Morocco: Cloud in Financial Services

An Interactive Guide for Legal and Compliance Professionals

DOWNLOAD OUR WHITEPAPER: Regulating the Use of Cloud Computing by Financial Institutions

REGULATORY OVERVIEW

The Moroccan financial services sector is undergoing a rapid transformation, powered by cloud technologies.

Globally, financial services institutions are considering adopting cloud services, from testing and development of data analytics solutions, through to communications, CRM, and business productivity applications.

A move to the cloud can bring multiple benefits. In a highly regulated sector such as financial services, however, it is crucial to ensure that any move to the cloud complies with applicable regulation and achieves those benefits without undue risk.

MICROSOFT'S COMMITMENT TO THE NIGERIAN FINANCIAL SERVICES SECTOR

Having helped a number of financial institutions move to the cloud, Microsoft recognizes that the role of the cloud service provider is to help facilitate compliance through full, transparent, proactive engagement with the financial institution, and where appropriate, with financial regulators.

From sharing product and service information in the initial project scoping phase through to assisting in any required consultation with financial regulators, Microsoft stands ready to support our financial services customers across the Middle East & Africa (MEA) region. Microsoft has already initiated plans to deliver the Microsoft Cloud - including Microsoft Azure, Office 365, and Dynamics 365 - from data centres located in the MEA region, which will offer enterprise-grade reliability and performance to our customers across the MEA region.

In addition, our subject-matter experts are available to understand your requirements and provide detailed information on the technical, contractual, regulatory and practical aspects of any cloud project. This is all part of our commitment to helping our financial services customers smoothly navigate their way to the Microsoft cloud with confidence and enjoy the benefits of the digital transformation.

THE REGULATORY ENVIRONMENT

In Morocco, different financial services sectors are supervised by different regulators.

  • Currently, the banking sector in Morocco is regulated by Bank Al-Maghrib (Moroccan Central Bank) and insurers are regulated by the Supervisory Authority of Insurance and Social Welfare, or Autorité de Contrôle des Assurances et de la Prévoyance Sociale (ACAPS). The market conduct activities of all financial services institutions are supervised by the Moroccan Capital Market Authority, or Autorité Marocaine du Marché des Capitaux (AMMC).

    The Draft Financial Markets Conduct Bill, 2018 proposes to establish a Financial Markets Conduct Authority, a Financial Sector Ombudsman and a Financial Sector Tribunal.

  • Cloud services are, in principle, permitted. Specific aspects of the applicable regulatory regime (see below) should, however, be carefully considered to ensure compliance based on specific use cases and cloud architecture.

  • There is presently no uniform regulation for cloud services in Morocco. For many financial services institutions, however, cloud services may be regulated as an outsourced service.

    For a bank, its move to the cloud will likely be regulated under:

    1. Outsourcing rules[1]: Certain types of outsourcing are regulated, including outsourcing of material business activities or functions;
    2. Banker-client confidentiality: A bank must maintain client confidentiality in respect of customer information. Banking secrecy covers information relating to the customer's account, the customer's transactions with the bank and information relating to the customer acquired through the keeping of his account. The duty to respect privacy and confidentiality is expressly recognized in Law No. 103.13 on Credit Institutions and Alike.

    While a move to cloud services is not outsourcing in the traditional sense, outsourcing regulations may apply. If the move to the cloud amounts to the outsourcing of certain functions and activities, a number of requirements must be fulfilled. In general, regulatory approval is not required but prior approval by the regulator may be required for certain material functions and activities.[2]

    Both banks and insurers are also subject to the AML regulation[3], and therefore must know their customers and ensure that their records are maintained.[4]

    Under the current regime, a move to the cloud by a bank or insurer will be subject to the following key principles: (i) the financial institution remains responsible for the processing of the transactions, (ii) the use of the cloud must not compromise the services provided to clients, and (iii) the services must be regularly monitored and information kept confidential.

    Furthermore, any financial services institution which amounts to a public institution or an infrastructure of vital importance[5] should ensure compliance with the National Directive for the Security of Information Systems[6] and Decree No. 2-15-712 dated 22 March 2016, laying down the plan for the protection of sensitive information systems of institutions of vital importance, and ensure that its sensitive data[7] is hosted in Morocco. The National Directive for the Security of Information Systems does not define what sensitive data refers to within the context of each financial services institution. Accordingly, a data classification framework that is adopted by the financial services institution and endorsed by the regulator is always recommended in order to define what “sensitive data” means to the financial services institution and stay compliant with the National Directive for the Security of Information Systems.

    Furthermore, regardless of its status of infrastructure of vital importance and subject to specific exemptions[8], any financial services institution having recourse to encryption means or services is required to file a prior declaration or authorization[9], as the case may be, before the General Direction for the Security of Information Systems[10].

  • Generally, approval is not needed. However, prior approval from the relevant regulator will be required in some instances depending largely on the materiality of the outsourced function or activity. A bank will require prior regulatory approval[11] before it outsources “any core activity”.[12]

  • A bank outsourcing any core activity or function (i.e. any activity the exercise of which was initially subject to Bank Al Maghrib’s prior approval) must be able at all times to provide Bank Al-Maghrib with necessary information and ensure the right of Bank Al-Maghrib to carry out its supervisory functions and objectives, including the right to access information and on-site visits.[13]

  • Under the Law No. 09-08 relating to the protection of individuals with respect to the processing of personal data (the "Law 09-08"), personal information may be transferred out of Morocco as long as the requirements of the Law 09-08 are met. Law 09-08[14] permits the transfer of personal information to a foreign country in specific circumstances, including if the recipient is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection as contemplated in Law 09-08, or with prior authorization of the National Control Commission for the Protection of Personal Data (CNDP).

    Microsoft holds itself accountable to and is subject to laws of general application applicable to information technology service providers, and has binding agreements which, in its view, provide adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring that its products and services comply with the EU General Data Protection Regulation which came into force in May 2018.

    [1] Outsourcing legal regime is provided for by Dahir dated 12 August 1913 instituting the Code of Obligations and Contracts. Some specific regulations may apply in some instances, for example for Banks by virtue of Law 103-12 relating to financial establishments and assimilated organisms and its implementing decrees and regulations.
    [2] See section below headed "Is approval needed?"
    [3] Article 2 of the Law n°43-05 with respect to the Anti Money Laundering (AML)
    [4] Article 7 of the Law n°43-05 with respect to the AML
    [5] Defined in Decree No. 2-15-712 dated 22 March 2016 to mean all facilities, works and systems that are essential to the maintaining of the vital functions of the society, public health, safety, security and economic or social well-being, the damage of which or the unavailability or the destruction would have an impact leading to the failure of these functions.
    [6] “Directive Nationale de la Sécurité des Systèmes d’Information”, issued in December 2013, available at Sécurité des systèmes d'information
    [7] Defined in the National Directive for the Security of Information Systems and in Decree No. 2-15-712 dated 22 March 2016 to mean information the compromising, alteration, misappropriation or destruction of which is likely to harm the continuity of functioning or to endanger the informational patrimony of the infrastructure of vital importance.
    [8] Article 2 of Decree 2-08-518 dated 21 May 2009 for the application of Law 53-05, as subsequently amended and completed. See Appendix II of the Decree for the list of exemptions.
    [9] Art 13 of Law 53-05 dated 6 December 2007 relating to the electronic exchange of legal data.
    [10] Decree 2-08-518 dated 21 May 2009 for the application of Law 53-05, as subsequently amended and completed.
    [11] From Bank Al Maghrib (Moroccan Central Bank)
    [12] Para 2 C. N° 4/W/2014 art 101.
    [13] Para 1 C. N° 4/W/2014 art 101.
    [14] Article 43 of Law 09-08

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

We build our services from the ground up to help safeguard your data

Privacy

Our policies and processes help keep your data private and in your control

Compliance

We provide industry-verified conformity with global standards

Transparency

We make our policies and practices clear and accessible to everyone

*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.