Rwanda: Cloud in Financial Services

An Interactive Guide for Legal and Compliance Professionals

DOWNLOAD OUR WHITEPAPER: Regulating the Use of Cloud Computing by Financial Institutions

REGULATORY OVERVIEW

Digital transformation of the activities of financial services providers such as banks, microfinance institutions and insurance companies is accelerating in Rwanda. Leading financial services providers, including major banks and insurers, recognize the significant benefits and competitive edge to be derived from cloud services, such as agility, scalability, cyber resilience and secure access. As in many other countries, cloud services can help Rwanda to fully exploit the transformational power of information and communication technology by allowing a cost-effective sharing of resources. Furthermore, cloud services can help reduce some of the challenges introduced by the significant capital expenditure required in information technology hardware infrastructure and software.

In a highly regulated sector such as financial services, it is, however, crucial that a move to the cloud complies with applicable regulation and achieves the intended benefits.

MICROSOFT'S COMMITMENT TO THE RWANDA FINANCIAL SERVICES SECTOR

Microsoft has extensive experience of delivering compliant solutions to financial institutions around the world, having helped a number of financial institutions successfully move to the cloud. Microsoft recognizes that the role of the cloud service provider is to help facilitate compliance through full, transparent, proactive engagement with the financial institution and, where appropriate, with financial regulators. Through this process of collaboration over a number of years (with both customers and regulators), Microsoft has developed excellent experience and a pool of practical resources to help financial institutions move to the cloud in a way that meets the highest compliance, risk and security standards.

From sharing product and service information in the initial project scoping phase through to assisting in any required consultation with financial regulators, Microsoft stands ready to support our financial services customers across the Middle East & Africa (MEA) region. Microsoft has already initiated plans to deliver the Microsoft Cloud - including Microsoft Azure, Office 365 and Dynamics 365 - from data centres located on the African continent, which will offer enterprise-grade reliability and performance to our customers across Africa.

In addition, our subject-matter experts are available to understand your requirements and provide detailed information on the technical, contractual, regulatory and practical aspects of any cloud project. This is all part of our commitment to helping our financial services customers smoothly navigate their way to the Microsoft cloud with confidence and enjoy the benefits of the digital transformation.

THE REGULATORY ENVIRONMENT

The current financial services industry in Rwanda is primarily under the supervisory authority of the National Bank of Rwanda ("BNR")[1]. Law No. 47/2017 of 23/9/2017 governing the organization of banking ("Banking Act") came into force in October 2017, replacing the 2008 law. It governs the organization of banking, management and supervision of banks operating within the Republic of Rwanda. It also sets standards and prudential rules to which banks are subject with a view to maintaining a safe and sound banking system in the interests of depositors and other bank customers.

To ensure the conduct of business operations, BNR has issued Regulation No. 04/2018 of 24/01/2018 on business continuity management, which regulates the manner in which a bank is required to store data.

Microfinance activities are organized under Law No. 40/2008 of 26/08/2008 establishing the organization of micro finance activities while the Law No. 52/2008 of 10/09/2008 governs the organization of insurance business.

  • Currently, the banking sector and the microfinance and insurance sectors in Rwanda are supervised by the BNR, headed by the Governor. The general mission of BNR is to ensure price stability and a sound financial system. Amongst other things, the BNR has the following responsibilities:

    1. to supervise and regulate the activities of financial institutions[2];
    2. to supervise and regulate payment systems;
    3. to conduct a financial stability assessment for sustaining economic growth and development;
    4. to formulate and implement policies to promote the establishment of regulations and the supervision of efficient and effective clearing and settlement payment systems;
    5. to collect, compile and disseminate monetary and related financial statistics on a timely basis;
    6. to follow up and promote the soundness of financial institutions and their compliance with governing laws, including the law on preventing and penalizing crimes of money laundering and financing terrorism;
    7. to ensure the adoption by financial institutions of policies and procedures designed to control and manage risks effectively; and
    8. to adopt policies to safeguard the rights and interests of customers, depositors and creditors of financial institutions, having regard to the need for financial institutions to compete effectively in the market and take reasonable risks.

    The BNR also has overarching responsibility for financial institutions other than banks, microfinance institutions and insurance companies such as capital markets, pension funds, collective investment schemes and financial service providers.

    Under the BNR Act, BNR has powers to set regulations, directives and take decisions on matters provided by this law and other specific laws.

  • Yes, cloud services are in principle permitted. However, the BNR considers a bank's move to the cloud to be a form of outsourcing[3], which will be subject to BNR Regulation No. 03/2018 of 24/01/2018 on outsourcing published in Official Gazette No. 6bis of 05/02/2018 ("BNR Outsourcing Regulation").

  • The general provisions of the BNR Outsourcing Regulation, and in particular Article 17, which applies to a bank's use of cloud services, provide that:

    1. The bank is ultimately responsible for ‘outsourcing operations’ and for managing risks inherent in such outsourcing relationships. The bank must satisfy itself that the security policies, procedures and controls of the cloud service provider ("CSP") will enable the bank to protect the confidentiality and security of customer information.
    2. The engagement of a CSP in a foreign country, or an outsourcing arrangement where the outsourced function is performed in a foreign country, may expose the bank to country risk - economic, social and political conditions and events in a foreign country that may adversely affect the bank - which the bank should consider and address.
    3. BNR recognizes that a bank may leverage cloud services to enhance its operations and service efficiency while reaping the benefits of the CSP's scalable, standardized and secured infrastructure. In this regard, the CSP selected by the bank must have implemented strong authentication, access controls, and tokenization techniques and data encryption security which meet the bank's requirements.
    4. The bank must perform necessary due diligence and apply sound governance and risk management practices when subscribing to cloud services. The bank must be aware of different characteristics of cloud services such as multi-tenancy, data commingling and the higher propensity for processing to be carried out in multiple locations. The bank must also take active steps to address the risks associated with data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance and auditing. In particular, the bank must ensure that the CSP has the ability to clearly identify and segregate customer data using strong physical or logical controls.
    5. The bank must ensure that the CSP has in place robust access controls to protect customer information and such access controls should survive the tenure of the contract for cloud services.
    6. The bank is and remains ultimately responsible and accountable for maintaining oversight of cloud services and managing any attendant risks. A risk-based approach must be taken by the bank to ensure that the level of oversight and controls are commensurate with the materiality of the risks posed by the functions and activities outsourced to the cloud.

    A bank would also need to consider the BNR regulation on cybersecurity[4], which aims to establish minimum prudent standards for banks to protect against cybersecurity threats, and to promote the protection of customer information as well as the information technology systems of banks. It provides, amongst other things, that:

    1. a bank licensed by the BNR must maintain its primary data in the territory of the Republic of Rwanda (see discussion below); and
    2. a bank must also maintain a cybersecurity strategy and program designed to protect the confidentiality, integrity and availability of the bank’s information systems.

    Although the above is specific to banks, any microfinance and insurance companies that wish to move to cloud services may also be advised to engage with BNR if the arrangement could jeopardize their cyber resilience and/or the protection of confidentiality and security of customer information.

  • A bank wishing to outsource material activities should first get approval from the BNR. This will depend on the circumstances. Also, prior approval of the BNR will be necessary to contract, modify or extend a material outsourcing arrangement[5].

    For other sectors of financial services, as explained above, approval may also be necessary.

  • A bank outsourcing any material activity or function must be able at all times to provide the BNR with necessary information, and ensure outsourcing arrangements do not interfere with the ability of the bank to effectively manage its activities or impede BNR in carrying out its supervisory functions and objectives. The bank must subject the service provider to appropriate due diligence processes to assess the risks associated with the outsourcing arrangements. The bank must establish a structure for the management and control of its outsourcing arrangements. The bank must also evaluate the adequacy of the internal controls environment offered by the service provider.

    Similarly, a microfinance institution or an insurer outsourcing any control, management or material function must appropriately assess, monitor, manage and regularly review the performance of the outsourced service provider and ensure that it has continued access to information and that the outsourced service provider permits the regulator access to its business and information relevant to the applicable function or activity.

  • Under the BNR regulation on cyber-security[8], any bank licensed by the BNR must maintain its primary data in the territory of the Republic of Rwanda. This should however permit public cloud services as back-up for primary data, subject to prior approval from BNR. Material outsourcing arrangements with service providers located outside Rwanda must be conducted in a manner so as not to hinder BNR’s efforts to supervise the Rwanda business activities of the bank (i.e., from its books, accounts and documents) in a timely manner.

  • [1] Established under Law No. 48/2017 of 23/09/2007 governing the National Bank of Rwanda in Official Gazette No. 41 of 09/10/2017 ("BNR Act")
    [2] Notably banks, micro finance institutions, non-deposit taking lending institutions, finance-lease institutions, insurance institutions, social security institutions, pension funds/schemes institutions, discount houses and other financial services providers that are not supervised by any other institution under specific laws
    [3] Article 17 of the BNR Regulation No. 03/2018 of 24/01/2018 on outsourcing published in Official Gazette No. 6bis of 05/02/2018
    [4] BNR Regulation No. 02/2018 of 24/01/2018 on cyber-security, published in Official Gazette No. 6bis of 05/02/2018
    [5] "Material activities" means those which, if disturbed, may significantly affect the business operations, reputation or profitability of the bank.
    [6] Article 18 of the regulation on outsourcing
    [7] Article 14 of the regulation on outsourcing
    [8] BNR Regulation No. 02/2018 of 24/01/2018 on cyber-security, published in Official Gazette No. 6bis of 05/02/2018, as read with BNR regulation on outsourcing (Article 15.2(d))

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

We build our services from the ground up to help safeguard your data

Privacy

Our policies and processes help keep your data private and in your control

Compliance

We provide industry-verified conformity with global standards

Transparency

We make our policies and practices clear and accessible to everyone

*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.