
Page 1: HONG KONG GUIDANCE ON COMPLYING WITH ...download.microsoft.com/download/A/1/E/A1E9226A-E822-4FAD...Page 1 of 41 HONG KONG GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE

Page 1 of 41

HONG KONG

GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE TO

BANKS USING DYNAMICS 365

Last updated: 1 August 2017

1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?

This guidance document provides a guide to complying with the regulatory process and requirements applicable to banks in Hong Kong ("FSI") using Dynamics 365 [1]. Note that insurance companies are subject to separate regulation in Hong Kong. Microsoft has prepared a guidance document for insurance companies which is available on request.

Sections 2 to 6 of this guidance set out information about the regulatory process and the regulations that apply.

Section 7 sets out questions in relation to outsourcing to a cloud services solution, based on the laws, regulations and guidance that are relevant to the use of cloud services. Although there is no legal or regulatory requirement to complete a checklist like this one, we have received feedback from FSIs that a checklist approach like this is very helpful. The checklist can be used:

(i) as a checklist for ensuring regulatory compliance with the requirements set out in the laws, regulations and guidelines (listed in Section 2); and

(ii) as a tool to aid discussions with the regulator(s) (listed in Section 3), should they wish to discuss your organization's overall approach to compliance with their requirements.

[1] Note that this document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment on the part of Microsoft or its affiliates. Instead, it is intended to streamline the regulatory process for you. You should seek independent legal advice on your technology outsourcing project and your legal and regulatory obligations. If you have any questions, please do not hesitate to get in touch with your Microsoft contact.


Appendix One also contains a list of the mandatory contractual requirements required by relevant regulation.

2. WHAT LAWS, REGULATIONS AND GUIDANCE ARE RELEVANT?

There are two key regulatory documents that the HKMA has developed and publicly distributed in this area:

• HKMA's Guidelines on Outsourcing ("Guidelines on Outsourcing") at http://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/SA-2.pdf; and

• HKMA's General Principles for Technology Risk Management ("Technology Risk Principles") at http://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/TM-G-1.pdf.

(collectively, the "Publicly Available Documents")

There are also guidelines and documents issued by the HKMA to, and accessible only by, the FSIs in this area. Due to the nature of these materials, they are not covered by this guidance document.

3. WHO IS/ARE THE RELEVANT REGULATOR(S)?

The Hong Kong Monetary Authority (“HKMA”)

4. IS REGULATORY APPROVAL REQUIRED IN HONG KONG?

No.

Under the Publicly Available Documents, the HKMA does not require FSIs to obtain prior approval before engaging service providers to provide cloud services.

5. IS/ARE THERE (A) SPECIFIC FORM OR QUESTIONNAIRE(S) TO BE COMPLETED?

No. Under the Publicly Available Documents, there are no specific forms or questionnaires that an FSI must complete when considering cloud computing solutions.

6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?

Yes.

These are not set out by the HKMA in a comprehensive list, but the Guidelines on Outsourcing and the Technology Risk Principles do contain certain provisions which the HKMA states should be set out in the FSI's agreement with its service provider. Appendix One contains a comprehensive list and details of where in the Microsoft contractual documents these points are covered.

7. CHECKLIST

Key:

In blue text, Microsoft has included template responses that demonstrate how your proposed use of Microsoft's services would address the point raised in the checklist. The suggested responses may provide sufficient detail, but if you require further information, Microsoft will be happy to provide it if you get in touch with your Microsoft contact. Some points are specific to your own internal operations and processes, and you will need to complete these answers yourself.

In red italics, Microsoft has provided guidance to assist you with the points in the checklist.

Ref. Question/requirement Template response and guidance

A. OVERVIEW

1. Who is the proposed Service Provider?

The Service Provider is Microsoft Operations Pte Ltd, the regional licensing entity for Microsoft Corporation, a global provider of information technology devices and services, which is publicly listed in the USA (NASDAQ: MSFT). Microsoft's full company profile is available here: https://www.microsoft.com/en-us/news/inside_ms.aspx.

2. How would cloud computing be implemented in your organization?

Through adoption of the Microsoft Dynamics 365 product, a remotely hosted customer relationship management (CRM) solution managed by Microsoft, which is described in more detail here: https://www.microsoft.com/en-us/dynamics365/home. Details of our proposed activities and operations are listed in our response to Q3 below.

3. List all proposed activities and operations to be outsourced to the Service Provider.

Service(s) to be outsourced                    Critical (Y/N)
1. Customer Relationship Management Solution   Y

Microsoft Dynamics 365 is a remotely hosted customer relationship management (CRM) solution managed by Microsoft and offering the following capabilities:

• Marketing—flexible segmentation tools, simplified campaign management, intuitive response tracking, and insightful analytics.

• Sales—full lead-to-cash visibility, lead and opportunity tracking, streamlined approvals, and real-time sales forecasts.

• Field Service—simplified case management, streamlined escalations, improved knowledge sharing, and more effective account management.

• Project

• Operations

• Dynamics Business Platform—a flexible framework that helps organizations to extend and build custom business applications and industry solutions, known as the Business Application Platform.

Microsoft Dynamics CRM Online delivers flexibility and business fit, combined with familiar user experiences through deep stack alignment with the Microsoft Office productivity suite, namely Microsoft Outlook, Microsoft Excel, and Microsoft Word. It also works well with other Microsoft technologies such as Microsoft SQL Server® database software, Microsoft Communications Server, Microsoft BizTalk® Server, Microsoft Exchange Server, and Microsoft SharePoint® Server.

4. What data will be processed by the service provider on behalf of the FSI?

When you choose a Microsoft Dynamics 365 solution, the types of data affected are within your control, so the template response will need to be tailored to the data you have decided is relevant to the solution.

We ensure that all data (but in particular any customer data) is treated with the highest level of security in accordance with good industry practice, to ensure that we and our service provider comply with our legal and regulatory obligations and our commitments to customers. We only collect and process data that is necessary for our business operations, in compliance with all applicable laws and regulations, and this applies whether we process the data on our own systems or via a cloud solution such as Microsoft Dynamics 365. Typically, the types of data that would be processed and stored by the Dynamics 365 service may include:

• Customer data (including customer name, contact details, account information, payment card data, security credentials and correspondence).

• Employee data (including employee name, contact details, internal and external correspondence by email and other means, and personal information relating to their employment with the organization).

• Transaction data (data relating to transactions in which the organization is involved).

• Indices (for example, market feeds).

• Other personal and non-personal data relating to the organization's business operations as an FSI.

B. ACCOUNTABILITY

5. In any outsourcing arrangement, the Board of Directors and management of FSIs should retain ultimate accountability for the outsourced activity.

Paragraph 2.1.1, Guidelines on Outsourcing (Accountability).

We would also suggest including a list setting out the positions of the key people involved in the selection and any decision-making and approval processes used.

Management in our organization has been involved throughout to ensure that the project aligns with our organization's overall business and strategic objectives. At the center of our objectives are of course legal and regulatory compliance and customer satisfaction, and these were the key objectives that management had in mind when it considered this project. We are satisfied that this solution will ensure legal and regulatory compliance because of the key features (including the security and regulator's audit rights) forming part of the Dynamics 365 service. We are also satisfied that customer satisfaction will be maintained because we believe that Dynamics 365 will have some major benefits for our IT operations and, accordingly, improve the overall service that we are able to provide to customers.

6. Outsourcing can allow management to transfer their day-to-day managerial responsibility, but not accountability, for an activity or a function to a service provider. FSIs should therefore continue to retain ultimate control of the outsourced activity.

Paragraph 2.1.1, Guidelines on Outsourcing (Accountability).

The handing over of certain day-to-day responsibility to an outsourcing provider does present some challenges in relation to control. Essential to us is that, despite the outsourcing, we retain control over our own business operations, including control of who can access data and how they can use it. At a contractual level, we have dealt with this via our contract with Microsoft, which provides us with legal mechanisms to manage the relationship, including appropriate allocation of responsibilities, oversight and remedies. At a practical level, we have selected the Dynamics 365 product since it provides us with control over data location, authentication and advanced encryption controls. We (not Microsoft) will continue to own and retain all rights to our data, and our data will not be used for any purpose other than to provide us with the Dynamics 365 services.

C. RISK ASSESSMENT

7. The Board of Directors and management of FSIs should ensure that the proposed outsourcing arrangement has been subject to a comprehensive risk assessment (in respect of operational, legal and reputation risks) and that all the risks identified have been adequately addressed before launch.

Paragraph 2.2.1, Guidelines on Outsourcing (Risk Assessment).

Clearly the HKMA expects that your organization would have carried out a risk assessment. In summary, this would need to include:

• risk identification;

• analysis and quantification of the potential impact and consequences of these risks;

• risk mitigation and control strategy; and

• ongoing risk monitoring and reporting.

Ideally this should also include all of the items listed in the next section (8). If you have any questions when putting together a risk assessment, please do not hesitate to get in touch with your Microsoft contact.

Yes, led by our management we have carried out a thorough risk assessment of the move to Dynamics 365. This risk assessment included:

• [ ];

• [ ]; and

• [ ].

[A copy of the risk assessment can be provided to the HKMA upon request.]

8. Specifically, the risk assessment should cover inter alia the following:

a. the importance and criticality of the services to be outsourced;

Paragraph 2.2.1, Guidelines on Outsourcing (Risk Assessment). You will need to take a view on the criticality of the applications concerned. The sample response below assumes a critical workload. If the workload is not critical, appropriate adjustments should be made.

Yes.

The risk assessment covered this.

We acknowledge that the services to be outsourced are critical to our "business-as-usual" activities and that disruption would have a material impact on our organization.

We have managed this risk through:

• our choice of service provider, which was itself the result of a formal selection process that amongst other things covered its [competence and track record, financial services credentials, hiring and screening processes, financial and parent company strength, inputs from its customers and its approach to continuity planning];

• the controls we have in place to manage our relationship with the service provider (for example, our contractual agreement, service levels and the rights of audit and inspection that we have in place); and

• our own internal controls should an issue arise (for example, our disaster recovery planning process).

b. reasons for the outsourcing (e.g. cost and benefit analysis); and

Paragraph 2.2.1, Guidelines on Outsourcing (Risk Assessment).

Yes.

The risk assessment covered this.

Specifically, we have chosen to use Microsoft Dynamics 365 for these services because we believe that it will deliver benefits in terms of operating costs, service standard and security, and these requirements were central to our selection process.

c. the impact on the FSI's risk profile (in respect of operational, legal and reputation risks) of the outsourcing.

Paragraph 2.2.1, Guidelines on Outsourcing (Risk Assessment).

Yes, the risk assessment covered this.

• Operational risk: We managed this through our choice of service provider (see, for example, question 13), the controls we have in place to manage our relationship with the service provider (for example, our contractual agreement, service levels, access to a Microsoft technical account manager and the regulator rights of audit and inspection that we have in place) and our own internal controls (for example, our business continuity and disaster recovery plans).

• Legal risk: We have in place with Microsoft a legally binding agreement regarding our respective roles and responsibilities in respect of the outsourcing. We chose Microsoft for this project because we believe it can help us to comply with our legal obligations; for example, the fact that Microsoft permits data audits by regulators was a key advantage over other cloud solutions that we considered.

• Reputational risk: We chose Microsoft because of its reputation in this sector. It is an industry leader in cloud computing. Dynamics 365 is operated under an information security management system certified to ISO/IEC 27001, the international standard that covers physical, logical, process and management controls.

9. After FSIs implement an outsourcing plan, they should regularly re-perform this assessment.

Paragraph 2.2.2, Guidelines on Outsourcing (Risk Assessment). The Guidelines do not specify exactly how often this needs to be done, but the HKMA may wish to know how often you plan to re-perform the assessment (annually, and/or whenever any material change occurs, would be a reasonable suggestion).

D. ABILITY OF THE SERVICE PROVIDER

10. Before selecting a service provider, FSIs should perform appropriate due diligence.

Paragraph 2.3, Guidelines on Outsourcing (Ability of Service Providers). See question 13 below for detail regarding the specific issues that the HKMA considers should be taken into account.

We have undertaken thorough due diligence of Microsoft's processes and procedures in relation to Dynamics 365.

Microsoft's certifications require it to undergo regular independent third-party audits, and Microsoft shares the independent third-party audit reports with us. Microsoft also agrees, as part of its compliance program, to the customer's right to monitor and supervise. We are confident that these arrangements provide us with the appropriate level of up-front and ongoing assessment of Microsoft's ability to meet our policy, procedural, security control and regulatory requirements.

11. In the case of outsourcing of critical technology services (e.g. data center operations), FSIs are expected to commission a detailed assessment of the technology service provider's IT control environment. The assessment should ideally be conducted by a party independent of the service provider. The independent assessment report should set out clearly the objectives, scope and results of the assessment and should be provided to the HKMA for reference.

Paragraph 7.1.1, Technology Risk Principles (Management of Technology Outsourcing), which sets out some additional controls that FSIs should take into account.

We have not had cause to commission a separate independent assessment, since numerous independent assessments of Microsoft's IT control environment have already been carried out and Microsoft shares the resulting third-party audit reports with us (see question 10). [Copies of the reports we relied on can be provided to the HKMA for reference.]

By way of example, Microsoft is certified to ISO/IEC 27001, an internationally recognized security benchmark.

12. FSIs should conduct an annual assessment to confirm the adequacy of the IT control environment of the provider of critical technology services.

Paragraph 7.1.1, Technology Risk Principles (Management of Technology Outsourcing).

The HKMA expects that you repeat your assessment of the adequacy of the Dynamics 365 solution at least once a year. If you require any input from Microsoft, please do not hesitate to get in touch with your Microsoft contact.

13. In assessing a provider, apart from the cost factor and quality of services, FSIs should take into account the provider's (a) financial soundness, (b) reputation, (c) managerial skills, (d) technical capabilities, (e) operational capability and capacity, (f) compatibility with the FSI's corporate culture and future development strategies, (g) familiarity with the banking industry and (h) capacity to keep pace with innovation in the market.

Paragraph 2.3.1, Guidelines on Outsourcing (Ability of Service Providers), which lists these specific considerations.

(a) Financial soundness: Microsoft Corporation is publicly listed in the United States and is amongst the world's largest companies by market capitalization. Microsoft's audited financial statements indicate its strong financial position. Accordingly, we have no concerns regarding its financial strength.

(b) Reputation: Microsoft is an industry leader in cloud computing. Dynamics 365 is operated under an information security management system certified to ISO/IEC 27001, the international standard that covers physical, logical, process and management controls. Dynamics 365 is used by many of the world's top brands. Some case studies are available on the Microsoft website at https://customers.microsoft.com/en-us.

(c) Managerial skills: The fact that Microsoft already manages these services for financial institutions in leading markets around the world, and that it has achieved ISO/IEC 27001 certification (which, amongst other things, assesses management controls), gives us confidence that it has the necessary managerial skills.

(d) Technical capabilities: Microsoft's ISO/IEC 27001 certification, together with the independent third-party audit reports it shares with us, gives us confidence that it has the technical capability required for the service.

(e) Operational capability and capacity: Microsoft has demonstrated its operational capability through its reputation (see above) and its ISO certifications, and we have no concerns as to its operational capacity as it is one of the largest providers of cloud computing services in the world.

(f) Compatibility with the FSI's corporate culture and future development strategies: We are confident that the use of Dynamics 365 will align well with our corporate culture, and the fact that the service is scalable (i.e. it can be expanded or reduced to meet our demand) means that it is compatible with our future development strategy.

(g) Familiarity with the banking industry: Financial institution customers in leading markets, including the UK, France, Germany, Australia, Singapore, Canada, the United States and many other countries, have performed their due diligence and, working with their regulators, are satisfied that many Microsoft cloud-based solutions can meet their respective regulatory requirements. This gives us confidence that the service provider is able to help meet the high burden of financial services regulation and is experienced in meeting and understanding these requirements.

(h) Capacity to keep pace with innovation in the market: Microsoft has the financial, operational and managerial capacity to lead innovation in the cloud computing market and has demonstrated this to date.

14. Technology service providers should have sufficient resources and expertise to comply with the substance of the FSI's IT control policies.

Paragraph 7.1.1, Technology Risk Principles (Management of Technology Outsourcing).

Yes. We are confident that Microsoft has sufficient resources and expertise to comply with the substance of our requirements. In particular, we considered the following:

a. Competence and experience. Microsoft is an industry leader in cloud computing. Dynamics 365 is operated under an information security management system certified to ISO/IEC 27001, the international standard that covers physical, logical, process and management controls.

b. Past track record. Dynamics 365 is used by many of the top brands around the world. We consulted various case studies relating to Dynamics 365, which are available on the Microsoft website at https://customers.microsoft.com/en-us, and also considered the fact that Microsoft has amongst its customers some of the world's largest organizations and financial institutions.

c. Specific financial services credentials. Financial institution customers in leading markets, including the UK, France, Germany, Australia, Singapore, Canada, the United States and many other countries, have performed their due diligence and, working with their regulators, are satisfied that many Microsoft cloud-based solutions can meet their respective regulatory requirements. This gives us confidence that Microsoft is able to help meet the high burden of financial services regulation and is experienced in meeting these requirements.

d. Microsoft's staff hiring and screening process. All personnel with access to customer data are subject to background screening, security training and access approvals. In addition, access levels are reviewed on a periodic basis to ensure that only users who have an appropriate business justification have access to the systems. User access to data is also limited by user role; for example, system administrators are not provided with database administrative access.

e. Financial strength of Microsoft. Microsoft Corporation is publicly listed in the United States and is amongst the world's largest companies by market capitalization. Microsoft's audited financial statements indicate its strong financial position. Accordingly, we have no concerns regarding its financial strength.

f. Business resumption and contingency plan. Microsoft offers contractually guaranteed 99.5% to 99.9% uptime (depending on the specific solution involved), hosted out of world-class data centers with physical redundancy at disk, NIC, power supply and server levels, constant content replication, robust backup, restoration and failover capabilities, and real-time issue detection and automated response such that workloads can be moved off any failing infrastructure components with no perceptible impact on the service, with 24/7 on-call engineering teams.

g. Security and internal controls, audit, reporting and monitoring. Microsoft is an industry leader in cloud security and implements policies and controls on a par with or better than the on-premises data centers of even the most sophisticated organizations. We have confidence in the security of the solution and the systems and controls offered by Microsoft. In addition to the ISO/IEC 27001 certification, Dynamics 365 is designed for security with encryption features. Customer data in Dynamics 365 exists in two states, namely at rest on storage media and in transit from a data center over a network to a customer device. All email content is encrypted on disk using BitLocker AES encryption. Protection covers all disks on mailbox servers and includes mailbox database files, mailbox transaction log files, search content index files, transport database files, transport transaction log files, and page file, OS system disk and tracing/message tracking logs. Dynamics 365 also transports and stores S/MIME messages, and will transport and store messages that are encrypted using client-side, third-party encryption solutions such as PGP. Microsoft Dynamics 365 uses standard Microsoft SQL Server cell-level encryption for a set of default entity attributes that contain sensitive information, such as user names and email passwords. This feature can help meet compliance requirements associated with FIPS 140-2. Field-level data encryption is especially important in scenarios that use the Microsoft Dynamics CRM Email Router, which must store user names and passwords to enable integration between a Dynamics 365 instance and an email service such as Microsoft Exchange. Field-level data encryption is also supported for specific system entity attributes. For more information about field-level data encryption, see: https://msdn.microsoft.com/en-us/library/dn481562.aspx.

The BitLocker, S/MIME and PGP statements above describe the encryption of email (mailbox and transport) content; confirm with your Microsoft contact which of these apply to your Dynamics 365 deployment before relying on them. The template also identifies data in transit as one of the two states of customer data but lists no control against it, so add the transport protection that applies to your deployment before submitting this response.
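The following T-SQL is an illustration added here, not Microsoft's code and not the Dynamics 365 schema. It shows the SQL Server cell-level encryption mechanism the response above refers to, applied to the kind of email-integration credential it mentions, with the clear-text storage it replaces shown alongside. The table, column, key and certificate names, the passphrase and the credential values are all hypothetical.

```sql
-- Added illustration (hypothetical schema, constructed sample values); this is
-- not Dynamics 365's own schema or code. It shows SQL Server cell-level
-- encryption of a stored integration credential.

-- Weak setting: the integration password is stored in clear text, so any
-- principal with SELECT on the table, or anyone holding a backup copy,
-- reads it directly.
CREATE TABLE dbo.EmailRouterCredential_Plain (
    CredentialId int           NOT NULL PRIMARY KEY,
    UserName     nvarchar(256) NOT NULL,
    Password     nvarchar(256) NOT NULL   -- clear text: the weakness
);

-- Hardened setting: the column holds ciphertext produced by a symmetric key
-- that is itself protected by a certificate and the database master key
-- (the standard SQL Server key hierarchy).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'Replace-With-A-Strong-Passphrase!1';
CREATE CERTIFICATE CredentialCert WITH SUBJECT = 'Email router credential protection';
CREATE SYMMETRIC KEY CredentialKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CredentialCert;

CREATE TABLE dbo.EmailRouterCredential (
    CredentialId int            NOT NULL PRIMARY KEY,
    UserName     nvarchar(256)  NOT NULL,
    PasswordEnc  varbinary(512) NOT NULL   -- ciphertext only
);

-- Writing a credential requires opening the key. The authenticator (a hash of
-- the row id) binds each ciphertext to its row, so a ciphertext copied from
-- one row into another no longer decrypts.
OPEN SYMMETRIC KEY CredentialKey DECRYPTION BY CERTIFICATE CredentialCert;
INSERT INTO dbo.EmailRouterCredential (CredentialId, UserName, PasswordEnc)
VALUES (1, N'svc-emailrouter@bank.example',
        ENCRYPTBYKEY(KEY_GUID('CredentialKey'), N'constructed-sample-secret',
                     1, HASHBYTES('SHA2_256', CONVERT(varbinary, 1))));
CLOSE SYMMETRIC KEY CredentialKey;

-- A principal with SELECT only sees ciphertext in PasswordEnc.
SELECT CredentialId, UserName, PasswordEnc
FROM dbo.EmailRouterCredential;

-- Recovering the value requires permission to open the key via the
-- certificate; DECRYPTBYKEY returns NULL if the authenticator does not match.
OPEN SYMMETRIC KEY CredentialKey DECRYPTION BY CERTIFICATE CredentialCert;
SELECT CredentialId, UserName,
       CONVERT(nvarchar(256),
               DECRYPTBYKEY(PasswordEnc, 1,
                            HASHBYTES('SHA2_256', CONVERT(varbinary, CredentialId)))) AS PasswordPlain
FROM dbo.EmailRouterCredential;
CLOSE SYMMETRIC KEY CredentialKey;
```

Run this in a throwaway database; the passphrase and credential are placeholders. The point for the checklist is the separation it creates: SELECT on the table yields only ciphertext, and reading the secret additionally requires the right to open the symmetric key through the certificate, which is the distinction between reading a table and reading a stored password that the response above relies on.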

15. FSIs should try to avoid placing excessive reliance on a single outside service provider in providing critical technology services.

Paragraph 7.1.1, Technology Risk Principles (Management of Technology Outsourcing). You may also want to provide details of any other suppliers you use or intend to use.

To ensure control, transparency and consistency, it is necessary for the applications and services forming part of Dynamics 365 to be provided by one provider (i.e. Microsoft). Because of the due diligence and risk management processes we have implemented, we are of the view that use of Dynamics 365 would not represent an excessive reliance on one service provider. The terms of our contract with Microsoft do not limit our right to move to another provider (or to revert to a local, non-cloud-based offering) should we choose to do so.

E. OUTSOURCING AGREEMENT

Note: See also Appendix One of this guidance document for a comprehensive list of the contractual terms that HKMA mandates should be included in the outsourcing agreement and how these are addressed by the Microsoft contractual documents.

16. The type and level of services to be provided and the contractual liabilities and obligations of the service provider should be clearly set out in a service agreement between FSIs and their service provider.

Paragraph 2.4.1, Guidelines on Outsourcing (Outsourcing Agreement).

Yes.

Microsoft’s Service Level Agreement (“SLA”) and its Business and Services Agreement (“MBSA”) apply to the Dynamics 365 service. Amongst other things, they provide details of the contractual liabilities and obligations of Microsoft, one of which is a contractual 99.5% to 99.9% uptime guarantee (depending on the specific solution involved) for the Dynamics 365 product.

Please find a copy of the SLA at: https://www.microsoft.com/en-us/Licensing/product-licensing/products.aspx

MBSA is available upon request.

17. FSIs should regularly (e.g. annually) review their outsourcing agreements. They should assess whether the agreements should be renegotiated and renewed to bring them in line with current market standards and to cope with changes in their business strategies.

Paragraph 2.4.2, Guidelines on Outsourcing (Outsourcing Agreement).

The HKMA seems to expect that you review your arrangements at least once per year. If you require any input from Microsoft, please do not hesitate to get in touch with your Microsoft contact.

18. The outsourcing agreement should specify clearly, among other things, the performance standards and other obligations of the technology service provider, and the issue of software and hardware ownership.

Paragraph 7.1.1, Technology Risk Principles (Management of Technology Outsourcing).

Yes.

Microsoft’s SLA and the MBSA specify clearly the performance standards of Microsoft (for example, a 99.5% to 99.9% uptime depending on the specific solution involved) and other obligations of Microsoft (for example, its obligations to provide access in the event of an audit/inspection). They also cover clearly the issue of software and hardware ownership (the software and hardware are both owned by Microsoft, but use of the software and hardware is licensed to us as users of the Dynamics 365 service).

19. As technology service providers may further sub-contract their services to other parties, FSIs should consider including a notification or an approval requirement for significant sub-contracting of services and a provision that the original technology service provider is still responsible for its sub-contracted services.

Paragraph 7.1.1, Technology Risk Principles (Management of Technology Outsourcing).

Microsoft is permitted to hire subcontractors under the Online Services Terms (“OST”). Microsoft maintains a list of authorized subcontractors for Dynamics 365 that have access to our data and provides us with a mechanism to obtain notice of any updates to that list. The actual list can be accessed via https://www.microsoft.com/en-us/trustcenter/Privacy/Who-can-access-your-data-and-on-what-terms#subcontractors. Contractually, if we do not approve of the addition to the list of a subcontractor that will be given access to our data, we are entitled to terminate our subscription to the Dynamics 365 services.

Microsoft commits that any subcontractors to whom Microsoft transfers our data will have entered into written agreements with Microsoft that are no less protective than the data processing terms in the OST, and that Microsoft remains contractually responsible (and therefore liable) for its subcontractors’ compliance with Microsoft’s obligations in the OST. In addition, Microsoft’s commitment to ISO 27001 and ISO 27018 requires Microsoft to ensure that its subcontractors are subject to the same security controls as Microsoft is subject to.

F. CUSTOMER DATA CONFIDENTIALITY

20. FSIs should ensure that the proposed outsourcing arrangement complies with relevant statutory requirements (e.g. the Personal Data (Privacy) Ordinance - PDPO) and common law customer confidentiality. This will generally involve seeking legal advice.

Paragraph 2.5.1, Guidelines on Outsourcing (Customer Data Confidentiality).

Microsoft recommends that you do seek legal advice on the use of cloud computing services in relation to statutory/regulatory/common law requirements.

We are confident that the proposed use of Dynamics 365 complies with relevant statutory requirements, including the PDPO and common law confidentiality requirements.

Microsoft as an outsourcing partner is an industry leader in cloud security and implements policies and controls on par with or better than the on-premises data centers of even the most sophisticated organizations.

In relation to the PDPO, Dynamics 365 includes the following features and commitments from Microsoft to ensure compliance with the requirements of the PDPO: (i) Microsoft will not use our data for purposes other than providing the services; (ii) Microsoft has security policies, controls and security measures which are verified by independent auditors. These measures include security features on its hardware, software and physical data centers, and restricted physical data center access; Dynamics 365 is ISO 27001 and ISO 27018 compliant, and data is encrypted both at rest and over the network as it is transmitted between the data center and a user; (iii) Microsoft will inform us promptly if our data has been accessed improperly; (iv) there are specific data retention and deletion commitments in the OST governing handling of our data at the end of the service term.


Microsoft commits to comply with ISO 27018. In February 2015, Microsoft became the first major cloud provider to adopt the world’s first international standard for cloud privacy, ISO 27018. The standard was developed by the International Organization for Standardization (ISO) to establish a uniform, international approach to protecting privacy for personal data stored in the cloud. The British Standards Institute (BSI) has independently verified that Microsoft is aligned with the standard’s code of practice for the protection of Personally Identifiable Information (PII) in the public cloud. The controls set out in ISO 27018 match the protections required by the PDPO. For more information on this, follow this link.

In choosing Microsoft, we also took into account the fact that Microsoft offers access and regulatory audit rights, thereby allowing us to comply with our regulatory obligations in this respect.

21. FSIs should have controls in place to ensure that the requirements of customer data confidentiality are observed and proper safeguards are established to protect the integrity and confidentiality of customer information. Typical safeguards include, among other things:

• undertakings by the service provider that the company and its staff will abide by confidentiality rules, including taking account of the data protection principles set out in PDPO;

• FSIs' contractual rights to take action against the service provider in the event of a breach of confidentiality;

• segregation or compartmentalization of FSIs' customer data from those of the service provider and its other clients; and

• access rights to FSIs' data delegated to authorized employees of the service provider on a need basis.

Paragraph 2.5.2, Guidelines on Outsourcing (Customer Data Confidentiality).

Microsoft recommends that you seek legal advice as to PDPO requirements.

As above, Microsoft as an outsourcing partner is an industry leader in cloud security and implements policies and controls on par with or better than the on-premises data centers of even the most sophisticated organizations. Dynamics 365 is built based on ISO 27001, a rigorous set of global standards covering physical, logical, process and management controls.

Regarding the specific safeguards referred to in the HKMA Supervisory Policy Manual:

• Undertakings by the service provider that the company and its staff will abide by confidentiality rules, including taking account of the data protection principles set out in PDPO: Yes. We have contractual confidentiality terms in our agreements with Microsoft.

• FSIs' contractual rights to take action against the service provider in the event of a breach of confidentiality: Yes. Under our contractual terms with Microsoft, we would expect to have a breach of contract claim in this situation.

• Segregation or compartmentalization of FSIs' customer data from those of the service provider and its other clients: Yes. Data storage and processing is segregated through Active Directory structure and capabilities specifically developed to help build, manage, and secure multi-tenant environments. Active Directory isolates customers using security boundaries (also known as silos). This safeguards a customer’s data so that the data cannot be accessed or compromised by other parties. Microsoft also provides us with our own database to maximize the security and integrity of our data, so that it cannot be accessed or compromised by co-tenants.

Select the following text if using Dynamics 365 dedicated version:

We have secured an offering that provides for a dedicated hosted offering, which means that our data is hosted on hardware dedicated to us.

• Access rights to FSIs' data delegated to authorized employees of the service provider on a need basis: Yes. Microsoft applies strict controls over which personnel roles and personnel will be granted access to customer data. Personnel access to the IT systems that store customer data is strictly controlled via role-based access control (“RBAC”) and lock box processes. Access control is an automated process that follows the separation of duties principle and the principle of granting least privilege. This process ensures that the engineer requesting access to these IT systems has met the eligibility requirements, such as a background screen, fingerprinting, required security training and access approvals. In addition, the access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems.

22. FSIs should notify their customers in general terms of the possibility that their data may be outsourced. They should also give specific notice to customers of significant outsourcing initiatives, particularly where the outsourcing is to an overseas jurisdiction.

Paragraph 2.5.3, Guidelines on Outsourcing (Customer Data Confidentiality).

Where you have existing outsourcing arrangements in place you would already have such notifications in place. If so, contracting for Dynamics 365 should not require additional notifications. Microsoft recommends that you seek legal advice on your privacy policies and consent mechanisms to ensure that they do comply with applicable law. If you require any information from Microsoft please do get in touch with your Microsoft contact.

23. In the event of a termination of outsourcing agreement, for whatever reason, FSIs should ensure that all customer data is either retrieved from the service provider or destroyed.

Paragraph 2.5.4, Guidelines on Outsourcing (Customer Data Confidentiality).

Yes.

Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that cannot be wiped, it uses a physical destruction process (e.g. shredding) that renders the recovery of information impossible (e.g., disintegrate, shred, pulverize, or incinerate). The appropriate means of disposal is determined by the asset type. Records of the destruction are retained. All Microsoft Online Services utilize approved media storage and disposal management services. Paper documents are destroyed by approved means at the pre-determined end of their life cycle. Secure disposal or re-use of equipment and disposal of media is covered under ISO 27001, against which Microsoft is certified.

G. CONTROL OVER OUTSOURCED ACTIVITIES


24. FSIs should have controls in place (e.g. comparison with target service level) to monitor the performance of service providers on a continuous basis.

FSIs should ensure that they have effective procedures for monitoring the performance of, and managing the relationship with, the service provider and the risks associated with the outsourced activity.

Such monitoring should cover, inter alia:

• contract performance;

• material problems encountered by the service provider; and

• regular review of the service provider’s financial condition and risk profile and the service provider’s contingency plan, the results of testing thereof and the scope for improving it.

See paragraph 2.3.2, Guidelines on Outsourcing (Ability of Service Providers) and paragraphs 2.6.1 and 2.6.2 (Control over Outsourced Activities) for the detailed areas that the monitoring should cover. You may also in this context wish to refer to any internal monitoring procedures you are putting in place.

Yes. Microsoft’s SLA applies to the Dynamics 365 product. Our IT administrators also have access to the Dynamics 365 Service Health Dashboard, which provides real-time and continuous monitoring of the Dynamics 365 service. The Service Health Dashboard provides our IT administrators with information about the current availability of each service or tool (and the history of its availability status), details about service disruptions or outages, and scheduled maintenance times. The information is also provided via an RSS feed.

Amongst other things, the SLA provides a contractual 99.5% to 99.9% (depending on the specific solution involved) uptime guarantee for the Dynamics 365 product and covers performance monitoring and reporting requirements which enable us to monitor Microsoft’s performance on a continuous basis against service levels.

Please find a copy of the SLA at: https://www.microsoft.com/en-us/Licensing/product-licensing/products.aspx

25. Responsibility for monitoring the service provider and the outsourced activity should be assigned to staff with appropriate expertise.

Paragraph 2.6.3 (Control over Outsourced Activities), Guidelines on Outsourcing.

If requested by HKMA, Microsoft would suggest that you provide details of the relevant personnel and a brief summary of their experience.

26. FSIs should establish reporting procedures which can promptly escalate problems relating to the outsourced activity to the attention of the management of the FSI and their service providers.

Paragraph 2.6.4 (Control over Outsourced Activities), Guidelines on Outsourcing.

Service Provider Escalation

As part of the support we receive from Microsoft we have access to a technical account manager who is responsible for understanding our challenges and providing expertise, accelerated support and strategic advice tailored to our organization. This includes both continuous hands-on assistance and immediate escalation of urgent issues to speed resolution and keep mission-critical systems functioning. We are confident that such arrangements provide us with the appropriate mechanisms for managing performance and problems.

Internal escalation

[ ] You will need to describe your process for how any issues will be escalated internally.

27. The control procedures over the outsourcing arrangement should be subject to regular reviews by the Internal Audit.

Paragraph 2.6.5 (Control over Outsourced Activities), Guidelines on Outsourcing.

The HKMA expects that your internal audit function would regularly review the outsourcing arrangement, so you will need to confirm this.

H. CONTINGENCY PLANNING

28. FSIs should develop a contingency plan for critical outsourced technology services to protect them from unavailability of services due to unexpected problems of the technology service provider. This may include an exit management plan and identification of additional or alternate technology service providers for such support and services.

Paragraph 7.1.1 (Management of Technology Outsourcing), Technology Risk Principles.

The HKMA clearly expects you to have a contingency plan in place, covering disaster recovery/business continuity. This would usually include:

• performing a business impact analysis of a disaster situation;

• considering the internal mechanisms to deal with such a situation; and

• considering Dynamics 365’s own disaster recovery and business continuity safeguards.

The following outlines Dynamics 365’s own disaster recovery and business continuity safeguards:

Redundancy

• Physical redundancy at server, data center, and service levels.

• Data redundancy with robust failover capabilities.

• Functional redundancy with offline functionality.

• As an additional safeguard, Microsoft performs daily back-ups to a secure, offsite location.

Resiliency

• Active load balancing.

• Automated failover with human backup.

• Recovery testing across failure domains.

Distributed Services

• Distributed component services limit the scope and impact of any failures in a component.

• Directory data replicated across component services insulates one service from another in any failure events.

• Simplified operations and deployment.

Monitoring

• Internal monitoring built to drive automatic recovery.

• Outside-in monitoring raises alerts about incidents.

• Extensive diagnostics provide logging, auditing, and granular tracing.

Simplification

• Standardized hardware reduces issue isolation complexities.

• Fully automated deployment models.

• Standard built-in management mechanism.

Human backup

• Automated recovery actions with 24/7 on-call support.

• Team with diverse skills on the call provides rapid response and resolution.

• Continuous improvement by learning from the on-call teams.

Continuous learning

• If an incident occurs, Microsoft does a thorough post-incident review every time.

• Microsoft’s post-incident review consists of analysis of what happened, Microsoft’s response, and Microsoft’s plan to prevent it in the future.

• In the event the organization was affected by a service incident, Microsoft shares the post-incident review with the organization.

29. Contingency plans should be maintained and regularly tested by FSIs and their service providers to ensure business continuity, e.g. in the event of a breakdown in the systems of the service provider or telecommunication problems with the host country.

Paragraph 2.7.1 (Contingency Planning), Guidelines on Outsourcing.

Microsoft carries out disaster recovery testing at least once per year. Please see also question 28 above for a summary of the disaster recovery/business continuity safeguards provided as part of the Dynamics 365 service.

30. Contingency arrangements in respect of daily operational and systems problems would normally be covered in the service provider’s own contingency plan. FSIs should ensure that they have an adequate understanding of their service provider’s contingency plan and consider the implications for their own contingency planning in the event that an outsourced service is interrupted due to failure of the service provider’s system.

Paragraph 2.7.2 (Contingency Planning), Guidelines on Outsourcing.

The HKMA requirements indicate the importance of you understanding the disaster recovery/business continuity safeguards forming part of Dynamics 365. As such, if you have any questions about these, please do not hesitate to get in touch with your Microsoft contact.

Please see question 28 above for a summary of the disaster recovery / business continuity safeguards provided as part of the Dynamics 365 service.

31. In establishing a viable contingency plan, FSIs should consider, among other things, the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency, and the costs, time and resources that would be involved.

Paragraph 2.7.3 (Contingency Planning), Guidelines on Outsourcing.

The HKMA clearly expects you to have a plan in place if you did decide to stop using the Dynamics 365 service.

To ensure control, transparency and consistency, it is necessary for the applications and services forming part of Dynamics 365 to be provided by one provider (i.e. Microsoft). Because of the due diligence and risk management processes we have implemented, we are of the view that use of Dynamics 365 would not represent an excessive reliance on one service provider. The terms of our contract with Microsoft do not limit our right to move to another provider (or to revert to a local, non-cloud based offering) should we choose to do so.

I. ACCESS TO OUTSOURCED DATA

32. FSIs should ensure that appropriate up-to-date records are maintained in their premises and kept available for inspection by the HKMA in accordance with §§55 and 56 of the Banking Ordinance and that data retrieved from the service providers are accurate and available in Hong Kong on a timely basis.

Access to data by the HKMA’s examiners and the FSI’s internal and external auditors should not be impeded by the outsourcing. FSIs should ensure that the outsourcing agreement with the service provider contains a clause which allows for supervisory inspection or review of the operations and controls of the service provider as they relate to the outsourced activity.

Paragraphs 2.8.1 and 2.8.2 (Access to Outsourced Data), Guidelines on Outsourcing.

The terms of our contract with Microsoft provide that if a regulator requests, Microsoft will provide the regulator a direct right to examine the relevant service, including the ability to conduct an on-premise examination; to meet with Microsoft personnel and Microsoft’s external auditors; and to access related information, records, reports and documents. As the customer, we will at all times have access to our data using the standard features of Dynamics 365, and may delegate access to our data to representatives of the HKMA.

J. ADDITIONAL CONCERNS IN RELATION TO OVERSEAS OUTSOURCING

33. Implications of the overseas outsourcing for FSIs' risk profile - FSIs should understand the risks arising from overseas outsourcing, taking into account relevant aspects of an overseas country (e.g. legal system, regulatory regime, sophistication of technology, infrastructure).

Paragraph 2.9.1 (Additional Concerns in Relation to Overseas Outsourcing), Guidelines on Outsourcing.

The answer to this question will depend on the region you are in. You may discuss this with your Microsoft contact. Microsoft enables customers to select the region from which the service is provisioned.

Dynamics 365 is hosted out of […..]. This/These location(s) has/have been vetted for geopolitical/socioeconomic risks as set out in this checklist requirement. As part of our usual processes, we constantly monitor the countries in which we operate.

a. Political (e.g. cross-border conflict, political unrest etc). Dynamics 365 offers data-location transparency so that the organizations and regulators are informed of the jurisdiction(s) in which data is hosted. We are confident that Microsoft’s data center locations offer stable political environments.

b. Country/socioeconomic. Dynamics 365 offers data-location transparency so that the organizations and regulators are informed of the jurisdiction(s) in which data is hosted. The centers are strategically located around the world taking into account country and socioeconomic factors. We are confident that Microsoft’s data center locations offer stable socioeconomic environments.

c. Infrastructure/security/terrorism. Microsoft’s data centers are built to exacting standards, designed to protect customer data from harm and unauthorized access. Data center access is restricted 24 hours per day by job function so that only essential personnel have access. Physical access control uses multiple authentication and security processes, including badges and smart cards, biometric scanners, on-premises security officers, continuous video surveillance and two-factor authentication. The data centers are monitored using motion sensors, video surveillance and security breach alarms.

d. Environmental (e.g. earthquakes, typhoons, floods). Environmental controls have been implemented to protect the data centers, including temperature control, heating, ventilation and air-conditioning, fire detection and suppression systems and power management systems, 24-hour monitored physical hardware and seismically-braced racks. Microsoft data centers are built in seismically safe zones. These requirements are covered by Microsoft’s ISO 27001 accreditation for Dynamics 365.

34. Right of access to customers’ data by overseas authorities such as the police and tax authorities. FSIs should generally obtain a legal opinion from an international or other reputable legal firm in the relevant jurisdiction on this matter. This will enable them to be informed of the extent and the authorities to which they are legally bound to provide information. Right of access by such parties may be unavoidable due to compulsion of law. FSIs should therefore conduct a risk assessment to evaluate the extent and possibility of such access taking place. FSIs should notify the HKMA if overseas authorities seek access to their customers’ data. If such access seems unwarranted the HKMA reserves the right to require the FSI to take steps to make alternative arrangements for the outsourced activity.

Paragraph 2.9.2 (Additional Concerns in Relation to Overseas Outsourcing), Guidelines on Outsourcing.

The answer to this question will partly depend on the region you are in. You may discuss this with your Microsoft contact. Microsoft enables customers to select the region from which the service is provisioned, and adopts strict processes in dealing with disclosure requests by third parties and authorities. Microsoft recommends that you obtain a legal opinion from an international or other reputable legal firm in the country where your data will be hosted on this matter.

Microsoft is transparent in relation to the location of our data. Dynamics 365 is hosted out of […..]. This/These location(s) has/have been thoroughly vetted and the circumstances in which the authorities may have rights to access customer information are not considered unwarranted. Microsoft data center locations are made public on the Microsoft Trust Center at https://www.microsoft.com/en-us/trustcenter.

Microsoft also provides contractual commitments on how data disclosure requests from authorities will be handled. Microsoft will not disclose our data to law enforcement unless required by law. If law enforcement contacts Microsoft with a demand for our data, Microsoft will attempt to redirect the law enforcement agency to request that data directly from us. If compelled to disclose our data to law enforcement, Microsoft will promptly notify us and provide a copy of the demand unless legally prohibited from doing so. Over the past years, Microsoft has taken multiple court actions to challenge different law enforcement data disclosure requests and has, through these actions, established a track record and demonstrated how it complies with its contractual commitment in this regard.

35. Notification to customers - FSIs should generally notify their customers of the country in which the service provider is located (and of any subsequent changes) and the right of access, if any, available to the overseas authorities.

Paragraph 2.9.1 (Additional Concerns in Relation to Overseas Outsourcing), Guidelines on Outsourcing.

Microsoft recommends that you confirm in this section that you have informed customers where services will be provided from (according to the specification of your final solution with Microsoft). Microsoft also recommends that you confirm in this section that you have informed customers of the right of access available to overseas authorities (for example in Singapore, for the purpose of the Dynamics 365 service, depending on the specification of your final solution with Microsoft).

36. Right of access to customers’ data for examination by the HKMA after outsourcing - FSIs should not outsource to a jurisdiction which is inadequately regulated or which has secrecy laws that may hamper access to data by the HKMA or FSIs' external auditors. They should ensure that the HKMA has right of access to data. Such right of access should be confirmed in writing by both FSIs and their home or host authorities, as the case may be.

Paragraph 2.9.1 (Additional Concerns in Relation to Overseas Outsourcing), Guidelines on Outsourcing.

Dynamics 365 is hosted out of […..]. This/These location(s) has/have been thoroughly vetted and, as far as we are aware, there are no secrecy laws which would hamper access to data in the appropriate circumstances.

There are provisions in the contract that enable the HKMA to carry out inspection or examination of Microsoft’s facilities, systems, processes and data relating to the services. This is set out in the FSA.

Microsoft also offers a Compliance Framework Program. If you take up the Compliance Framework Program, you may add this additional information about its key features: the regulator audit/inspection right, access to Microsoft’s security policy, the right to participate in events to discuss Microsoft’s compliance program, and the right to receive audit reports and updates on significant events, including security incidents, risk-threat evaluations and significant changes to the business resumption and contingency plans.

37. §33 of the PDPO in respect of transfer of personal data outside Hong Kong – although §33 has not yet come into operation, FSIs are advised to take account of the provisions therein and the potential impact on their plans in respect of overseas outsourcing.

Paragraph 2.9.1 (Additional Concerns in Relation to Overseas Outsourcing), Guidelines on Outsourcing.

Section 33 of the PDPO, once in force, will prohibit organizations from transferring personal data outside of Hong Kong except in certain circumstances, e.g. if the organization has taken all reasonable precautions and exercised due diligence to ensure that the personal data will not be handled in a manner in contravention of the PDPO requirements (commonly referred to as the “Due Diligence Exception”). Putting in place an enforceable contract between all parties to the transfer is a way to satisfy the Due Diligence Exception, and the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) has proposed a set of recommended model clauses to include in such a contract. Microsoft's OST in principle covers the core areas of the recommended model clauses and should therefore satisfy the Due Diligence Exception.

38. Governing law of the outsourcing agreement – the agreement should preferably be governed by Hong Kong law.

Paragraph 2.9.1 (Additional Concerns in Relation to Overseas Outsourcing), Guidelines on Outsourcing.

The MBSA deals with which country’s laws apply if there is a legal dispute.

The governing law is that of the State of Washington, U.S.; however, the parties have the ability to bring proceedings in the following locations:

• If Microsoft brings the action, the jurisdiction will be where our contracting entity is located;

• If we bring the action, the jurisdiction will be the State of Washington; and

• Both parties can seek injunctive relief with respect to a violation of intellectual property rights or confidentiality obligations in any appropriate jurisdiction.

39. In case of a locally incorporated FSI, a principal concern is the ability of the HKMA to exercise its legal powers under the Banking Ordinance effectively if there is limited cooperation by the service provider. Accordingly, where a local FSI is planning to outsource, for example, a major part of its data processing function to outside Hong Kong, the HKMA will expect the FSI to have a robust back-up system and contingency plan in an acceptable jurisdiction. The back-up system should be properly documented and regularly tested. It may be appropriate for an independent opinion on its effectiveness to be sought.

Paragraph 2.9.2 (Additional Concerns in Relation to Overseas Outsourcing), Guidelines on Outsourcing.

The HKMA should have no concerns about limited cooperation by Microsoft as service provider. Microsoft understands the role that the HKMA needs to play as regulator. There are provisions in the contract that enable the HKMA to carry out inspection or examination of Microsoft’s facilities, systems, processes and data relating to the services.

Microsoft has a back-up system and contingency plan in place – please see the responses to questions 28 and 29 above.

Microsoft carries out disaster recovery testing at least once per year.

An independent opinion on the effectiveness of Microsoft’s controls already exists by virtue of the fact that Dynamics 365 holds ISO 27001 certification, an international information security management standard whose controls cover physical, logical, process and management domains. Note that the certification attests to the audited management system as a whole; to evidence the documentation and testing of the back-up arrangements specifically, FSIs should also obtain the audit reports and event updates available under the Compliance Framework Program (see the response to question 36).


APPENDIX ONE

MANDATORY CONTRACTUAL REQUIREMENTS

This table sets out the specific items that must be covered in the FSI’s agreement with the Service Provider.

Key:

Where relevant, a cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.

In blue text, Microsoft has provided you with a reference to where in the agreement the contractual requirement is covered for ease of reference.

Terms used below are as follows:

OST = Online Services Terms

EA = Enterprise Agreement

Enrolment = Enterprise Enrolment

FSA = Financial Services Amendment

MBSA = Microsoft Business and Services Agreement

PT = Product Terms

SLA = Online Services Service Level Agreement


Ref. Requirement Microsoft agreement reference

1. The service agreement between FSIs and their service provider should clearly set out:

• The type and level of services to be provided; and

• The contractual liabilities and obligations of the service provider.

Paragraph 2.4.1, Guidelines on Outsourcing

The contract pack comprehensively sets out the scope of the arrangement and the respective commitments of the parties.

The services are broadly described, along with the applicable usage rights, in the PT and OST. The services are described in more detail in the OST, which includes a list of service functionality in the Data Processing Terms section and the core features of the Dynamics 365 Services in the Online Service Specific Terms section. The MBSA addresses liability and rights of action.

2. FSIs should have in place undertakings by the service provider that the company and its staff will abide by confidentiality rules, including taking into account the data protection principles set out in the PDPO.

Paragraph 2.5.2, Guidelines on Outsourcing

The MBSA deals with confidentiality. Microsoft commits not to disclose our confidential information (which includes our data) to third parties and to only use our confidential information for the purposes of Microsoft’s business relationship with us.

The OST states, in the General Terms section, that Microsoft will comply with all laws and regulations applicable to its provision of Dynamics 365 services, including security breach notification law. Microsoft is not responsible for compliance with any laws or regulations applicable to us, or to the financial services industry, that are not generally applicable to information technology service providers.


Microsoft also makes specific commitments with respect to our data in the OST. In summary, Microsoft commits that:

1. Ownership of our data remains at all times with us.

2. Our data will only be used to provide the online services to us. Our data will not be used for any other purposes, including for advertising or other commercial purposes.

3. We retain the ability to access and extract our data at all material times. Except for free trials, Microsoft will retain our data for 90 days after expiration or termination of service and will delete our data after that retention period; in the case of Dynamics 365 services, such deletion will take place no later than 180 days after expiration or termination of service.

4. Microsoft will not disclose our data to law enforcement unless it is legally obliged to do so, and only after not being able to redirect the request to us.

5. Microsoft will implement and maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect our data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction.

6. Microsoft will notify us if it becomes aware of any security incident, and will take reasonable steps to mitigate the effects and minimize the damage resulting from the security incident.


3. FSIs should have contractual rights to take action against the service provider in the event of a breach of confidentiality.

Paragraph 2.5.2, Guidelines on Outsourcing

Yes.

The MBSA deals with confidentiality. Microsoft commits not to disclose our confidential information (which includes our data) to third parties and to only use our confidential information for the purposes of Microsoft’s business relationship with us. If there is a breach of confidentiality by Microsoft, we are able to bring a claim for breach of contract against Microsoft.

4. FSIs should ensure that the outsourcing agreement with the service provider contains a clause which allows for supervisory inspection or review of the operations and controls of the service provider as they relate to the outsourced activity.

Paragraph 2.8.2, Guidelines on Outsourcing

Yes.

The OST specifies the audit mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. This commitment is reiterated in the FSA.

In addition, the FSA details the examination and influence rights that are granted to us and the HKMA. The FSA sets out a process which can culminate in the HKMA’s examination of Microsoft’s premises, and gives us the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates our ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.

5. The outsourcing agreement should preferably be governed by Hong Kong law.

Paragraph 2.9.1, Guidelines on Outsourcing

The MBSA deals with which country’s laws apply if there is a legal dispute.

The governing law is that of the State of Washington, U.S.; however, the parties have the ability to bring proceedings in the following locations:

• If Microsoft brings the action, the jurisdiction will be where our contracting entity is located;

• If we bring the action, the jurisdiction will be the State of Washington; and

• Both parties can seek injunctive relief with respect to a violation of intellectual property rights or confidentiality obligations in any appropriate jurisdiction.

6. The outsourcing agreement should specify clearly, among other things, the performance standards and other obligations of the technology service provider and the issue of software and hardware ownership.

Paragraph 7.1.1, Technology Risk Principles

Yes.

The SLA contains Microsoft’s service level commitment, as well as the remedies for the customer in the event that Microsoft does not meet the commitment.

The software and hardware are owned by Microsoft but licensed for use by us as a service, as is standard in any cloud services solution.


7. FSIs should consider including a notification or an approval requirement for significant sub-contracting of services and a provision that the original technology service provider is still responsible for its sub-contracted services.

Paragraph 7.1.1, Technology Risk Principles

Yes.

The OST specifies that Microsoft is permitted to hire subcontractors. In the context of Dynamics 365 services, the OST provides that Microsoft may hire subcontractors to provide certain limited or ancillary services on its behalf.

Under the terms of the OST, Microsoft maintains a list of authorized subcontractors for the online services that have access to our data and provides us with a mechanism to obtain notice of any updates to that list. The actual list is published on the applicable Microsoft Trust Center, and it sets out the identity of such subcontractors, their respective location and the function(s) that they perform. If we do not approve of a subcontractor that is added to the list, then we are entitled to terminate the affected online services.

The confidentiality of our data is protected when Microsoft uses subcontractors because Microsoft commits that its subcontractors will be permitted to obtain our data only to deliver the services Microsoft has retained them to provide and will be prohibited from using our data for any other purpose.

Microsoft also commits that any subcontractors to whom Microsoft transfers our data will have entered into written agreements with Microsoft that are no less protective than the data processing terms in the OST.

Under the terms of the OST, Microsoft remains contractually responsible (and therefore liable) for its subcontractors’ compliance with Microsoft’s obligations in the OST. In addition, Microsoft’s commitment to ISO 27018 requires Microsoft to ensure that its subcontractors are subject to the same security controls as Microsoft is subject to. Finally, the EU Model Clauses, which are included in the OST, require Microsoft to ensure that its subcontractors outside of Europe comply with the same requirements as Microsoft, and set out in detail how Microsoft must achieve this.