On July 28, 2022 the Paraguayan Central Bank Directory (“BCP”) approved by Resolution Nr. 10, Application Nr. 43 the regulation of use of cloud computing services (“RCN”). The RCN marks a before and after in Paraguayan Banking and opens the doors for Paraguayan Financial entities welcome cloud computing services.
Before the RCN it already existed a regulation from year 2004 which was definitely not conducive for financial institutions to resort to cloud computing services. The 2004 regulation only allowed (i) Financial entities with a matrix, branch or subsidiaries abroad (namely, Citibank, Banco do Brasil, Banco de la Nación Argentina, among others) outsource processes outside of the national territory only for these processes to be carried out in said parent company, branch or foreign subsidiary; and (ii) the other local financial entities to outsource processes, as long as they are carried out within Paraguay. Said regulation also demanded to fulfill a list of onerous requirements and obtain previous authorization from the BCP. Considering that by their very essence, cloud computing services are not physically located within a single country (rather, the cloud is precisely a worldwide network of servers), before the RCN, Paraguayan financial entities had their doors closed to the fan existing cloud computing offers outside Paraguayan territory; doors that have been opened today with the RCN.
The RCN limits itself to establishing the minimum guidelines and obligations that the entities supervised by the BCP must comply with in order to outsource their cloud computing service processes and activities. Unlike the previous regulation, which required the financial entity to obtain prior authorization from the Superintendency of Banks (“SIB”) before initiating a computerized decentralization, with the RCN the financial entity is only required to notify the SIB thirty (30) days before the start of the processing of information in the cloud, its intention to do so.
The RCN focuses on protecting the confidentiality of the data of financial institutions, combating cybersecurity attacks, maintaining privacy and ensuring the continuity of the business of financial institutions in adverse situations. Likewise, the RCN recognizes the different models of provision of cloud computing services (Software as a Service; Platform as a Service; Infrastructure as a Service) and differentiates between public, private, community, hybrid cloud and others. On the other hand, the RCN requires that the cloud service provider have high financial, technical and security certifications and observe good practices for the Protection of Personal Information (e.g. ISO27018). Finally, the RCN also obliges the cloud service provider to keep the information classified as confidential, in transit or stored with international standards, such as AES, RSA, 3DES or others, encrypted.
For a booming economy such as the Paraguayan, the entry in force of RCN will allow that the local financial entities ride the wave of the world innovation of financial services and will provide the to the Paraguayan financial consumer access to the latest financial solutions in the palm of their hands. Likewise, for the Banks and financial companies, the clouding computing services will allow the entities to optimize the operational efficiency and velocity, since the information will be captured, stored and interpreted in a centralized way, which will make the velocity and the processing costs substantially lower. The velocity and immediate availability will also reduce and speed up the launch of new products or services (time to market).
Likewise, sunk costs and the need to make large investments in technological infrastructure and human resources will be exponentially reduced, since financial entities will hire cloud service providers that will provide these services, taking advantage of their respective economies of scale.
Even so, and no matter how the RCN represents a big step forward towards the modernization of the Banking in Paraguay, still exist space for improvements. For instance, the BCP could update the Resolution SB. SG. N° 229/2001, specifically in relation to the preservation of backup files, in order to expressly allow that the security copies can be stored in the cloud. On the other hand, it could also capitalize on experience in Chile, where the local regulation does not require previous notification to the regulator to use the cloud computing services.
For more information, please contact to:
- Manuel Arias – manuel.arias@berke.com.py
- Álvaro Rojas – alvaro.rojas@berke.com.py
- Andres Nasser – andres.nasser@berke.com.py
- Gastón Segovia – gaston.segovia@berke.com.py