MAURITIUS FSC GUIDELINES CLOUD COMPUTING SERVICES 30 November 2023 [6 MONTHS TO COMPLY]

The Financial Services Commission, Mauritius (‘FSC’) has issued guidance on using cloud computing services (as defined in the Appendix to the document and shown below) that allow access various types of software/hardware tools and applications.

The FSC Guidelines issued pursuant to the powers conferred to the FSC under section 7(1)(a) of the Financial Services Act (‘FSA’), aim at

• Provide general guidance to licensees of the FSC (‘Licensees’) regarding the use of cloud computing services.

In addition to ensuring compliance with the provisions of the Data Protection Act, Cybersecurity and Cybercrime Act 2021 and the Information and Communication Technologies Act , licensees are required to

• Comply with the provisions of these Guidelines,
• While taking into consideration the nature, scale and complexity of their business activities, environment and risks respectively.

Any licensee which, before the coming into operation of this Guidelines, was making use of cloud computing services shall, within 6 months of the issue of these Guidelines, apply the provisions laid out therein

In these Guidelines -

1. “Cloud computing” is a broad term which encompasses access to a shared pool of on-demand configurable computing resources over the internet. These resources take various forms where minimal management effort or service-provider interaction is required. The cloud computing services are offered in three main “cloud service models”, namely:
1. Software as a Service (SaaS) - an application software hosted by a third-party provider and delivered to customers over the internet as a service. The application software typically takes the form of a standardised off-the-shelf application, which is free or paid via a subscription, and accessed over the internet from any device. Users have only permission to the configuration settings specific to the application.
2. Platform as a Service (PaaS) - the usage of a computing platform where users may develop and run their own online applications using the tools, database and other providers’ resources available. Users have only control over their own applications which run on the platform; and
2. Infrastructure as a Service (IaaS) - the usage of computer infrastructure resources – whether physical or virtual servers, networking, storage, and data centre space. Users have only control over the operating system, storage levels and specific networking components.
3. “Cloud computing services” or “cloud-based services” refer to the services provided by the usage of cloud computing on a “pay-per-use” basis. These cloud services are provided through the following different deployment models:
1. Public cloud: the cloud infrastructure is owned and operated by the service provider and is accessible on a public network.
2. Private cloud: the cloud infrastructure is operated solely by a single organisation, either physically managed on-site data centre(s) (on-premises) or externally by a third party and hosted on a private network; and
3. Hybrid cloud: the cloud infrastructure is built on a private cloud architecture with a strategic combination of public cloud services. It, therefore, retains some unique characteristics of the two infrastructures, which are interconnected.
4. “Cloud infrastructure” refers to the essential characteristics of cloud computing, which may comprise of a physical layer and an abstraction layer. The physical layer consists of the hardware resources that are necessary to support the provision of the cloud service and typically includes servers, storage and network components. On the other hand, the abstraction layer consists of the software deployed across the physical layer.
5. “Cloud service provider” refers to the entity providing or hosting the cloud service models.
6. “Licensee” has the same meaning as in the FSA.
7. “Material cloud service” refers to any cloud computing services adopted by a licensee whose interruption is likely to have a significant impact on:
1. The licensee’s ability to continue in business and/or cause a significant disruption in the business operations of the licensee;
2. The licensee’s ability to meet its regulatory responsibilities and/or the conditions of its licence;
3. The licensee’s ability to manage risks including risks relating to any unauthorised access or disclosure, loss or theft of customer information; or
4. Any critical or sensitive assets of the licensee including IT assets.
8. “Outsourcing” means an arrangement whereby licensees engage a third-party service provider to perform activities on an ongoing basis that would normally be undertaken by the licensees themselves.

SOURCE

• https://www.fscmauritius.org/media/168554/final-guideline-on-cloud-computing.pdf
• https://www.fscmauritius.org/media/168553/fsc-issues-guidelines-on-cloud-computing-services.pdf
• https://linkscan.io/scan/ux/aHR0cHM6Ly93d3cuZnNjbWF1cml0aXVzLm9yZy9tZWRpYS8xNjg1NDgvZmluYWwtZ3VpZGVsaW5lLW9uLWNsb3VkLWNvbXB1dGluZy5wZGY=/5BBB9AF659EE261A6BF2E6CD26E128ADF4A77EA6EC3C5CAC97CF9C169F90A1C1?c=1&i=1&docs=1