Mauritius: Cloud in Financial Services

An Interactive Guide for Legal and Compliance Professionals

REGULATORY OVERVIEW

It is important to note that the law in Mauritius distinguishes between two sectors: the carrying out of banking business, which is governed by the Banking Act and regulated by the Bank of Mauritius ("Central Bank"), and financial services, meaning non-banking services such as insurance, trust services and the provision of credit finance, which are governed by the Financial Services Act and regulated by the Financial Services Commission.

The banking and financial services sector in Mauritius recognizes that innovation is not only the provision of new products or the creation of new consumer experiences but also involves the development of new business models. The traditional banking and financial services landscape is being disrupted by new entrants leveraging technology to deliver new and existing services in more relevant and convenient ways to consumers and businesses, which is what is referred to as "Fintech". According to the Board of Investment Mauritius [1], Fintech represents an opportunity for Mauritius, whose robust banking and financial services industry makes it ideally positioned to capitalize on this growing trend, providing the ability to export financial services and perhaps even become an international financial centre.

In principle, the banking and financial services industries and their regulators appear receptive to cloud usage provided certain risks are addressed. In these highly regulated sectors, it is however crucial to ensure that any move to the cloud complies with the applicable law and sound governance and risk management practices.

In its "Guidelines on Outsourcing by Financial Institutions", issued in May 2006 and revised in November 2017 (the "Guidelines"), the Central Bank, the banking regulator in Mauritius, recognizes that financial institutions may have recourse to cloud-based services to enhance their operations and service efficiency, and provides guidance on the use and adoption of cloud services by financial institutions. Under the Guidelines, a financial institution is defined as a bank, non-bank deposit-taking institution or cash dealer licensed by the Central Bank [2].

MICROSOFT'S COMMITMENT TO BANKING AND FINANCIAL SERVICES IN MAURITIUS

We believe that no cloud services provider has more experience in delivering compliant solutions to banks and financial services businesses in Mauritius than Microsoft. Having helped a number of financial institutions move to the cloud, Microsoft recognizes that the role of the cloud service provider is to help facilitate compliance through full, transparent, proactive engagement with the financial institution and, where appropriate, with financial regulators. Through this process of collaboration over a number of years (with both customers and regulators), Microsoft has developed extensive experience and a pool of practical resources to help financial institutions move to the cloud in a way that meets the highest compliance, risk and security standards.

From sharing product and service information in the initial project scoping phase through to assisting in any required consultation with relevant regulators in Mauritius, Microsoft stands ready to support our financial services customers in Mauritius. Microsoft operates from international data centres and has also initiated plans to deliver the Microsoft Cloud - including Microsoft Azure, Office 365 and Dynamics 365 - from data centres located on the African continent, which will offer enterprise-grade reliability and performance to customers across Africa.

In addition, our subject-matter experts are available to understand your requirements and provide detailed information on the technical, contractual, regulatory and practical aspects of any cloud project. This is all part of our commitment to helping our financial services customers smoothly navigate their way to the Microsoft cloud with confidence and enjoy the benefits of the digital transformation.

THE REGULATORY ENVIRONMENT

The banking sector and financial services sector are regulated differently in Mauritius. The conduct of "banking businesses" (which includes the business of accepting deposits and the making of loans), is governed by the Banking Act. On the other hand, the provision of financial services (such as insurance) is governed by the Financial Services Act.

  • The banking sector in Mauritius is regulated by the Bank of Mauritius ("Central Bank”) whose principal representative is the Governor.

    The Financial Services Commission ensures the sound conduct of business in the financial services sector and in the global business sector. It has responsibility for institutions other than banks, such as insurers, pension funds, collective investment schemes and payment intermediary services.

  • Cloud services are in principle permitted. Financial institutions must however perform the requisite due diligence and apply sound governance and risk management practices when moving to the cloud. [3]

    With regard to banking services, the Central Bank permits the use of cloud services for non-core banking activities. According to the Guidelines, the activities that are considered "core" and should not be outsourced are: (i) board and senior management functions such as strategic oversight, (ii) the internal audit function, and (iii) the compliance function. However, exceptions for certain intra-group outsourcing of core banking activities may be allowed; the Central Bank will consider this on a case-by-case basis. Financial institutions which intend to outsource these core banking activities must seek the prior authorization of the Central Bank.

    That said, the Guidelines also state that the use of cloud-based services for banking activities is "a form of outsourcing" [4]. Where a bank provides computer access to its customers, it must provide such security for its internet and proprietary platforms as the Central Bank considers adequate. [5]

    While cloud services are in principle permitted, specific aspects of the regulatory regime should always be carefully considered to ensure both cloud provider and cloud user compliance based on specific use cases and cloud architecture.

  • There is presently no specific law governing cloud services in Mauritius. For financial institutions there are, however, the "Guidelines on Outsourcing by Financial Institutions", issued by the Central Bank. [6] In the insurance sector, insurers which provide services over the Internet must implement and maintain appropriate mechanisms to address security concerns relating to the confidentiality of personal information transmitted between the consumer and the insurer. In addition, insurers must also ensure that there are business continuity arrangements at all times to avoid business disruptions and to ensure availability of their platform. [7]

    In addition to the above Guidelines, a bank must maintain client confidentiality in respect of customer information. The duty of confidentiality covers any information relating to the affairs of the customers, including any deposits, borrowings, or transactions or other personal, financial or business affairs.

    Under the current regime, a move to the cloud by a bank will be subject to the following key principles:

    • the financial institution remains responsible and accountable for maintaining oversight of cloud-based services and managing the risks of adopting cloud-based services, as in any other form of outsourcing arrangement;
    • the financial institution must have recourse to private or hybrid clouds for hosting applications with "sensitive data" [8], and under no circumstances should data be stored on personal, free or community-based cloud storage services;
    • the financial institution must ensure that data on the cloud and the channel to access them are encrypted;
    • the cloud service provider should have a proven track record of at least 3 years;
    • the financial institution must obtain the consent of its clients for their information to be stored on the cloud in specified jurisdictions;
    • the financial institution must include a clause in its agreement with the cloud service provider, authorising the bank or any firm authorized by the bank to carry out examinations at the cloud servers/data centres, at any time; and
    • there must be a proper exit mechanism in place to provide for the deletion of all data stored on the cloud servers, in the event that the financial institution switches to another service provider or stops the service for any other reason. This arrangement should be included in the contract with the cloud service provider.

  • Approval of the regulator is, in principle, not needed. However, a financial institution that intends to outsource a material activity is required to notify and obtain the prior authorization of the Central Bank. The "Guidelines on Outsourcing by Financial Institutions" define material outsourcing as the outsourcing of "an activity of such importance that any weakness or failure in the provision of this activity could have a significant impact on the financial institution's ability to meet its regulatory responsibilities and/or to continue in business".

    A financial institution intending to outsource non-material activities does not need to seek the prior authorization of the Central Bank, provided the activities do not require approval or authorization under the Banking Act.

  • A bank engaging in any material outsourcing [9] must be able at all times to provide the Central Bank with the specified necessary information and ensure the right of the Central Bank to carry out its supervisory functions and objectives, including the right to access information and to conduct on-site visits where the Central Bank considers it necessary. The contract between the financial institution and the cloud service provider must explicitly allow for on-site visits and unhindered inspections of the outsourced activities by the financial institution and the Central Bank.

  • Customer information which constitutes personal data may be transferred to another country in specific circumstances. Permitted circumstances include where: (i) the Data Protection Commissioner ("Commissioner") has been provided proof of appropriate safeguards with respect to the protection of the personal data; (ii) the data subject has given explicit consent to the proposed transfer (after having been informed of the possible risks of the transfer owing to the absence of appropriate safeguards, if any); and (iii) the transfer is necessary, for example, for the performance of a contract between the data subject and the data controller, or for the conclusion or performance of a contract between the data controller and another person in the interest of the data subject. [10]

    Microsoft holds itself accountable to and is subject to laws of general application applicable to information technology service providers, and has binding agreements which, in its view, will likely constitute adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring that its products and services comply with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.

NOTES

[1] Economic Development Board
[2] i.e., the Bank of Mauritius
[3] Guidelines, at paragraph 5.2, page 9
[4] Guidelines, at paragraph 5.1, page 9
[5] Section 51(4) of the Banking Act
[6] Issued pursuant to section 50 of the Bank of Mauritius Act and section 100 of the Banking Act, dated May 2006 and revised in November 2017. Financial institutions must comply with these guidelines. Failure to comply with the guidelines constitutes a criminal offence.
[7] Guidelines for issue of insurance policy documents in digital format, issued by the Financial Services Commission on 30 March 2017
[8] Data will be considered sensitive having regard to the nature of the data in question; e.g., financial information and the name of the customer.
[9] Defined above
[10] Section 36 of the Data Protection Act 2017

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

We build our services from the ground up to help safeguard your data

Privacy

Our policies and processes help keep your data private and in your control

Compliance

We provide industry-verified conformity with global standards

Transparency

We make our policies and practices clear and accessible to everyone

EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft's view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.