PFRDA Lays Down Policy Framework For Cloud Services By Intermediaries: Learn More
PFRDA has advised the intermediaries adopting cloud services to comply with its guidelines.
The Pension Fund Regulatory and Development Authority (PFRDA) has laid down a Policy Framework for intermediaries adopting cloud services to protect subscribers’ interests.
The November 23 circular lays down the legal requirements and compliances if intermediaries adopt cloud services. The new rules come after PFRDA gave guidelines on outsourcing the day-to-day activities of the Central Record-keeping Agencies (CRAs) and pension funds in 2016 and 2017, respectively. At the time, the outsourcing activities related to IT and ITeS were left out.
The PFRDA-registered intermediaries have extensively leveraged information technology (IT) and IT-enabled services (ITeS) lately, including cloud computing, to support their business and customer services. It is expected to equip them to expand cloud services.
While cloud solutions offer multiple advantages in the financial and other sectors, they have also increased cyber security risks. The cloud services are considered part of the outsourcing activities of the registered intermediaries. Hence, the pension regulator has established a policy framework for adopting cloud services to address the risks and ensure regulatory compliance. The new rules are in addition to the outsourcing guidelines for the intermediaries.
PFRDA has advised the intermediaries adopting cloud services to comply with its policy.
The intermediary must ensure that the cloud service provider maintains the same high standard in performing the services as the intermediary would have if the same activity were not outsourced.
They must also ensure that outsourcing addresses the entire life cycle of data, from the time the data is generated and entered in the cloud to the data being permanently deleted. They must ensure that the procedures specified are consistent with business needs and legal requirements.
While establishing a risk-management framework, they must also consider risks and cloud-service-specific factors, like multi-tenancy, multi-location storing and processing of data, etc.
Intermediaries must adopt a well-established cloud adoption policy. For instance, it should identify the activities that can be moved to the cloud, enable and support the protection of various stakeholder interests, and ensure regulatory compliance, “including privacy, security, data sovereignty, recoverability, and data storage requirements, aligned with data classification”.
The intermediary board will decide on the adoption of cloud-based services after evaluating the need, implications, risks, benefits, etc. Further, it will consider all relevant laws, regulations, rules, guidelines, and conditions for licensing or registration.
After evaluating all relevant activities, the board will implement a comprehensive board-approved cloud adoption policy, including laying a clear policy on the role of senior management, the IT and business functions, and the oversight and assurance functions.
The intermediaries must immediately notify PFRDA in case of a security breach or leakage of confidential customer-related information. The intermediary’s compliance officer will be responsible for filing the incident or reporting to CERT-In (Indian Computer Emergency Response Team under the Ministry of Electronics and Information Technology) or similar entities, including PFRDA. Information and cyber security breaches must be reported to CERT-In in the prescribed format, which is provided in the PFRDA circular dated June 30, 2021.
The circular has listed many other policy guidelines besides the rules mentioned above. Those interested can check the detailed guidelines in the notification.