Asia Cloud Computing Association’s (ACCA) Response to the Merchant Acquiring Services Exposure Draft
Asia Cloud Computing Association’s (ACCA) Response to the Merchant Acquiring Services Exposure Draft | Sep 2020 | Page 1 of 3
Jabatan Pemantauan Pembayaran
Bank Negara Malaysia
Jalan Dato' Onn
50480 Kuala Lumpur
Submitted via email to email@example.com
1 September 2020
Re: Asia Cloud Computing Association’s (ACCA) Response to the Merchant Acquiring Services
The ACCA appreciates the efforts of Bank Negara Malaysia (BNM) to clarify regulations for Merchant
Acquiring Services to account for technological change. As financial institutions increasingly shift to
digital environments, particularly due to challenges brought on by the COVID-19 pandemic, we
believe that clear and enabling regulations for technology use such as cloud computing are key to
helping meet customer needs while ensuring proper protections are in place.
As the apex industry association for Asia Pacific stakeholders in the cloud computing ecosystem, the
ACCA represents a vendor-neutral voice of the private sector to government and other stakeholders.
The ACCA’s mission to accelerate the adoption of cloud computing throughout Asia Pacific by
helping to create a trusted and compelling market environment, and a safe and consistent
regulatory environment for cloud computing products and services. We are committed to
strengthening digital resilience, and to the development of a safe and secure ecosystem where data
is protected by the best technology and regulatory frameworks, in support of a better world for all.
Following discussions with our member companies, we are submitting the following comments to
the Merchant Acquiring Services Exposure Draft. Should you have any questions on our comments, I
would be pleased to arrange for a videoconference discussion with our members.
Thank you, and I look forward to hearing from you on the issues raised.
Asia Cloud Computing Association
Asia Cloud Computing Association’s (ACCA) Response to the Merchant Acquiring Services Exposure Draft | Sep 2020 | Page 2 of 3
Asia Cloud Computing Association’s (ACCA) Response to the Merchant Acquiring Services Exposure
The ACCA thanks Bank Negara Malaysia (BNM) for the opportunity to submit feedback on the
Merchant Acquiring Services Exposure Draft (the “Exposure Draft”).
1. General Comments
a. As a general comment, we would like to encourage consistency between the Merchant
Acquiring Services Exposure Draft and the current BNM Outsourcing Guidelines to help avoid
b. In addition, we would also like to suggest a consultation on operational issues related to Risk
Management in Technology (RMiT) to align regulatory expectations with current
international best practices.
2. Comments on Section 16.5(c)
This provision stipulates that as part of their outsourcing agreements, acquirers must have
provisions for on-site inspection of service providers, which would include cloud service providers
a. The ACCA would like to highlight that for CSPs, requiring on-site customer access poses a
security risk due to the multi-tenanted environment of the public cloud model. Physical
access rights would allow acquirers to access the same physical environment used by many
other companies, and also presents potential for property damage or personal injury.
b. In addition, such access rights also conflict with international security best practices and
standards for public cloud.
c. We would also like to note that this audit right also runs counter to BNM’s Outsourcing
Guidelines (the “Outsourcing Guidelines”), which recognize alternative means of exercising
audits and inspections of CSPs, such as relying on third party audit reports (Section 11.3 of
the Outsourcing Guidelines).
d. Recommendation: To align with the Outsourcing Guidelines, we suggest that BNM revise
Section 16.5(c) to explicitly state that service providers can provide regular audit reports
certifying that they are compliant with global security standards. We therefore recommend
that this section be amended per the below, which is substantively the same as the
“The acquirer may rely on third party certifications and reports made available by a cloud
service provider to exercise its access rights under this section, provided such reliance is
supported by an adequate understanding and review of the scope of the audit and methods
employed by the third party, and access to the third party and service provider to clarify
matters relating to the audit.”
Asia Cloud Computing Association’s (ACCA) Response to the Merchant Acquiring Services Exposure Draft | Sep 2020 | Page 3 of 3
3. Comments on Section 16.6
a. This section contains a requirement for outsourced parties such as CSPs to provide a written
undertaking to comply with additional privacy requirements set by BNM, which is not
compatible with the shared responsibility framework under which CSPs operate.
In this framework, CSPs work in tandem with customers, such as acquirers, to assure data
security, privacy, and reliability. Customers maintain governance over the entire IT control
environment and retain full control and ownership over data and other content when using
a CSP’s services. The customer is also responsible for determining the levels of security they
wish to adopt for data storage and processing. When a customer retains control of security
processes to protect their own content, applications, systems and networks, the level of
oversight and control that they exercise is no different from applications run by an entity in
an on-site data centre.
The ACCA highlights that the CSP does not have access to customer data nor does it have
visibility over the content of customer data. The CSP also does not have any control over
the security controls that the customer has chosen to apply to that content. Any proposal
to extend the visibility of CSPs to customer data handling would breach security and
privacy best practices, and invalidate multiple security certifications.
b. This stipulation for an undertaking is also not contained in the Outsourcing Guidelines, which
have provisions to ensure that CSPs maintain confidentiality.
c. Recommendation: We recommend amending Section 16.6, as shown below:
“In addition to the requirements in paragraph 16.5(b), where the outsourced party will have
access to documents or information relating to the affairs or account of any customer of the
acquirer, the acquirer shall ensure that the outsourced party has appropriate controls to
safeguard the security, confidentiality and integrity of any information shared with the
Outsourced Party. The acquirer shall also ensure that the service provider is bound by
adequate confidentiality provisions stipulated under the outsourcing agreement.”
4. Comments on Section 16.8
a. As the extent to which service providers may use subcontractors and the roles of
subcontractors can vary greatly, the requirement for acquirers to implement controls for
subcontractors to comply with all relevant regulatory requirements may be interpreted as
overly prescriptive and may not be feasible for hyperscale CSPs.
b. However, adequate controls should be put in place for subcontractors that correspond to
the subcontractor’s role in the delivery of services to the acquirer. As Section 9.6 of the
Outsourcing Guidelines recognize, the key issue with subcontracting is to ensure that service
providers do not diminish the ultimate responsibility of the primary service provider.
c. Recommendation: We recommend that Section 16.8 be amended as shown below:
“The requirement in paragraph 16.7 is also applicable when an outsourced party engages a
subcontractor to undertake the activities that were outsourced by the acquirer, whereby the
acquirer shall implement proper controls to ensure the accountability of the primary
outsourced party over the performance and conduct of the subcontractor in relation to the
outsourcing arrangement. that the subcontractor complies with the relevant requirements
based on standards issued by the Bank to acquirers from time to time.”