This report examines cloud adoption and regulation across the Asia-Pacific financial services sector. It explores how regulatory settings can act as a facilitator for cloud adoption, identifies the key emerging regulatory issues under discussion by financial institutions (FIs) and regulators in the region and globally, and provides recommendations to regulators and other stakeholders on actions they can take to help drive cloud adoption in financial services and collaborate for a future-ready financial ecosystem. 

The findings and recommendations are informed by interviews with 15 official sector agencies—including central banks, monetary authorities, bank supervisors, and securities regulators—in ten Asia-Pacific economies, together with interviews with IIF member active in cloud in region, and builds on the IIF’s previous work on cloud and digital transformation.

Key findings from the study include: 

• Cloud adoption by FIs is increasing. FIs are migrating non-core services and authorities are starting to oversee cloud-native FIs; however, smaller banks and core services are slower to move. 
• Benefits of adoption include improved security and cost savings. With increased recognition that CSPs can provide FIs more sophisticated fraud prevention and cyber defences, there is also a warning that misconfiguration risk management is key. 
• Talent is crucial. Recruiting and retaining granular expertise in cloud migration and CSP offerings is a challenge and regulators are encouraging FIs to reskill existing workforces
• No authority sees an immediate need to extend the regulatory perimeter to cover CSPs, and systemic risk is not considered significant at this time. 
• There is a variety of attitudes among authorities to data localization, but all regulators insist that access to data is vital, while data localization remains a key “pain point” for FIs. 

Key recommendations based on the findings include: 

• FIs and regulators should adopt approaches that help smooth the transition to cloud technology, while always ensuring that risks are adequately monitored and managed.
• FIs should focus on developing an adoption plan based on their institution’s strategic goals and objectives consistent with their risk management strategies.
• Data localization requirements are frequently not the best means to achieve regulatory objectives. Clearly identifying objectives and working with industry can yield better results for the entire economy. 
• Financial institutions and regulators working closely together could enable safe and successful migration, chiefly by providing clear guidance and timely and easy to navigate notification/approval processes.

The IIF looks forward to continuing to engage with stakeholders on this topic moving forward, including on the issues for further study identified in the report.