pilipinas (BSP) regulations and compliance requirements. These regulations and compliance requirements apply to Philippine-based financial institutions (FI) and FinTech companies building or planning to build on the cloud.

The event gave me a sense of nostalgia for my time in the FinTech and payments industry. Before starting Apper.ph, I worked for Voyager Innovations, the digital arm of PLDT/SMART, for almost five years. I led the architecture, implementation, and platform engineering teams of the payment gateway services of PayMaya’s payment acceptance business unit on top of AWS. The payment gateway service of the business unit grew over the years, processing billions of pesos worth of payment throughput. I am very proud that even six years after I first worked on it, the service is still growing and is considered the country’s preferred online payment gateway service.

Fast forward to 2021; the cloud is the go-to platform for building digital innovations. If the question for most companies was previously “what is the cloud?”, it is now “how do I get started?” There is no doubt that cloud computing platforms provide the agility needed to implement, deploy, and manage digital applications and platforms. But for companies in the financial services industry, using the cloud requires careful consideration to comply with regulations.

BSP Compliance and Considerations

If you are a financial institution, FinTech, or financial services company operating in the Philippines, there are a couple of considerations that you need to take into account before moving workloads into the cloud:

1) Bangko Sentral ng Pilipinas (BSP) regulated entities, such as banks, non-bank financial institutions, and electronic money issuers (EMI), need to inform and get approval from BSP before moving workloads into the cloud. The IT Risk Management Standards and Guidelines concerning IT Outsourcing/Vendor Management explicitly outline which types of workloads can be hosted on which type of cloud platform:

| Workload | Public Cloud | Private Cloud | Community Cloud | Hybrid Cloud |
| --- | --- | --- | --- | --- |
| Core operations | Not allowed | Allowed* | May be allowed | May be allowed |
| Non-core operations and business processes | Allowed* | Allowed | Allowed | Allowed |

\* Subject to compliance

Core operations are defined as essential business processes and procedures that ensure continuous financial services such as serving CA/SA, loans, treasury systems, ATM switch operations, and systems used to record transactions. Non-core operations and business processes refer to email, office productivity, collaboration tools, claims, and legal management.

2) The choice of the cloud deployment model is critical in driving the decision on which workloads can be hosted on the cloud. The guidelines have enumerated the various cloud deployment models: private cloud, public cloud, community cloud, and hybrid cloud.

| Deployment Model | Description |
| --- | --- |
| Private Cloud | A private cloud is operated solely for an institution and is closely related to the existing IT outsourcing models in the marketplace, but can be an institution’s internal delivery model as well. |
| Public Cloud | A public cloud is owned and operated by a CSP that delivers services to the general public or a large industry group via the internet or other computer network using a multi-tenant platform. |
| Community Cloud | It is a private-public cloud with users having a common connection or affiliation, such as a trade association, the same industry or a common locality. It allows a CSP to provide cloud tools and applications specific to the needs of the community. |
| Hybrid Cloud | This model composes two or more clouds (private, community or public). A hybrid cloud leverages on the advantage of the other cloud models, thus, providing a more optimal user experience. |

Most companies and organizations are familiar with the public cloud deployment model popularized by Amazon Web Services and supported by other cloud service providers like Google Cloud Platform, Alibaba Cloud, Microsoft Azure, and others. The private cloud deployment model refers to a more traditional on-premises model in which the cloud computing infrastructure is also owned and operated by the financial institution. A community cloud deployment model is close to a private cloud deployment model, except that the cloud computing hardware is owned and operated by a group of related organizations. Hybrid cloud provides a combination of the three models, which may provide the best variety for agility, risk reduction, and compliance.

Public, private, community, or hybrid cloud?

For banks and EMIs, core banking operations systems are allowed only on private, hybrid, or community clouds subject to approval and compliance. From a cloud architecture perspective, this restriction requires that financial institutions operate a portion of the physical infrastructure. Cloud service providers have provided options, like Microsoft Azure Stack and AWS Outposts, to answer these requirements. Using these services allows a financial institution to operate cloud infrastructure hardware within its on-premises location or data center with an option to extend to public cloud services.


There are financial institutions that have achieved approval for hosting core banking systems in the cloud. An example is Cantilan Bank, which reached the milestone of becoming the first BSP-regulated rural bank to host core banking systems on the cloud. Cantilan Bank uses Oradian’s cloud-based banking system, which enhanced security and increased growth without the traditional costs associated with on-premises infrastructure.


Exciting developments for Philippine FinTechs

I find it interesting what is in store for Philippine financial institutions and FinTechs with their adoption of cloud technologies. The release of AWS Outposts in the Philippines will enable FIs to use AWS to leverage private and public cloud capabilities with an integrated API and management console. Alibaba Cloud has also announced the first public cloud region in the Philippines – it will be fascinating to see how regulation will change to adapt to the needs of FIs and FinTechs in delivering better services and more value to customers.

Diwa del Mundo

Co-Founder, President

Diwa is the Co-Founder, President, and Principal Cloud Architect of Apper.ph. He has led, built, and architected platforms on the cloud in his fifteen years of experience in the IT industry. He is AWS Certified (12x), GCP Certified, and holds a CISSP®.
