Governing development finance organisations: measuring development impact

Governance is important for both private and public sector organisations. For development finance organisations (such as IFC, CDC, Africa Development Bank and Asia Development Bank) which are publicly funded and invest in developing countries it is critical. A key part of governance is measuring the development impact that they have through setting goals and measuring the impact of their investments.

The objectives of development finance organisations are often framed at a very broad level of abstraction:

“[IFC’s] goals are to end extreme poverty by 2030 and boost shared prosperity in every developing country.”

“CDC’s mission is to support the building of businesses throughout Africa and South Asia, to create jobs and make a lasting difference to people’s lives in some of the world’s poorest places.”

One of the governance challenges faced by these organisations is understanding how their day to day activities, and in particular their investments, contribute towards the achievement of these objectives. This is in part governed by the setting of goals and measurement of the impact of each investment.

By way of example, the IFC governs its development impact by:

  1. setting goals (IFC Development Goals);
  2. using its Development Outcome Tracking System (DOTS) to measure the development results of investment (and advisory) services, as shown below:










  3. the evaluation of outcomes and impact.

By contrast, CDC (focused on the growth of businesses and the creation of jobs) appears to place more emphasis on assessing its ability to make development impact at the time of making each investment decision:

“We remain interested in achieving and measuring positive impact across a broader dimension, but the job creation focus ensures we direct capital thoughtfully and prioritise our limited resources behind a mission that inspires us. We believe job creation is essential in both Africa and South Asia where two thirds of those of working age are today without formal jobs and where demographic growth will greatly exacerbate this challenge over the next decade. At an individual level, employment has a transformative effect on the life of an individual and his/her family and dependents.

We have therefore created an ex ante tool that turns theory into practice and ensures we invest our capital towards our objective of creating jobs, especially in the more challenging places. This new methodology, designed with the help of our shareholder and academics and economists, is embedded in our investment processes and we use it to assess every investment opportunity at Investment Committee for its potential to create the impact that we are seeking.”

Whilst in reality the approaches adopted by the various organisations are not so different, it would appear that the three-stage governance process adopted by the IFC across the life-cycle of investments provides greater opportunity for scrutiny, reflection and learning at all stages of the investment process than that adopted by CDC.








Hong Kong privacy regulator recognises ISO/IEC 27018

This guest post is written by @matthew1hunter and @aisling1odwyer.

Regular readers of this blog will know we have been tracking the impact of ISO/IEC 27018:2014 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018). We see this as the go-to standard for customers of public cloud computing services. In a significant move, the Hong Kong Privacy Commissioner for Personal Data (Privacy Commissioner) has recently recognised the value of ISO/IEC 27018 in its revised Cloud Computing Information Leaflet (Information Leaflet).

The Information Leaflet is a helpful piece of guidance which sets out the practical steps cloud customers should take to ensure they comply with the Hong Kong privacy laws when using cloud computing services.  In the leaflet the Privacy Commissioner recognises ISO/IEC 27018 as “a comprehensive reference that has met the need to assist the selection of cloud providers by data users”.

Recap on ISO/IEC 27018

We previously covered the publication of ISO/IEC 27018, and also discussed how ISO/IEC 27018 would be a useful tool for customers looking to ensure compliance with privacy laws in Singapore and other countries.

We predicted regulators would begin to recognise and refer to ISO/IEC 27018 in setting privacy standards for customers of cloud computing services. Hong Kong provides the most recent example of this.  We also predicted the adoption of ISO/IEC 27018 by market-leading cloud service providers (CSPs).

Why Hong Kong and its Privacy Commissioner matter

Hong Kong was one of the early adopters of privacy laws in Asia, and has an established and well-respected privacy regime. Its Personal Data (Privacy) Ordinance (PDPO) has been in force since December 1996 and the independent Privacy Commissioner has played an active role in promoting and maintaining high privacy standards since then.

It is very significant that the Privacy Commissioner in Hong Kong has recognised the benefits of ISO/IEC 27018 in its Information Leaflet. This endorsement sets the stage for wider recognition of ISO/IEC 27018 as the go-to international standard for protecting personal information in the cloud.

When regulators accept ISO/IEC 27018 as the global gold standard for CSPs, this makes the lives of customers, CSPs and regulators easier. It is easier for customers and CSPs to ensure compliance with one international standard that facilitates compliance with most national-level privacy laws, rather than starting with each of the national-level privacy laws.

Does ISO/IEC 27018 help customers in Hong Kong?

Hong Kong’s privacy laws, set out in the PDPO, place obligations on organisations in relation to the collection, processing, use and deletion of data. Organisations that wish to use cloud computing services need to assess how they can implement such services and continue to comply with the PDPO, and in particular, its six data protection principles.

The revised Information Leaflet alerts customers to their obligations under the PDPO and highlights three overarching points cloud customers should have in mind when choosing a CSP. These points are:

  1. Rapid transborder data flow: CSPs may have data centres in multiple jurisdictions and customers need to know their data will have the same level of protection wherever it is stored.
  2. Loose outsourcing arrangements: Customers need to know that any CSP sub-contractors are subject to the same standards as their CSP, and that there are legally enforceable contracts in place between the CSP and its sub-contractors.
  3. Standard services and contracts: Customers need to carefully evaluate whether their specific security and personal data privacy protection needs are met by any standard contract offered.

It is helpful then to note that the controls introduced by ISO/IEC 27018 help customers to address these points.  Taking each in turn:

  1. CSPs are required to disclose and document where personal data will be processed and the controls in ISO/IEC 27018 are applicable no matter where the personal data is located;
  2. ISO/IEC 27018 requires CSPs to be transparent about their use of sub-contractors and enter into written agreements with any sub-contractors, preventing weak, informal outsourcing arrangements; and
  3. ISO/IEC 27018 imposes strict security standards that CSPs must adhere to, which are applicable even where the CSP and the customer are contracting on standard terms.

In summary: Hong Kong’s privacy laws impose a range of obligations on customers, some of which apply to the customer’s use of cloud computing services. ISO/IEC 27018 is a helpful tool for customers to rely on to meet those obligations. If a customer’s CSP commits to comply with ISO/IEC 27018, this should reassure the customer that the CSP’s solution will help the customer to comply with the relevant obligations under Hong Kong’s privacy laws.


The recognition of ISO/IEC 27018 by the Hong Kong regulator shows that the standard is a robust tool, capable of addressing important questions customers will have to consider when choosing a CSP.

Hong Kong now joins privacy regulators in Australia, Belgium, Canada, Germany and Slovenia (among others) who have all recognised the benefit ISO/IEC 27018 offers as a global standard for CSPs.  We anticipate that more CSPs will commit to ISO/IEC 27018 and also that more customers will look for CSPs that commit to the standard (e.g. by adding a requirement in their RFPs for CSPs to be compliant with ISO/IEC 27018).


Global IT tariffs eliminated? WTO wakes up?

Used under a creative commons licence granted by Alejandro Linares Garcia


“Mr. Praline: Look, matey, I know a dead parrot when I see one, and I’m looking at one right now.

Owner: No no he’s not dead, he’s, he’s restin’! Remarkable bird, the Norwegian Blue, idn’it, ay? Beautiful plumage!”

– Monty Python

Based on a press release from the World Trade Organisation, and tweets from its Director-General Roberto Azevedo, it would appear that the WTO is about to defy persistent reports of its death and come back to life with its first agreement on tariff elimination in eighteen years.

Covering a wide range of technology and IT products including new generation semi-conductors, GPS navigation equipment and medical equipment, including magnetic resonance imaging products and ultra-sonic scanning apparatus, the proposed agreement will lead to the elimination of import tariffs in a uniform and non-discriminatory manner, in line with the ‘most-favoured nation’ principle (no WTO member is treated worse than the most-favoured nation). The WTO estimates that the value of trade covered by the prospective agreement amounts to USD 1 trillion.

In recent decades, the process required to reach agreement at the WTO has resulted in deadlock and an increased focus on regional trade negotiations such as TPP, in part because agreement in these is perceived as easier to reach by virtue of involving a smaller group of participants amongst whom a common goal can be agreed. Further, whilst students of David Ricardo still extol the virtues of free trade, in recent years the WTO has come under attack from both populist anti-globalisation movements and domestic political pressure against trade liberalisation in many countries.

Against this backdrop, why does it now seem likely that the WTO will reach an agreement including the world’s largest trading blocs (US, China and EU) as well as much of SE Asia? The simple answer to this question is that everyone has something to gain. The reason for this is the global spread of technology – almost every country has technology exporters of some sort (bearing in mind that many manufacturing facilities for MNCs are in low wage economies) and/or sees clear benefits in importing technology.

It is welcome to see that the global community still sees the benefit of global trade agreements – the next big question is whether this will lead to a wider reinvigoration of the WTO as a means of advancing trade negotiations, as opposed to regional negotiations like the TPP.







Good news from Korea for FSI cloud customers and CSPs

A guest post by @matthew1hunter and @danieljung88

This week the Korean financial services regulator announced regulatory changes that will make it easier for financial services institutions (FSIs) in Korea to use cloud computing services.  First, FSIs will now be allowed to engage cloud service providers (CSPs) whose data hosting infrastructure is located overseas.  Second, FSIs will no longer need approval from the regulator to use cloud computing services.  Third, FSIs will no longer need to sign the regulator’s standard form contract with CSPs, so the parties can agree their own contract. 

In this post, we look at what has changed, how the changes compare with regulations in other countries and why these changes are good news. You should also note that this is the second of two recent steps forward for cloud computing in Korea; in April this year we posted a report on Korea’s new (and the world’s first) cloud-specific law.

What has changed?

The Financial Services Commission (FSC) and the Financial Services Supervisor (FSS) announced in a joint press release (on 9 June 2015) revisions to the Regulation on Financial Institutions’ Outsourcing of Data Processing Business & IT Facilities (dated June 2013) (the Regulation). The FSC stated that with these changes it “intends to reduce financial institutions’ burden relating with outsourcing of data processing”.

There are four changes:

  1. FSIs will be allowed to offshore data processing to a professional IT company whose infrastructure is located outside of Korea.
  2. FSIs will no longer be required to obtain the approval from the FSC in order to outsource IT facilities.
  3. FSIs will be allowed to outsource their data processing without notifying all the information to the FSS prior to outsourcing data processing. Instead they can report the outsourcing after the event to the FSS. FSIs will only be required to notify an outsourcing in advance to the FSS if customers’ financial transaction information will be outsourced.
  4. FSIs will no longer be required to sign the standard form contract when contracting with CSPs, as long as the contract includes the regulatory requirements (e.g. obligations to permit the regulator to supervise and inspect the CSP).

How do the Korean regulations compare now to those in other countries?

These changes bring the Korean regime more into line with the regimes in many other countries in the Asia-Pacific region, including Singapore, New Zealand, Australia, Hong Kong and Japan.

For more information on the regulations that impact the use of cloud computing by FSIs in the Asia-Pacific region, see our report, published with the Asia Cloud Computing Association (the ACCA Report).

These changes also bring the Korean regime into line with the recommendations made in the ACCA Report.  The report sets out recommendations to regulators.  The aim of the recommendations is to make it easier for FSIs to use cloud computing services.  The ACCA Report states that regulators should: allow the use by FSIs of offshore CSPs; not require FSIs to obtain approval for the use of cloud computing services; and not be prescriptive about the content of contracts between FSIs and CSPs.  Korea now scores well against these recommendations and the report will be updated in the next version.

Why are these changes good news for FSIs and CSPs?

  • These changes will make it easier for FSIs in Korea to use cloud computing services.  FSIs around the world are benefiting from cloud computing services.  The services offer many benefits to FSIs, including security, agility, reliability, scalability and (not to forget) potential cost savings. Korean FSIs should and now will be able to benefit in the same way as FSIs in other countries.
  • These changes will help domestic FSIs in Korea to compete more evenly with international FSIs. Before now, international FSIs could transfer data to their other locations around the world for processing.  Domestic FSIs were unable to enjoy the benefits of offshore service providers.  Now all FSIs can transfer data offshore, to other branches (for international FSIs) and to IT service providers, including CSPs.
  • These changes should make it easier in the future for other cloud customers in Korea (not just FSIs) to use cloud computing services. The FSI sector is generally recognized as a heavy user of IT services and this activity is heavily regulated.  Potential cloud customers in other sectors may look towards the FSI sector for a lead.  The more the FSI sector opens up to the use of cloud, the more other sectors are likely to follow.
  • These changes may influence other regulators in the region to take similar approaches. Regulators talk, and they watch one another.  There has been plenty of discussion about increased rules on data sovereignty.   In these discussions it is helpful to be able to point to regulators, like the FSC in Korea, that allow international transfers of data.  The focus should not be on the location of the data, but always on whether or not the data is adequately protected.  The more markets that follow this lead, the better.
  • The changes will increase and improve competition in the Korean CSP market.  International CSPs will be able to compete to provide services to FSI cloud customers in Korea, where they were previously unable to.  CSPs who were reluctant to enter into the Korean market, may now be persuaded to do so.  We believe that increased competition is healthy for customers and between competitors.

We believe this is a good step forward for the cloud computing market in Korea.  We hope that more regulators will follow suit.  We will keep you posted on further developments.


3 new data privacy tools from Singapore’s data regulator

Singapore’s Personal Data Protection Commission (PDPC) has been busy. It has just published a number of new resources to help businesses comply with the Personal Data Protection Act. Here are the three we have identified as having the biggest practical application for companies in Singapore.

1. Sample clauses and guidance for marketing consents.

For companies collecting data for marketing purposes, these standard clauses will help. They cover a broad range of scenarios, including consent in the context of membership applications and lucky draws, and language for the withdrawal of consent. The PDPC has also published some guidance to support the sample clauses.

2. Guide to securing data “in electronic medium”.

For organisations which store data in an electronic format (so, pretty much everyone), these guidelines list certain specific IT security measures that can be implemented to enhance security, split into “good practice” and “enhanced practice”.

3. Guide to managing data breaches.

The PDPC has published a step-by-step guide to managing data breach situations, from development of a data breach management plan through to containing the breach, assessing the risk and impact, reporting the incident (including a requirement that the PDPC should be notified of breaches, particularly those involving sensitive data) and preventing future breaches.

Singapore’s business-friendly approach

Of course, none of the tools above represent an automatic route to compliance and the required approach will differ from one organisation to the next. Nonetheless, the growing pool of resources from the PDPC covers a broad range of practical measures that organisations should now be implementing. It also underlines the PDPC’s strategy of being a business-friendly data protection regulator, in line with Singapore’s mission of becoming the world’s first smart city and the data processing hub for South-East Asia.
