Published and draft legislation - Colombia

Instructions on the use of cloud-based computing services

External Circular 005, 11 March, 2019 SFC

Colombia's Financial Authority, the SFC, recently issued External Circular 005, which promotes the use of cloud-based computing for the provision of financial services and strengthens the operational risk management that using these services entails.

Compliance with new requirements

Under the conditions of this Circular, if financial institutions in Colombia want to use the cloud to store information pertaining to their business activities and accounting or financial management, they must meet the new requirements set by the regulator, among which we have highlighted the following:

  • Provide for the effective management of the risks arising from using these services as part of the institution's operational risk system
  • Establish criteria to select the suppliers who provide information storage services in the cloud
  • Verify that the jurisdictions in which the information is processed have data protection regulations that are comparable to those of Colombia
  • Establish back-up mechanisms for the information and keep the information encrypted
  • Suppliers providing cloud storage services must be ISO 27001 certified and comply with ISO 27017 and 27018
  • Reach agreements by which the supplier offers at least 99.95% availability