MFSA Released a Circular about Software-as-a-Service as an Outsourcing Arrangement

In its continued work to increase awareness about ICT matters, the MFSA has issued a circular titled ‘Software-as-a-Service as an Outsourcing Arrangement’ as more financial institutions are starting to adopt cloud solutions across different areas within their organisation.

Financial entities have been resorting to automation using digital solutions in order to increase efficiency and drive costs lower. While the term Software-as-a-Service (SaaS) is technical, the services that it provides are very real and used by several license holders. If you have bought a renewable software license via a subscription, whether installed on the cloud or on-premises, then this applies to you too. It does not apply to one-time purchases of software.

Services that are commonly acquired through such a model include Know Your Customer (KYC), Anti-Money Laundering (AML), Anti-Terrorism Financing (ATF), Risk & Compliance tools and Case Investigation. In all cases, the MFSA is highlighting the importance of giving due consideration to the outsourcing risk, including access to data in case of provider default, right to access and right to audit. These have to be evaluated in your Business Impact Analysis and Business Continuity Plans. The circular addresses two key points: establishing whether a SaaS application falls under an outsourcing arrangement, and outsourcing risks in the context of SaaS.

Access the circular here.

At RSM, we have helped many customers to align with MFSA regulations. Insurances, Banks, TIIs, e-money issuers and others have used our services in the following areas:

  • Outsourced Information Security Officer
  • Risk Management Frameworks
  • Business Impact Assessments
  • Develop Cyber Security Strategies
  • Ensure effective training and awareness
  • Technical cybersecurity testing
  • Implementation support to the Information Security Officer.