Male bank worker in navy blue suit, smiling and leaning over desk to shake hands with female bank customer in financial office.
Mauritius: Cloud in financial services

Mauritius: Cloud in Financial Services

An Interactive Guide for Legal and Compliance Professionals

DOWNLOAD OUR WHITEPAPER : Regulating the Use of Cloud Computing by Financial Institutions

Download now

REGULATORY OVERVIEW

It is important to note that the law in Mauritius distinguishes between the carrying out of banking business which is governed by the Banking Act and regulated by the Bank of Mauritius ("Central Bank") and financial services which are non-banking services such as insurance services, trust services and provision of credit finance which are governed by the Financial Services Act and regulated by the Financial Services Commission.

The banking and financial services sector in Mauritius recognizes that innovation is not only the provision of new products or the creation of new consumer experiences but also involves the development of new business models.The traditional banking and financial services landscape is being disrupted by new entrants leveraging technology to deliver new and existing services in more relevant and convenient ways to consumers and businesses – what is referred to as “Fintech”. According to the Board of Investment Mauritius1, Fintech represents an opportunity for Mauritius, whose robust banking and financial services industry makes it ideally positioned to capitalize on this growing trend, providing the ability to export financial services and perhaps even become an international financial centre.

In principle, the banking and financial services industries and their regulators appear receptive to cloud usage provided certain risks are addressed. In these highly regulated sectors, it is however crucial to ensure that any move to the cloud complies with the applicable law and sound governance and risk management practices.

In its "Guidelines on Outsourcing by Financial Institutions", issued in May 2006 and revised in November 2017 (the “Guidelines”), the Central Bank - the banking regulator in Mauritius - recognizes that financial institutions may have recourse to cloud-based services to enhance their operations and service efficiency and provides guidance on the use and adoption of cloud services by financial institutions. Under the Guidelines, a financial institution is defined as a bank, non-bank deposit-taking institution or cash dealer licensed by the Central Bank2.

MICROSOFT'S COMMITMENT TO BANKING AND FINANCIAL SERVICES IN MAURITIUS

We believe that no cloud services provider has more experience of delivering compliant solutions to banks and financial services businesses in Mauritius than Microsoft. Having helped a number of financial institutions move to the cloud, Microsoft recognizes that the role of the cloud service provider is to help facilitate compliance through full, transparent, proactive engagement with the financial institution and where appropriate, with financial regulators. Through this process of collaboration over a number of years (with both customers and regulators), Microsoft has developed excellent experience and a pool of practical resources to help financial institutions move to the cloud in a way that meets the highest compliance, risk and security standards.

From sharing product and service information in the initial project scoping phase through to assisting in any required consultation with relevant regulators in Mauritius, Microsoft stands ready to support our financial services customers in Mauritius. Microsoft operates from international data centres and has also initiated plans to deliver the Microsoft Cloud - including Microsoft Azure, Office 365 and Dynamics 365 - from data centres located on the African continent, which will offer enterprise-grade reliability and performance to customers across Africa.

In addition, our subject-matter experts are available to understand your requirements and provide detailed information on the technical, contractual, regulatory and practical aspects of any cloud project. This is all part of our commitment to helping our financial services customers smoothly navigate their way to the Microsoft cloud with confidence and enjoy the benefits of the digital transformation.

THE REGULATORY ENVIRONMENT

The banking sector and financial services sector are regulated differently in Mauritius. The conduct of "banking businesses" (which includes the business of accepting deposits and the making of loans), is governed by the Banking Act. On the other hand, the provision of financial services (such as insurance) is governed by the Financial Services Act.

  • The banking sector in Mauritius is regulated by the Bank of Mauritius ("Central Bank”) whose principal representative is the Governor.

    The Financial Services Commission ensures the sound conduct of business in the financial services sector and in the global business sector. It has responsibility for institutions other than banks, such as insurers, pension funds, collective investment schemes and payment intermediary services.

  • Cloud services are in principle permitted. Financial institutions must however perform the requisite due diligence and apply sound governance and risk management practices when moving to the cloud.3

    With regards to banking services, the Central Bank permits the use of cloud services for non-core banking activities. According to the Guidelines, activities that are considered ‘core’ and should not be outsourced are: (i) board and senior management functions such as strategic oversight, (ii) internal audit function, and compliance function. However, exceptions for certain intra-group outsourcing of core banking activities may be allowed. The Central Bank will consider this on a case-by-case basis. Financial institutions which intend to outsource these core banking activities must seek the prior authorization of the Central Bank.

    That said, the Guidelines also state that the use of cloud-based services for banking activities is “a form of outsourcing”4. Where a bank provides computer access to its customers, it must provide such security for their internet and proprietary platforms as the Central Bank considers adequate.5

    While cloud services are in principle permitted, specific aspects of the regulatory regime should always be carefully considered to ensure both cloud provider and cloud user compliance based on specific use cases and cloud architecture.

  • There is presently no specific law governing cloud services in Mauritius. For financial institutions there are, however, the "Guidelines on Outsourcing by Financial Institutions", issued by the Central Bank.6 In the insurance sector, insurers which provide services over the Internet must implement and maintain appropriate mechanisms to address security concerns relating to the confidentiality of personal information transmitted between the consumer and the insurer. In addition, insurers must also ensure that there are business continuity arrangements at all times to avoid business disruptions and to ensure availability of their platform.7

    In addition to the above Guidelines, a bank must maintain client confidentiality in respect of customer information. The duty of confidentiality covers any information relating to the affairs of the customers, including any deposits, borrowings, or transactions or other personal, financial or business affairs.

    Under the current regime, a move to the cloud by a bank will be subject to the following key principles:

    • the financial institution remains responsible and accountable for maintaining oversight of cloud-based services and managing the risks of adopting cloud-based services, as in any other form of outsourcing arranagement;
    • the financial institution must have recourse to private or hybrid clouds for hosting applications with "sensitive data"8, and under no circumstances should data be stored on personal, free or community-based cloud storage services;
    • the financial institution must ensure that data on the cloud and the channel to access them are encrypted;
    • the cloud service provider should have a proven track record of at least 3 years;
    • the financial institution must obtain the consent of their clients for their information to be stored on the cloud in specified jurisdictions;
    • the financial institution must include a clause in its agreement with the cloud service provider, authorising the bank or any firm authorized by the bank to carry out examinations at the cloud servers/data centres, at any time; and
    • there must be a proper exit mechanism in place to provide for the deletion of all data stored on the cloud servers, in the event that the financial institution switches to another service provider or stops the service for any other reason. This arrangement should be included in the contract with the cloud service provider.
  • Approval of the regulator is, in principle, not needed. However, a financial institution that intends to outsource a material activity is required to notify and obtain the prior authorization of the Central Bank. The "Guidelines on Outsourcing by Financial Institutions" define material outsourcing as the outsourcing of "an activity of such importance that any weakness or failure in the provision of this activity could have a significant impact on the financial institution’s ability to meet its regulatory responsibilities and/or to continue in business".

    A financial institution intending to outsource non-material activities does not need to seek the prior authorization of the Central Bank, provided the activities do not require approval or authorization under the Banking Act.

  • A bank engaging in any material outsourcing9 must be able at all times to provide the Central Bank with specified necessary information and ensure the right of the Central Bank to carry out its supervisory functions and objectives, including the right to access information and on-site visits if the Central Bank considers necessary. The contract between the financial institution and the cloud service provider must explicitly allow for on-site visits and unhindered inspections of the outsourced activities by the financial institution and the Central Bank.

  • Customer information which constitutes personal data may be transferred to another country in specific circumstances. Permitted circumstances include where: (i) the Data Protection Commissioner (“Commissioner”) has been provided proof of appropriate safeguards with respect to the protection of the personal data; (ii) the data subject has given explicit consent to the proposed transfer (after having been informed of the possible risks of the transfer owing to the absence of appropriate safeguards, if any); and (iii) the transfer is necessary, for example, for the performance of a contract between the data subject and the data controller, or for the conclusion or performance of a contract between the data controller and another person in the interest of the data subject.10

    Microsoft holds itself accountable to and is subject to laws of general application applicable to information technology service providers, and has binding agreements which, in its view, will likely constitute adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring that its products and services comply with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.

    • 1www.investmauritius.com/investment-opportunities/financial-technology.aspx
    • 2i.e., the Bank of Mauritius
    • 3Guidelines, at paragraph 5.2, page 9
    • 4Guidelines, at paragraph 5.1, page 9
    • 5Section 51(4) of the Banking Act
    • 6Issued pursuant to section 50 of the Bank of Mauritius Act and section 100 of the Banking Act, dated May 2006 and revised in November 2017. Financial institutions must comply with these guidelines. Failure to comply with the guidelines constitutes a criminal offence.
    • 7Guidelines for issue of insurance policy documents in digital format, issued by the Financial Services Commission on 30 March 2017
    • 8Data will be considered sensitive having regard to the nature of the data in question; e.g., financial information and name of the customer.
    • 9Defined above
    • 10Section 36 of the Data Protection Act 2017

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

Security

We build our services from the ground up to help safeguard your data

Learn more
Privacy

Privacy

Our policies and processes help keep your data private and in your control

Learn more
Compliance

Compliance

We provide industry-verified conformity with global standards

Learn more
Transparency

Transparency

We make our policies and practices clear and accessible to everyone

Learn more

INDUSTRY RESOURCES

INDUSTRY RESOURCES

INDUSTRY RESOURCES

INDUSTRY RESOURCES

RECOMMENDED RESOURCES

CUSTOMER STORIES

 
 
SEE MORE STORIES

CUSTOMER STORIES

 
 
SEE MORE STORIES

CUSTOMER STORIES

 
 
SEE MORE STORIES
*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.