Jordan: Cloud in Financial Services

An Interactive Guide for Legal and Compliance Professionals

DOWNLOAD OUR WHITEPAPER: Regulating the Use of Cloud Computing by Financial Institutions

REGULATORY OVERVIEW

The financial services sector is one of the most robust and mature sectors in Jordan, remaining resilient in the face of significant external volatility and retaining its role as a driver of economic growth. It is not surprising that many of Jordan’s leading financial services providers, including major banks and insurers, are moving to the cloud. They recognize the significant benefits and competitive edge to be derived from cloud services, such as agility, scalability, cyber resilience and secure access. Cloud is therefore driving a rapid transformation in the Jordanian financial services sector as more institutions move to the cloud as part of the reassessment of their technology strategies, from testing and development of data analytics solutions through to communications, CRM and business productivity applications.

In principle, both those in the financial services industry and their regulators appear comfortable with cloud usage provided certain risks are addressed. In a highly regulated sector such as the financial services sector, it is however crucial to ensure that any move to the cloud complies with applicable regulation, and achieves the obvious benefits without undue risk.

MICROSOFT'S COMMITMENT TO THE JORDANIAN FINANCIAL SERVICES SECTOR

We believe that no cloud services provider has more experience of delivering compliant solutions to financial institutions in Jordan than Microsoft. Having globally and regionally helped a number of financial institutions move to the cloud, Microsoft recognizes that the role of the cloud service provider is to help facilitate compliance through full, transparent, proactive engagement with the financial institution and where appropriate, with financial regulators. Through this process of collaboration over a number of years (with both customers and regulators), Microsoft has developed excellent global and regional experience, and a pool of practical resources to help financial institutions move to the cloud in a way that meets the highest compliance, risk and security standards.

From sharing product and service information in the initial project scoping phase through to assisting in any required consultation with financial regulators, Microsoft stands ready to support our financial services customers across the MEA region. Microsoft has already initiated plans to deliver the Microsoft Cloud - including Microsoft Azure, Office 365 and Dynamics 365 - in the Middle East, which will offer enterprise-grade reliability and performance to our customers across the region.

In addition, our subject-matter experts are available to understand your requirements and provide detailed information on the technical, contractual, regulatory and practical aspects of any cloud project. This is all part of our commitment to helping our financial services customers smoothly navigate their way to the Microsoft cloud with confidence and enjoy the benefits of the digital transformation.

THE REGULATORY ENVIRONMENT

The current financial services industry in Jordan is regulated by different regulatory regimes, with different sectors being supervised by different regulators.

  • Currently, the banking sector in Jordan is regulated by the Central Bank of Jordan ("CBJ"). The Board of Directors of the CBJ approves the licensing of Jordanian banks, their mergers, the revocation of their licenses, the opening of their branches inside and outside the Kingdom and in free zones established in the Kingdom, the licensing and the revocation of licenses of branches or representative offices of foreign banks in the Kingdom and in the free zones established therein; and approves and revokes the licenses of financial institutions in accordance with the applicable legislation.[1]

    The insurance sector is regulated by the Insurance Directorate at the Ministry of Industry, Trade and Supply. An insurer[2] is not permitted to transact insurance business without a license from the Insurance Directorate.[3]

    The Jordan Securities Commission (JSC) regulates, monitors and develops Jordan's capital market, including issues related to disclosure, financial services activities and dealing in securities. This is done to enhance trust in the national economy, encourage investment and protect investors.[4]

  • Yes, cloud services are in principle permitted.[5] While a move to cloud services is not outsourcing in the traditional sense, the Instructions regarding Governance and Management of Information and the Accompanying Technology No. 65-2016 dated 25 October 2016 and its annexes will likely apply. For the outsourcing of certain functions and activities, a number of requirements must be fulfilled. In general, prior approval from the regulator is not required, but banks, Islamic banks, financial institutions, money exchange companies, credit information companies and microfinance companies must notify the CBJ when contracting with any provider of cloud services.[6]

    When concluding agreements with third party service providers for the provision of human resources, services, software and IT infrastructure to manage the operations of the bank, a bank should ensure that the service provider complies with the provisions of the aforementioned Instructions[7] in whole or in part to the extent commensurate with the importance and nature of the bank's operations and the services, programs and infrastructure provided, before and during the term of the agreement. This does not relieve the bank or its Board of Directors or Executive Management from the responsibility of fulfilling its compliance obligations, including any audit requirements.

    While cloud services are in principle permitted, specific aspects of the regulatory regime should always be carefully considered to ensure both cloud provider and cloud user compliance based on specific use cases and cloud architecture.

  • There is presently no uniform regulation for cloud services in Jordan; however, the CBJ has issued specific Cloud Computing Guidelines. For many financial services institutions, a move to the cloud may also be regulated as an outsourced service and/or an arrangement impacting on its cyber resilience.

    For a bank, its move to the cloud will likely be regulated under the following[8]:

    1. Cloud Computing Guidelines issued by the CBJ[9]: These guidelines apply to banks and other concerned organizations[10] and confirm that the bank retains full responsibility for its compliance obligations. The document also clarifies guidelines regarding cloud computing technology, its core features, deployment models, service models, and guidance on some of the key issues that must be considered carefully when using cloud computing, including risk management, business continuity, controls and mechanisms to protect data. It also confirms the need for the bank to ensure rights of supervisory access for the CBJ.
    2. Instructions regarding Governance and Information Management and the related Technology No. 65-2016 dated 25 October 2016 and its annexes[11].
    3. Instructions of internal control systems (35/2007) dated 10/6/2007: the instructions stipulate that the internal control systems must guarantee the effectiveness and integrity of information management and the related technology at the bank, including setting up proper controls to ensure the quality of the services provided by external parties and the mechanism of ensuring the confidentiality, accuracy, availability, and integrity conditions; where such conditions are controlled through duly documented agreements.
    4. Circular concerning risk management principles for electronic banking No. 3344/1/10 of 21 March 2005[12]: The Board of Directors and senior management in a bank must establish a system and mechanism for the management of outsourcing services to support the process of providing and developing e-banking services.
    5. Instructions for Conducting Banks’ Activities via Electronic Means No. 8 of 2001[13]: A bank which wishes to conduct any of its activities through electronic means should fulfil certain requirements and notify the CBJ of the fulfilment of the relevant requirements. The bank should also organize the agreements between the bank and any of the companies providing services or support in a manner that does not conflict with banking confidentiality provisions and in a manner that ensures the security of the systems and information.
    6. Circular concerning the instructions of the Business Continuity Plan No. 10/1/9943 dated 17 August 2014: A bank must ensure that agreements with external suppliers for technical support of services in general, and critical services in particular, require support under a service level agreement to ensure availability at all levels and in compliance with the bank's business continuity plans.[14] Furthermore, the bank should have an outsourcing policy which takes into consideration the need for third parties to have reliable business continuity plans, with periodic (at least annual) independent confirmation from a neutral party, guaranteeing the availability and confidentiality of bank data and operations in the event of any emergency that may lead to the interruption of the supply of services, and the use of this rule as an important criterion in the selection of suppliers for the use of their services. The bank must ensure that its agreements with relevant service providers reflect these requirements.[15]
    7. Cyber risks resilience Instructions[16]: A bank's cyber resilience should be in accordance with international best practice guidance for financial market infrastructures. This requires that a bank should implement appropriate risk-mitigation measures, either by means of outsourcing or third-party agreements, or by internal resources which are available to it in-house without undue delay; and
    8. Banker-client confidentiality: A bank must maintain client confidentiality in respect of customer information. Banking secrecy covers information relating to the customer's account, the customer's deposits, trusts, and safe-deposit boxes and information relating to the customer acquired through the keeping of his account. There is no specific data protection law in Jordan[17], but certain laws refer to the requirement to keep certain information confidential.[18] The duty to respect privacy and confidentiality is expressly recognized in Banking Law No. 28 of 2000.[19]

    For an insurer, the Insurance Regulatory Law stipulates that all means of proof may be utilized in matters related to insurance, including electronic data, data issued by computers, telex, facsimile correspondence, and electronic mail. An insurer may maintain, for the period specified by law, a microcopy (microfilm or other modern technological instrument) instead of the original registers, records, statements, documents, correspondence, telegrams, notices and other papers relevant to its financial transactions. These microcopies shall have the original's conclusiveness as to proof. Insurance companies using computers or other modern technological equipment to regulate their financial operations shall be exempted from keeping the registers required by the Law of Commerce in force, and the information obtained from these instruments or other modern methods, shall be deemed as commercial registers.[20] Instructions No. 2 of 2004 regarding Computerization of the Business of Insurance Companies[21] requires that an insurer should set up information systems and procedures for the computerization of its work related to financial, technical and legal matters related to insurance. While the Instructions do not regulate outsourcing or cloud services explicitly, a move to the cloud can assist an insurer to comply with its obligations.

    Both banks and insurers[22] (and other financial entities including persons or companies exercising any of the activities subject to the supervision and licensing of the Securities Commission[23]) must keep records and legal instruments to document local and international financial transactions with sufficient data to identify such transactions; as well as maintain such records, documents, legal instruments, data and information including records of identification of customers and real beneficiaries (know-your-client records) for not less than five years from the date of completion of the transaction or the date of termination of the business relationship, as the case may be, which must be updated periodically. Microfilm copies or any other modern electronic means may be maintained, which shall have the same legal effect as the originals in relation to evidence, if prepared, kept and retrieved in accordance with the bases identified within the instructions issued by the Chief of the Anti Money Laundering and Counter Terrorist Financing Unit (the unit is linked to the Governor of the Central Bank of Jordan).[24]

    There are no Regulations or Guidelines governing the use of cloud services by insurance companies.

  • Generally approval is not needed. However, banks, Islamic banks, financial institutions, money exchange companies, credit information companies or microfinance companies must notify the CBJ when contracting with any cloud service provider.[25] Banks should, when concluding agreements with third party service providers who provide human resources, services, software and IT infrastructure to manage the operations of the bank, ensure that the service provider complies with the provisions of the aforementioned instructions in whole or in part to the extent commensurate with the importance and nature of the bank's operations and the services, programs and infrastructure provided, before and during the term of the agreement.

  • When contracting with a cloud service provider, the bank must ensure that it can at all times provide the CBJ with necessary information and ensure the right of the CBJ to carry out its supervisory functions and objectives, including ensuring that all the bank’s data and cloud computing services are available for review or inspection by the CBJ at any time.[26]

  • There is no specific data protection law in Jordan[27], and no specific restriction on transfer of data offshore. Microsoft nonetheless holds itself accountable to and is subject to laws of general application applicable to information technology service providers, including security breach notification law, and has binding agreements. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring that its products and services comply with the EU General Data Protection Regulation which came into force in May 2018.

  • [1] Central Bank of Jordan Law No. 23 of 1971 and Amendments Thereto
    [2] Insurance company, including Jordanian public shareholding company, branch of a foreign insurance company registered in Jordan, subsidiary company, and an off shore company
    [3] Article 25 and 45 of the Insurance Regulatory Law and its amendments No. (33) of 1999
    [4] Articles (8, 12, 47) of the Securities Law No. (18) for the Year 2017
    [5] See Cloud Computing Guideline issued by the CBJ
    [6] Cloud Computing Guideline issued by the CBJ (Guideline 2.6)
    [7] Instructions regarding Governance and Management of Information and the Accompanying Technology No. (65-2016) dated 25-10-2016
    [8] Many of which are highlighted in the Cloud Computing Guideline issued by the CBJ
    [9] Central Bank of Jordan
    [10] Banks, financial institutions, exchange companies, microfinance companies and credit information companies that are subject to the supervision and control of the Central Bank of Jordan
    [11] Instructions regarding Governance and Information Management
    [12] Risk management principles for electronic banking
    [13] Instructions for Conducting Banks’ Activities via Electronic Means Circular No. (8/2001)
    [14] Circular concerning the instructions of the Business Continuity Plan No. (10/1/9943) dated 17/8/2014 (Article 11)
    [15] Circular concerning the instructions of the Business Continuity Plan No. (10/1/9943) dated 17/8/2014 (Article 12)
    [16] Cyber risks resilience Instructions issued by the CBJ
    [17] However, a draft Data Protection Law has been published by the Ministry of Information and Communications Technology for public comment. This indicates that data protection laws are being considered.
    [18] Including the Constitution of The Hashemite Kingdom of Jordan 1952, Credit Information Law No 15 of 2010, Anti-Money Laundering Law No. 46 of 2007, and the Banking Law No. 28 of 2000. Note also the Instructions on the Protection of the Personal Data of the Clients of Payment Services and Electronic Transfer of Funds issued by the CBJ pursuant to the Provisions of Article (4/B/13) of the CBJ Law No (23) of 1971.
    [19] Banking Law
    [20] Article 100 of the Insurance Regulatory Law
    [21] joif
    [22] For more information concerning insurers see Instructions of Anti Money Laundering and Counter Terrorist Financing in Insurance Activities and the Amendments Thereof No 2 of 2016
    [23] For more information see Instructions on Anti Money Laundering and Counter Terrorist Financing in Securities Activities of 2010
    [24] Article (14/6) of the Anti-Money Laundering and Counter Terrorist Financing Law No 46 of 2007
    [25] Cloud Computing Guideline issued by the CBJ (Guideline 2.6)
    [26] Cloud Computing Guideline issued by the CBJ (Guideline 2.6)
    [27] However, a draft Data Protection Law has been published by the Ministry of Information and Communications Technology for public comment. This indicates that data protection laws are being considered.

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

We build our services from the ground up to help safeguard your data

Privacy

Our policies and processes help keep your data private and in your control

Compliance

We provide industry-verified conformity with global standards

Transparency

We make our policies and practices clear and accessible to everyone

*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.