Regulated cloud outsourcing
4. When does cloud outsourcing fall within the scope of the rules?

A financial institution's use of cloud services provided by a third-party cloud service provider may be considered outsourcing, although this will ultimately depend on what the cloud services are used for. Where the arrangement constitutes outsourcing, it will fall within the local rules mentioned in question 2.

The extent and degree to which certain aspects of the Monetary Authority of Singapore ("MAS") Guidelines on Outsourcing will apply depend on whether the arrangement is a "material outsourcing arrangement." "Material outsourcing" means the following:

  • An outsourcing arrangement that, in the event of a service failure or security breach, has the potential to materially impact either of the following:
    • An institution's business operations, reputation or profitability
    • An institution's ability to manage risk and comply with applicable laws and regulations
  • An outsourcing arrangement that involves customer information and, in the event of any unauthorized access or disclosure, loss, or theft of customer information, may have a material impact on an institution's customers

The MAS Public Cloud Advisory relates to financial institutions' use of public cloud services generally.