The Pension Fund Regulatory and Development Authority (PFRDA) in India has recently taken a significant step in the realm of digital transformation within the financial services sector. On November 23, 2023, PFRDA issued a circular focusing on the adoption of cloud services by intermediaries registered with the Authority. This move marks a pivotal shift towards integrating modern cloud technology into the operations of financial intermediaries, reflecting the growing trend of digitalization in financial services globally.
Overview of the PFRDA Circular
- Objective: The circular aims to provide a comprehensive policy framework and set regulatory guidelines to ensure secure and compliant use of cloud services by PFRDA-registered intermediaries. This includes Central Recordkeeping Agencies and pension funds. The framework emphasizes the need to address cybersecurity risks and challenges while leveraging the advantages offered by cloud technology.
- Background: Prior to this, PFRDA had issued guidelines for outsourcing the day-to-day activities of the Central Record-keeping Agencies (CRAs) and pension funds in 2016 and 2017. However, these guidelines did not specifically address IT and IT-enabled services (ITeS), which have increasingly incorporated cloud computing to enhance business models and customer service.
- Policy Requirements: The intermediaries are required to ensure that cloud service providers maintain the same standards as the intermediaries would if the activities were not outsourced. The policy also stipulates that the entire lifecycle of data, from creation to deletion, must be managed in accordance with legal requirements and business needs, while also considering cloud-service-specific factors like multi-tenancy and multi-location data storage and processing.
- Risk Management: The intermediaries are advised to establish a comprehensive risk management framework that addresses the unique challenges posed by cloud services.
- Role of Intermediary Boards: The decision to adopt cloud services lies with the intermediary boards, which are responsible for evaluating the need, implications, risks, and benefits of such services. The boards are also tasked with ensuring compliance with relevant laws, regulations, and guidelines.
- Reporting and Compliance: In case of a security breach or leakage of confidential information, intermediaries must immediately notify PFRDA. The compliance officer of the intermediary is responsible for reporting such incidents to CERT-In (Indian Computer Emergency Response Team) and PFRDA, following the format prescribed in the PFRDA circular dated June 30, 2021.
Significance and Impact
- Enhanced Efficiency: The adoption of cloud services is expected to enhance the efficiency and scalability of operations for intermediaries, providing benefits like reduced overhead costs and ease of deployment.
- Cybersecurity Focus: Given the increasing cyber threats in the digital domain, this policy underscores the importance of robust cybersecurity measures and regulatory compliance.
- Data Management and Compliance: The policy ensures that intermediaries effectively manage data throughout its lifecycle, aligning with privacy, security, data sovereignty, and recoverability requirements.
- Asset Growth: The assets under management of the National Pension System and Atal Pension Yojana have been growing steadily, indicating the expanding scope of these services. As of October 28, the assets under management reached ₹10.23 lakh crore, growing at a rate of 25% year-on-year.
This policy framework is a crucial step in aligning India’s pension fund intermediaries with global best practices in IT management and cybersecurity, ensuring that the adoption of cloud services enhances, rather than impedes, their ability to serve their subscribers and comply with regulatory requirements.