The Bank of Ghana has introduced new guidelines for cloud computing in banking, marking a significant step towards embracing digital transformation in the financial sector.
These guidelines aim to promote the adoption of cloud computing services while ensuring the security, confidentiality, and integrity of banking operations and customer data.
The new guidelines outlined the requirements for banks and financial institutions to follow when adopting cloud computing services. This includes ensuring that cloud service providers meet the Bank of Ghana’s security and risk management standards.
According to the revised explanatory notes on Outsourcing Directives, paragraph 26c of the Exposure Drafts which increase RFI’s dependence on service providers and allowed heighten risk have been deleted because some business operations of the Service Provider may be non-financial which are not permissible under Act 930 and Act 1032.
Furthermore, the new outsourcing explanatory note required the use of data from the recent Audited Financial Statement in determining supervisory thresholds for materiality assessments, however, a footnote has been inserted, providing clarity to the reference date to apply when computing the total operating cost.
This means that with increasing reliance on third-party service providers, the directive mandates robust data protection mechanisms to secure customer information, therefore, institutions are required to ensure that service providers adhere to the highest standards of confidentiality and cybersecurity.
The directive also grants financial institutions the right to monitor and audit their cloud service providers to ensure adherence to contractual and regulatory obligations. This provision aims to enhance transparency and accountability.
However, the central bank stated that the minimum expectations for Regulated Financial Institutions (RFls) with regards to Risk Assessment aligns with CP25 (Operational Risk and Operational Resilience) of the Basel Core Principles for Effective Supervision (BCPs). Also there is a provision that restricts RFls from procuring the services of Service Providers/ sub-contractors that are owned or controlled by related interest and related persons.
The means that, institutions must implement effective risk management systems to identify, assess, and mitigate potential threats arising from outsourcing arrangements. This includes contingency planning to address service disruptions.
In addition, BoG added that the factors to consider when conducting a materiality assessment has been re-arranged with the quantitative requirements separated from the qualitative criteria. “The reviews of an RFl’s outsourcing arrangements to identify new outsourcing risks and materiality have been amended. RFls are required to conduct the reviews annually”, it said.
This directive imposes an obligation on financial institutions to regularly assess the performance of third-party providers, ensuring compliance with both contractual terms and regulatory standards.
Nonetheless, this initiative reaffirms the Bank of Ghana’s commitment to fostering a resilient, innovative, and secure financial ecosystem, ensuring that Ghana’s banking sector remains competitive in a rapidly evolving digital landscape.
