To all my readers, thank you and goodbye. This blog is now an ex-blog.
On 18 February 2016, Singapore’s Infocomm Development Agency (IDA) published its decision on the framework for the allocation of an additional 235 MHz of spectrum. This follows its earlier consultations. The key points are set out below:
Two stage process to encourage market entry by new entrant (4th MNO)
The IDA wants to encourage market entry by a fourth mobile network operator (MNO), so it has split the auction into two stages. First, a ‘new entrant’ spectrum auction for 60 MHz (comprising 2 x 10 MHz in the 700 MHz band, 2 x 10 MHz in the 900 MHz band and 20 MHz of the 2.3 GHz TDD band) from which the existing MNOs are excluded, followed by a second auction of the remainder of the spectrum to the incumbent MNOs and the new entrant (if any). The reserve price for the new entrant spectrum has been lowered from SGD 40 million to SGD 30 million. The process has been designed to limit market entry to only one additional MNO.
New entrant needs to pre-qualify
Any new entrant needs to pre-qualify for the auction. To pre-qualify a bidder must:
The last condition means that any consortia will need to be formed prior to qualification for bidding.
In addition, pre-qualification will also require bidders to demonstrate:
No other material regulatory assistance for new entrant
Apart from the spectrum allocation and price, there is no other regulatory assistance for the new entrant. The IDA has decided not to mandate wholesale roaming access for the new entrant, and is not proposing to relax any regulatory obligations.
Auction processes defined
The new entrant auction will be a simple ascending round auction, and the second auction a more complex ‘Clock Plus’ format.
The IDA will make an information package available to potential new entrants on 3 March. The IDA will issue further auction documents setting out more detail.
Governance is important for both private and public sector organisations. For development finance organisations (such as IFC, CDC, Africa Development Bank and Asia Development Bank) which are publicly funded and invest in developing countries it is critical. A key part of governance is measuring the development impact that they have through setting goals and measuring the impact of their investments.
The objectives of development finance organisations are often framed at a very broad level of abstraction:
“[IFC’s] goals are to end extreme poverty by 2030 and boost shared prosperity in every developing country.”
“CDC’s mission is to support the building of businesses throughout Africa and South Asia, to create jobs and make a lasting difference to people’s lives in some of the world’s poorest places.”
One of the governance challenges faced by these organisations is understanding how their day to day activities, and in particular their investments, contribute towards the achievement of these objectives. This is in part governed by the setting of goals and measurement of the impact of each investment.
By way of example, the IFC governs its development impact by:
By contrast, CDC (focused on the growth of businesses and the creation of jobs) appears to place more emphasis on assessing its ability to make a development impact at the time of making each investment decision:
“We remain interested in achieving and measuring positive impact across a broader dimension, but the job creation focus ensures we direct capital thoughtfully and prioritise our limited resources behind a mission that inspires us. We believe job creation is essential in both Africa and South Asia where two thirds of those of working age are today without formal jobs and where demographic growth will greatly exacerbate this challenge over the next decade. At an individual level, employment has a transformative effect on the life of an individual and his/her family and dependents.
We have therefore created an ex ante tool that turns theory into practice and ensures we invest our capital towards our objective of creating jobs, especially in the more challenging places. This new methodology, designed with the help of our shareholder and academics and economists, is embedded in our investment processes and we use it to assess every investment opportunity at Investment Committee for its potential to create the impact that we are seeking.”
Whilst in reality the approaches adopted by the various organisations are not so different, it would appear that the three-stage governance process adopted by the IFC across the life-cycle of investments provides greater opportunity for scrutiny, reflection and learning at all stages of the investment process than that adopted by CDC.
“Mr. Praline: Look, matey, I know a dead parrot when I see one, and I’m looking at one right now.
Owner: No no he’s not dead, he’s, he’s restin’! Remarkable bird, the Norwegian Blue, idn’it, ay? Beautiful plumage!”
– Monty Python
Based on a press release from the World Trade Organisation, and tweets from its Director-General Roberto Azevedo, it would appear that the WTO is about to defy persistent reports of its death and come back to life with its first agreement on tariff elimination in eighteen years.
Covering a wide range of technology and IT products including new generation semi-conductors, GPS navigation equipment and medical equipment (including magnetic resonance imaging products and ultra-sonic scanning apparatus), the proposed agreement will lead to the elimination of import tariffs in a uniform and non-discriminatory manner, in line with the ‘most-favoured nation’ principle (under which no WTO member is treated worse than any other). The WTO estimates that the value of trade covered by the prospective agreement amounts to USD 1 trillion.
In recent decades, the process required to reach agreement at the WTO has resulted in deadlock and an increased focus on regional trade negotiations such as the TPP, in part because these are perceived as being easier to conclude by virtue of involving a smaller group of participants amongst whom a common goal can be agreed. Further, whilst students of David Ricardo still extol the virtues of free trade, in recent years the WTO has come under attack both from populist anti-globalisation movements and from domestic political pressure against trade liberalisation in many countries.
Against this backdrop, why does it now seem likely that the WTO will reach an agreement including the world’s largest trading blocs (US, China and EU) as well as much of SE Asia? The simple answer to this question is that everyone has something to gain. The reason for this is the global spread of technology: almost every country has technology exporters of some sort (bearing in mind that many manufacturing facilities for MNCs are in low-wage economies) and/or sees clear benefits in importing technology.
It is welcome to see that the global community still sees the benefit of global trade agreements. The next big question is whether this will lead to a wider reinvigoration of the WTO as a means of advancing trade negotiations, as opposed to regional negotiations like the TPP.
Since its release in August 2014, ISO 27018 has become well established as the “go to” standard to help cloud customers comply with their privacy obligations when using public cloud services. Privacy regulators recognise and refer to the new standard. Cloud customers are using it in their RFP requirements and in their assessments of CSPs. And CSPs themselves can and should adopt and commit to the new standard.
A guest post by Matthew Hunter (@matthew1hunter) and Daniel Jung.
We reported last year about the publication of this new standard: “ISO/IEC 27018:2014 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” (“ISO 27018”).
In a subsequent post, we discussed how ISO 27018 helps cloud customers in Singapore to comply with Singapore’s Personal Data Protection Act (PDPA). We concluded that if a cloud customer engages a cloud services provider (CSP) that complies with ISO 27018 (e.g. adopts and contractually commits to ISO 27018), then the cloud customer can be confident that the CSP’s solution will help the cloud customer to comply with its key legal obligations under the PDPA relevant to its use of cloud services. We carried out the same research for other countries and the same conclusion applies: cloud customers who use CSPs that comply with ISO 27018 will be better able to comply with relevant privacy law obligations in Australia, Hong Kong, Japan, Korea, Malaysia, New Zealand and European countries, including France, Germany, Spain and the UK.
In this post we will look at the latest developments in the market in relation to ISO 27018 and at how ISO 27018 is becoming the “go to” standard to help cloud customers to comply with their privacy obligations. We will also provide pointers for cloud customers, CSPs and regulators on how to benefit from ISO 27018.
The latest ISO 27018 developments
Since August 2014, we have seen regulators around the world recognise and refer to ISO 27018 (and this should come as no surprise, as regulators often refer to ISO standards, e.g. ISO 27001).
These regulators and others are continuing to consider the use of ISO 27018. The Belgian authority is also working on an analysis of ISO 27018 to be included in a global recommendation to customers using cloud. The PDPC in Singapore is also considering the use of ISO 27018.
Customers in the public and the private sector are looking at including ISO 27018 in their RFP requirements and in their procurement contracts, in the same way they have done with other ISO standards. These are the kinds of discussions we have been having with, and recommendations we are making to, our clients.
Cloud customers have, in the past, been slow to adopt cloud services. In part, this has been because of regulatory concerns. But ISO 27018 has provided cloud customers with a convenient solution to address privacy regulations when using public cloud services. We have seen that cloud customers who use CSPs that comply with ISO 27018 will be better able to comply with relevant privacy law obligations in many jurisdictions.
Cloud services providers
CSPs can now adopt and commit to ISO 27018.
Earlier this year Microsoft, one of the leading CSPs in the market, became the first CSP to adopt and commit to ISO 27018. An independent audit confirmed its services incorporate all of the ISO 27018 controls and the ISO 27018 controls will become part of Microsoft’s contractual commitment to its customers. We expect to see other CSPs follow suit.
No standalone certification is available as yet for ISO 27018. However, compliance with ISO 27018 is demonstrated through an ISO 27001 certification that incorporates all of the controls from ISO 27018. By going through this kind of assessment process, CSPs (and ultimately their customers) can be certain of their ISO 27018 compliance. To remain compliant, CSPs must undergo yearly independent reviews. This is what the likes of Microsoft will do.
The more regulators recognise and refer to ISO 27018 and the more customers require compliance with ISO 27018, the more CSPs will need to adopt and commit to ISO 27018. Like other ISO standards before it, ISO 27018 will become the norm.
What next for ISO 27018?
Regulators are adopting ISO 27018, customers are requiring compliance with ISO 27018 and CSPs are committing to ISO 27018 compliance. ISO 27018 is already becoming the norm (just like other ISO standards).
We expect this to continue. The adoption of cloud services is increasing across all sectors: financial services, retail, energy, logistics, manufacturers, travel and all kinds of SMEs. In the public sector governments have pushed “public cloud first” style policies in the US, Europe, Australia and Singapore. It is in the interest of governments to allow cloud services to be adopted in the public and private sectors. The benefits of cloud services are clear. But at the same time the compliance challenge will not disappear. The regulation of data is on the rise (and rightly so). Data should be regulated; it is a valuable and sensitive asset. This is why ISO 27018 is proving helpful; customers can benefit from cloud services but at the same time ensure compliance with privacy regulations.
Myanmar is currently largely a cash economy. In this post we consider the types of mobile banking and payments solutions we predict will first gain traction in the Myanmar market: remittance services and banking the unbanked.
Outside Myanmar, the way people bank and pay has been revolutionised: from the introduction of credit cards, telephone banking and mobile banking to the launch of PayPal and Bitcoin. The global growth of e-commerce has been accompanied by an increasing demand for online and mobile payments systems.
It is possible to imagine places where the use of cash might disappear entirely in the future. Whilst the rest of the world has still not fully exploited the benefits of mobile banking and payments, Myanmar has yet to start.
Mobile banking and payment solutions
What do we mean by mobile banking and mobile payments?
Mobile banking means banking done from a mobile device. Banks provide a portal to access banking services across mobile platforms, including via their websites, tablet apps and smartphone apps. The introduction of mobile banking usually requires banks with legacy systems to re-engineer their delivery methods (i.e. to digitise service delivery).
Mobile payments means using a mobile device for the initiation, authorisation and realisation of a payment transaction. Mobile payments systems allow payments to be made from a mobile device via a proximity payment or via a mobile remote payment. Depending on the way the solution works, the parties involved can include customers, merchants, mobile payment service providers, telecoms companies and banks.
There has been rapid innovation and disruption globally, from traditional payment systems (e.g. Visa) and Internet payment systems (e.g. PayPal) to various mobile payment systems (e.g. M-Pesa, Apple Pay) and retailer-led systems (e.g. integration of customer behavioural data and store-cards). There’s no winning ‘secret formula’ across global markets. In some countries there are constraints on the potential approaches. In every market, partnerships and alliances have been and still are critical to success (between e.g. telecommunication companies, technology manufacturers, traditional banks, payment companies and retailers).
The market in Myanmar and where to start
Both the telecoms and banking sectors are very underdeveloped in Myanmar.
There is a low number of access points, low customer awareness, a lack of services and a lack of infrastructure and processes. However, these are focus sectors for investment by the Myanmese government and domestic investors, and by foreign investors.
It is tempting to imagine that Myanmar can leapfrog ahead and adopt sophisticated mobile banking and payments solutions for all because it is unencumbered by legacy IT systems and processes and can dive straight into the deep end. However, as Myanmar also lacks access points, awareness, services, infrastructure and processes, the starting point must still be basic.
One of the biggest current challenges is the lack of distribution networks for getting cash in/out. In our view, remittance services will be one of the first services to be developed.
There’s no point developing fancy mobile banking and payments solutions if people can’t get cash in/out. Providing the most basic banking services for a largely unbanked population will be the next major focus, followed by basic payment services.
It is common for Myanmese families to work and live apart, and as economic development and foreign investment drive urbanisation this will only increase. Domestic remittance services are needed to help families to send money to each other. There are also a large number of overseas Myanmese workers, and so international remittance services are needed too.
The challenge for this in Myanmar is that there is a bottleneck of cash in/out points. A secondary challenge is that it is difficult to authenticate parties. Telcos have the ability to address both of these challenges, because they offer outlets and a means to authenticate users. One solution therefore is for the banks and the telcos to partner and integrate a basic remittance offering.
Banking the unbanked
Most Myanmese citizens have no bank account today. Experience from Africa shows that a move from a cash system to a banking or quasi-banking system brings widespread benefits. Again, however, the banks have the enormous challenge of building distribution (i.e. branch access), whereas the telcos are already building distribution and reach. Bank and telco partnerships are therefore a likely formula for success, because the scale of the distribution network is critical.
Structuring and negotiating a successful mobile banking partnership
Banks have a clear role to play to build the banking services in Myanmar. However, they do not have the networks or the technology to succeed alone. Partnerships with telcos are most likely to offer success but what do the parties to such a partnership need to consider to make it work?
First, the parties must have a clearly defined idea of what the ‘end to end’ system will look like and which role each of the parties will play.
Second, the parties must consider the regulatory risks. Do one or both of the parties need a licence, and can they comply with the licence requirements?
The commercial aspects of the deal will also need to be agreed. Who is responsible for taking what actions and providing which services? Can each party fulfill their relevant obligations? What are the consequences if a party fails to meet its obligations? And what is the price or reward for each party?
Parties involved in these kinds of negotiations should never assume that the other parties know what they are doing. The mobile payments and mobile banking space can be very complex, and parties who are more familiar with the space will often use jargon. You should not be afraid to ask simple and basic questions, especially in a new market. Finally, don’t be wowed by complex solutions. It’s definitely better to walk before you can run, so we predict the winners will be those who keep it simple and do the basics first.
This post was co-written with @matthew1hunter.
A key challenge for organisations who want to use cloud services is to do so in a way that is compliant with the organisations’ obligations under data protection laws.
This guest post by Matt Hunter (@matthew1hunter) and Daniel Jung explains how ISO 27018 is relevant and why companies considering cloud solutions should look to cloud providers who meet this standard.
Around the world, companies are coming under increasing pressure to comply with data protection laws. Singapore is no different. In July 2014, Singapore’s Personal Data Protection Act (PDPA) came into force. Will the new international standard, ISO 27018, help customers in Singapore to overcome the data protection challenge when using cloud services? Our conclusion is yes. If a cloud customer engages a cloud service provider (CSP) that complies with ISO 27018, the cloud customer can be confident that the CSP’s cloud solution will help the cloud customer to comply with its key legal obligations under the PDPA relevant to the use of cloud services. Similarly, if a CSP complies with ISO 27018, the CSP can be confident that it can offer a cloud solution that will help its customers comply with their key legal obligations under the PDPA.
The PDPA places obligations on companies when it comes to the collection, use and disclosure of personal data. One of the consequences of the PDPA is that companies in Singapore who want to engage the services of a CSP must consider how the cloud solutions will comply with the relevant obligations under the PDPA. Similarly, CSPs who want to offer cloud solutions to customers in Singapore must consider how their cloud solutions will comply with the relevant obligations under the PDPA.
In August 2014 the International Organization for Standardization (ISO) published a new standard specifically applying to how CSPs protect and manage data on behalf of their customers: “ISO/IEC 27018 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” (widely known as ISO 27018). One of the main intentions of ISO 27018 is to help public CSPs to comply with applicable obligations when holding personal data for their cloud customers.
So, how do the key legal obligations in the PDPA compare to the requirements of ISO 27018? Can ISO 27018 help cloud customers and CSPs alike to ensure compliance with PDPA requirements? In this blog we compare the key legal obligations in the PDPA relevant to the use of cloud services to the requirements in ISO 27018 and look at the practical steps that cloud customers and CSPs can take to ensure compliance.
How do ISO 27018 and the PDPA compare?
PDPA requirement: An organisation must obtain the consent of an individual in order to process personal data about the individual.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to process personal data in accordance with the customer’s instructions and prohibits processing for any other purposes. This requirement will help the customer because it provides assurance to the customer that the CSP will not use its personal data for purposes that are inconsistent with the consent the customer has obtained from individuals.
PDPA requirement: An organisation must notify individuals about the purposes for which their data will be processed.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to process personal data in accordance with the customer’s instructions and it requires the CSP to disclose information about sub-processors and data location to the customer. These requirements will help the customer because they provide assurance to the customer that the CSP will not use its personal data for purposes that have not been notified to individuals, and the customer can provide extra information in its notice to individuals about sub-processors and locations of processing.
PDPA requirement: An organisation must cease to retain personal data as soon as the purpose for which the personal data was collected is no longer being served by the retention of the personal data.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to implement a policy under which the CSP ensures that personal data is erased as soon as it is no longer necessary for the specific purposes of the customer.
PDPA requirement: An organisation must, upon the request of an individual, provide the individual with access to the personal data that an organisation holds about the individual and correct the personal data.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to assist its customer to comply with a data subject’s access requests and correction requests.
PDPA requirement: An organisation must make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to take certain types of security measures, to adopt and implement security awareness policies and to subject their services to independent information security reviews at regular intervals.
PDPA requirement: An organisation has the same obligations in respect of personal data processed on its behalf and for its purposes by a third-party, as if the personal data is processed by the organisation itself.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires a contract to be executed between the data controller (the customer) and the data processor (the CSP), that contains minimum security arrangements and an obligation to process data in accordance with the data controller’s requirements. Further, it also requires the CSP to seek consent from the customer before engaging any sub-contractors.
PDPA requirement: An organisation must not transfer personal data outside of Singapore unless the transfer is made in accordance with the requirements of the PDPA to ensure that the organisation provides a standard of protection to the personal data so transferred that is comparable to the protection under the PDPA.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to specify and document the countries in which the personal data may be processed and, no matter where the personal data is located, all of the other requirements in ISO 27018 will apply to the personal data, so the customer can be sure that its personal data will be protected to the same standard of protection.
PDPA requirement: An organisation must implement policies and procedures in order to meet its obligations under the PDPA and shall make information about its policies and procedures publicly available.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to execute a contract with the customer to ensure that data is processed in accordance with the customer’s instructions (including instructions as to policies and procedures that are adopted by the customer).
Put simply, the comparison shows that the key legal obligations are matched by the standard’s requirements.
What about other countries?
The same conclusion appears to us to apply in other countries as well. The PDPA is similar to the data protection laws in many other countries, including Australia, European countries, Hong Kong, Japan, Korea, Malaysia and New Zealand. If a cloud customer in any of these countries engages a CSP who complies with ISO 27018, the cloud customer can be confident that the CSP’s cloud solution will help the cloud customer to comply with its key legal obligations under the data protection laws in its country.
How can a CSP demonstrate compliance with ISO 27018?
There are a few options:
There is no silver bullet to ensure overall compliance with an organisation’s obligations under privacy laws. However, in relation to cloud solutions, ISO 27018 is a welcome step towards ensuring that such cloud solutions are compliant with relevant privacy law obligations, including those in Singapore’s PDPA, and thereby further boosting customer confidence in cloud solutions. Customers should check that their CSPs (existing or potential) comply with ISO 27018. This will help customers to be confident that the cloud solutions (existing or potential) comply with the relevant obligations under the PDPA (or the relevant laws in other countries). CSPs should demonstrate compliance with ISO 27018 in order to be confident that their cloud solutions will help their customers to comply with the relevant obligations under the PDPA (or the relevant laws in other countries).
The Monetary Authority of Singapore (“MAS”) is consulting on a new notice and guidelines on outsourcing. Having already commented on its positive message for cloud services, this post addresses the rest of the consultation. In summary, we think:
Background
MAS first issued its ‘Guidelines on Outsourcing’ in 2004 (and updated them in 2005). Under this consultation:
Interested parties should submit views and comments to MAS by email to firstname.lastname@example.org by 7 October 2014.
What we like
Some important points we would like to see MAS clarify
Some less important points that could helpfully be clarified
Next steps: Customers, suppliers and advisors have until 7 October to submit a reply to the MAS. Let’s see to what extent they address the points noted above.
Financial institutions and cloud service providers alike should be feeling relief at the moment, following the release of the MAS’s consultation on the proposed new outsourcing notice and updated guidelines, as mentioned in Rob’s previous post.
The MAS doesn’t use the word “cloud” expressly in its consultation. However, the MAS has made important changes to the outsourcing guidelines. The changes are relevant to cloud services and, most importantly, there are positive references to cloud services. Cloud is OK provided you follow MAS’s rules.
In summary, these are positive steps for customers and service providers of cloud services. As the proposed new guidelines currently stand, the MAS has decided not to call out cloud services in much detail. Instead the MAS seems to be moving towards accepting cloud services as just another service delivery model, rather than as something that needs additional regulation or treatment. This is good news.
Apart from cloud, the new notice and updated guidelines should be welcomed. There are some points that the MAS should be asked to clarify, and now’s the time to do that (more on these points in our next blog). However, overall, these proposals are good for cloud and good for the financial services industry in Singapore.
Myanmar is a country with tremendous opportunities, but also tremendous risks. I was fortunate enough to host and chair a seminar in Singapore yesterday on responsible investment into Myanmar.
Introduction by Rt. Hon Hugo Swire MP
The seminar started with an introduction and overview by the Rt. Hon Hugo Swire MP, Minister of State, Foreign and Commonwealth Office. Hugo provided an overview of Myanmar’s historical context (including explaining that, in deference to Daw Aung San Suu Kyi, the British Government calls Myanmar Burma) and current UK government actions to support its development and reintegration with the international community, in particular giving examples of how the UK is working to improve the business environment as a whole by strengthening the Myanmar government’s capacity for economic governance, transparency and accountability.
A framework for responsible investment
The next speaker, Richard Welford, Chairman, CSR Asia, set out a framework for responsible and inclusive investment into Myanmar. Author of CSR Asia’s report “Responsible and Inclusive Business in Myanmar”, he explained that responsibility encompassed developing six aspects of Myanmar’s capital (in the economic, not geographic sense) and addressing three areas to increase inclusion:
Development of capitals through responsibility
Richard explained his view that responsible companies will contribute to the development of Myanmar’s capitals through their business activities, in particular how companies make their profits and how they provide benefits to stakeholders through their economic activities. The six capitals are:
Including the poorest members of society
Richard went on to explain that “inclusive” business is a commercially viable and scalable way to incorporate low-income populations into corporate value chains. It aims to combat the poverty challenge in Myanmar and provides access to goods, services and livelihood opportunities for the poorest. The report outlines three ways of including poor people in Myanmar:
More details on responsibility and inclusion (including practical steps) can be found in the full report.
CSR in ASEAN context
The final speaker, Thomas Thomas, CEO, ASEAN CSR Network, is the lead author of the report on CSR and human rights in ASEAN for the ASEAN Intergovernmental Commission on Human Rights. He explained the context for CSR across the ASEAN region and provided his perspective on practical steps companies could take.
The seminar closed with a lively interactive panel discussion of questions from the floor.