Contract requirements
3. Are there any specific contractual requirements for cloud outsourcing?

In general terms (requirements vary slightly depending on the financial institution), a financial institution that intends to engage a third-party service provider to provide cloud services to it on an outsourced basis must provide the National Banking and Securities Commission (CNBV) with a copy of the draft contract for the rendering of cloud services. The draft contract must indicate the probable date of its execution and the rights and obligations of the financial institution and the third party. Additionally, the outsourcing contract must include a record of the third party's express acceptance of certain specific obligations, including obligations to do the following:

a) Deliver, during the course of an audit and at the financial institution's request, to the appointed independent external auditor and to the CNBV, the books, systems, records, manuals and documents in general that are related to the rendering of the service in question (The third party must also expressly accept an obligation to allow the independent external auditor or the CNBV's personnel access to its offices and facilities in general that are related to the rendering of the service in question.)

b) Inform the financial institution of any modification to its corporate purpose or any other change that may affect the rendering of the service that is the object of the contract at least 30 days prior to such modification or change

c) Keep confidential the information that has been received, transmitted, processed or stored during the provision of the services and, likewise, accept that such information may only be used and exploited for the purposes agreed on in the provision of the service

Additionally, financial institutions are required to describe the following to the CNBV (among other requirements):

  1. Type of cloud, whether public, private or hybrid
  2. Specific regions where the information will be stored and processed
  3. In public clouds or virtualization schemes on infrastructure shared with other clients, a description of the control mechanisms that will be used to guarantee the confidentiality, integrity and availability of sensitive information

In addition, in compliance with the requirements and restrictions contained in the implementing regulations of the Federal Law for the Protection of Personal Data Held by Private Entities ("Ley Federal de Protección de Datos Personales en Posesión de los Particulares") (LFPDPPP), the agreement with the cloud service provider should confirm the following:

(i) The cloud service provider complies, at least, with the following: (a) have and apply personal data protection policies in accordance with the applicable principles and duties established in the LFPDPPP and related regulations; (b) be transparent in subcontracting involving the information in respect of which the service is provided; (c) refrain from including conditions for the provision of the service that authorize or allow it to assume ownership of the information in respect of which the service is provided; and (d) maintain confidentiality of the personal data in respect of which the service is provided.

(ii) The cloud service provider has mechanisms in place, at least, to: (a) disclose changes to its privacy policies or to the conditions of the service it provides; (b) allow a data controller to limit the type of processing of the personal data in respect of which the service is provided; (c) establish and maintain adequate security measures for the protection of the personal data in respect of which the service is provided; (d) guarantee the deletion of the personal data once the service has been provided to the data controller and the data controller has been able to recover it; and (e) prevent access to the personal data by persons who do not have access privileges or, in the case of a duly founded and reasoned request from a competent authority, inform the data controller of that fact.