Morocco: Cloud in Financial Services

In Morocco, different financial services sectors are supervised by different regulators.

• Who is the regulator?

  Currently, the banking sector in Morocco is regulated by Bank Al-Maghrib (Moroccan Central Bank) and insurers are regulated by the Supervisory Authority of Insurance and Social Welfare, or Autorité de Contrôle des Assurances et de la Prévoyance Sociale (ACAPS). The market conduct activities of all financial services institutions are supervised by the Moroccan Capital Market Authority, or Autorité Marocaine du Marché des Capitaux (AMMC).

  The Draft Financial Markets Conduct Bill, 2018 proposes to establish a Financial Markets Conduct Authority, a Financial Sector Ombudsman and a Financial Sector Tribunal.

• Are cloud services permitted?

  Cloud services are, in principle, permitted. Specific aspects of the applicable regulatory regime (see below) should, however, be carefully considered to ensure compliance based on specific use cases and cloud architecture.

• What are the sector-specific laws and guidelines that need to be considered?

  There is presently no uniform regulation for cloud services in Morocco. For many financial services institutions, it may however be regulated as an outsourced service.

  For a bank, its move to the cloud will likely be regulated under:

  1. Outsourcing rules¹: Certain types of outsourcing are regulated, including outsourcing of material business activities or functions;
  2. Banker-client confidentiality: A bank must maintain client confidentiality in respect of customer information. Banking secrecy covers information relating to the customer's account, the customer's transactions with the bank and information relating to the customer acquired through the keeping of his account. The duty to respect privacy and confidentiality is expressly recognized in Law No. 103.13 on Credit Institutions and Alike.

  While a move to cloud services is not outsourcing in the traditional sense, outsourcing regulations may apply. If the move to the cloud amounts to the outsourcing of certain functions and activities, a number of requirements must be fulfilled. In general, regulatory approval is not required but prior approval by the regulator may be required for certain material functions and activities.²

  Both banks and insurers are also subject to the AML regulation³, and therefore must know their customers and ensure that their records are maintained.⁴

  Under the current regime, a move to the cloud by a bank or insurer will be subject to the following key principles: (i) the financial institution remains responsible for the processing of the transactions, (ii) the use of the cloud must not compromise the services provided to clients and, (iii) the services must be regularly monitored and information kept confidential.

  Furthermore, any financial services institution which amounts to a public institution or an infrastructure of vital importance⁵ should ensure compliance with the National Directive for the Security of Information Systems⁶ and Decree No. 2-15-712 dated 22 March 2016, laying down the plan for the protection of sensitive information systems of institutions of vital importance and ensure that its sensitive data⁷ is hosted in Morocco. The National Directive for the Security of Information Systems does not define what sensitive data refers to within the context of each financial services institution. Accordingly, a data classification framework that is adopted by the financial services institution and endorsed by the regulator is always recommended in order to define what “sensitive data” means to the financial services institution and stay compliant with the National Directive for the Security of Information Systems.

  Furthermore, regardless of its status of infrastructure of vital importance and subject to specific exemptions⁸, any financial services institution having recourse to encryption means or services is required to file a prior declaration or authorization⁹, as the case may be, before the General Direction for the Security of Information Systems¹⁰.

• Is approval needed?

  Generally, approval is not needed. However, prior approval from the relevant regulator will be required in some instances depending largely on the materiality of the outsourced function or activity. A bank will require prior regulatory approval¹¹ before it outsources “any core activity”.¹²

• What are the audit / inspection requirements for material activities and functions?

  A bank outsourcing any core activity or function (i.e. any activity the exercise of which was initially subject to Bank Al Maghrib’s prior approval) must be able at all times to provide Bank Al-Maghrib with necessary information and ensure the right of Bank Al-Maghrib to carry out its supervisory functions and objectives, including the right to access information and on-site visits.¹³

• What are the data transfer requirements?

  Under the Law No. 09-08 relating to the protection of individuals with respect to the processing of personal data (the "Law 09-08"), personal information may be transferred out of Morocco as long as the requirements of the Law 09-08 are met. Law 09-08¹⁴ permits the transfer of personal information to a foreign country in specific circumstances, including if the recipient is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection as contemplated in Law 09-08, or with prior authorization of the National Control Commission for the Protection of Personal Data (CNDP).

  Microsoft holds itself accountable to and is subject to laws of general application applicable to information technology service providers, and has binding agreements which, in its view, provide adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring that its products and services comply with the EU General Data Protection Regulation which came into force in May 2018.

• Footnotes

  ¹ Outsourcing legal regime is provided for by Dahir dated 12 August 1913 instituting the Code of Obligations and Contracts. Some specific regulations may apply in some instances, for example for Banks by virtue of Law 103-12 relating to financial establishments and assimilated organisms and its implementing decrees and regulations.
  ² See section below headed "Is approval needed?"
  ³ Article 2 of the Law n°43-05 with respect to the Anti Money Laundering (AML)
  ⁴ Article 7 of the Law n°43-05 with respect to the AML
  ⁵ Defined in Decree No. 2-15-712 dated 22 March 2016 to mean all facilities, works and systems that are essential to the maintaining of the vital functions of the society, public health, safety, security and economic or social well-being, the damage of which or the unavailability or the destruction would have an impact leading to the failure of these functions.
  ⁶ ”Directive Nationale de la Sécurité des Systèmes d’Information”, issued on December 2013, available at Sécurité des systèmes d'information
  ⁷ Defined in the National Directive for the Security of Information Systems and in Decree No. 2-15-712 dated 22 March 2016 to mean information the compromising, alteration, misappropriation or destruction of which is likely to harm the continuity of functioning or to endanger the informational patrimony of the infrastructure of vital importance.
  ⁸ Article 2 of Decree 2-08-518 dated 21 May 2009 for the application of Law 53-05, as subsequently amended and completed. See Appendix II of the Decree for the list of exemptions.
  ⁹ Art 13 of Law 53-05 dated 6 December 2007 relating to the electronic exchange of legal data.
  ¹⁰ Decree 2-08-518 dated 21 May 2009 for the application of Law 53-05, as subsequently amended and completed.
  ¹¹ From Bank Al Maghrib (Moroccan Central Bank)
  ¹² Para 2 C. N° 4/W/2014 art 101.
  ¹³ Para 1 C. N° 4/W/2014 art 101.
  ¹⁴ Article 43 of Law 09-08