Heading size 2

Microsoft's Commitment to the Malaysian Financial Services Sector

We believe that no cloud services provider has more experience of delivering compliant solutions to financial institutions in Malaysia than Microsoft. Having helped a number of financial institutions move to the cloud, working in close cooperation with BNM and the financial institutions themselves, Microsoft recognizes that a cloud services provider needs to help facilitate compliance through full, transparent, proactive engagement with the financial institution and, on request, with BNM. Through this process of collaboration over a number of years, Microsoft has developed excellent experience and a pool of practical resources to help financial institutions move to the cloud in a way that meets the highest compliance, risk and security standards.

From sharing product and service information in the initial project scoping phase through to assisting in any required consultation with BNM, Microsoft stands ready to support our financial institutions customers in Malaysia. For example, we issued our Practical Guide to the Cloud for Malaysian Financial Institutions to provide transparency, to tackle common misconceptions and to set new standards in the rapidly-evolving financial services space. In addition, our subject-matter experts are available to understand your requirements and provide detailed information on the technical contractual and practical aspects of your proposed cloud project.

This is all part of our commitment to helping our financial institution customers navigate their way to the Microsoft cloud with confidence and enjoy the benefits of digital transformation.


Regulatory Overview

The Malaysian financial services sector is undergoing rapid transformation by leveraging on the transformative power of cloud computing.

Financial services institutions across the country, including major banks and insurance companies, are adopting cloud services, from testing and development of data analytics solutions through to communications, CRM and business productivity applications.

From a regulatory perspective, cloud is permitted. The regulatory framework in Malaysia permits the use of cloud services by financial institutions in Malaysia. All service and deployment models (including public cloud) are permitted. Where data centers outside of Malaysia are used to deliver the cloud services, approval from the regulator (Bank Negara Malaysia or BNM) is required. Microsoft is pleased to be able to offer support for its financial institution customers in securing all necessary approvals leveraging its substantial prior experience in the Malaysia financial services space.

Financial institutions are advised to adopt the risk management practices set out in the Outsourcing Guidelines issued by BNM. Financial institutions are also generally required to adopt sound and robust risk management strategies, to perform a risk analysis of their IT environment, to develop effective data management system and to carry out disaster recovery and business continuity planning. Financial institutions are subject to the banking secrecy obligations of the Banking and Financial Institutions Act, which prohibit them from disclosing customer account information.


Regulatory Deep Dive


Bank Negara Malaysia (the Central Bank of Malaysia) ( BNM).


The primary reference is BNM's Outsourcing Guidelines. In most cases, the use of cloud services will be regarded as "material" and subject to the requirements outlined in this section. In addition, other relevant requirements are set out in:

  1. BNM’s Guidelines on Data Management and MIS Framework for FSIs.
  2. BNM’s Guidance on Business Continuity Management.
  3. BNM’s Guidelines on Management of IT Environment.
  4. BNM’s Guidelines on the Provision of Electronic Banking Services by FSIs.
  5. The Financial Services Act 2013.

Yes, where the financial institution wishes to use a cloud services provider with data centers located outside of Malaysia. Microsoft has considerable experience working with financial institutions in Malaysia to help them receive BNM approval for the use of offshore public cloud. In practice, the financial institution should engage with BNM as soon as possible after it has in place all of the requirements and information that are outlined in this guide, including a full understanding of the solution that the financial institution proposes to implement.

The cloud contract should permit the financial institution's regulator to independently assess the cloud services provider based on agreed parameters.

Transfer of data outside of Malaysia is permitted. There are, however, two requirements. First, the financial institution should ensure that it will continue to comply with the general requirements under the PDPA (for example, the financial institution should be comfortable that the data will be processed by the cloud services provider according to standards that are at least equivalent to the PDPA). Second, approval from BNM is required (see above).