
Confidential

Page 1 of 50

10006608-2

INDONESIA – BANKS

GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE TO FINANCIAL SERVICES INSTITUTIONS

USING CLOUD COMPUTING (AZURE)

Last updated: March 2015

1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?

This guidance document provides a guide to complying with the regulatory process and requirements applicable to financial services institutions using cloud computing. In this guidance, "financial services institutions" means banks ("FSIs").

Sections 2 to 6 of this guidance set out information about the regulatory process and the regulations that apply.

Section 7, Part A, sets out some information, tips and template responses for each of the items included in the information sheet of the Annex to BI Circular Letter No. 9/30/DPNP. Part A should assist you to collate the report which you are required to submit to the OJK in order to obtain the OJK's approval.

Part B sets out additional questions in relation to outsourcing to a cloud services solution, based on the laws, regulations and guidance that are relevant to the use of cloud services. Although there is no requirement to answer the questions in Part B in a checklist like this one, we have received feedback from FSIs that a checklist approach like this is very helpful. Part A and Part B can be used:

(i) as a checklist for ensuring regulatory compliance with the requirements set out in the laws, regulations and guidelines (listed in Section 2); and

(ii) as a tool to aid discussions with the regulator(s) (listed in Section 3), should they wish to discuss your organization's overall approach to compliance with their requirements.

Appendix One also contains a list of the mandatory contractual requirements required by relevant regulation.

Note that this document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment. Instead, it is intended to streamline the regulatory process for you. You should seek independent legal advice on your technology outsourcing project and your legal and regulatory obligations.


2. WHAT LAWS, REGULATIONS AND GUIDANCE ARE RELEVANT?

The use of cloud services is considered to be an "outsourcing arrangement" and is subject to regulatory supervision.

The relevant documents are as follows. We have included a hyperlink where the documents are available online and, where available, the links are to English translations that have been prepared by public authorities. However, the translations are not always the latest versions or official translations, since they have not been updated periodically. Therefore, they should be used only for reference and should not be relied upon.

Bank Indonesia Regulation 9/15/PBI/2007 on Implementation of Risk Management in the Use of Information Technology by Commercial Banks ("BI Regulation 9/2007")

BI Circular Letter No. 9/30/DPNP dated 12 December 2007 ("BI Circular Letter No. 9/30"), which can be viewed as the implementing guidelines to BI Regulation 9/2007 (note: only the appendix which contains the detailed guidelines is available in English, and not the appendix including the information sheet which must be completed, as explained in section 5 below)

Indonesian Banking Law ("Law No. 10 of 1998")

Law No. 11 of 2008 on Electronic Transaction and Information ("ITE Law")

Note: Under Government Regulation No. 82 of 2012 on Electronic System and Transaction ("GR 82"), operators of an electronic system used for providing public services are required to locate their data centers and disaster recovery centers within Indonesia. GR 82 provides that further details will be set out in subsidiary regulations, including guidance on what entities will be considered as providing public services. Based on current draft subsidiary regulations to GR 82, it appears that GR 82 will apply primarily to public sector entities. Therefore it is unlikely that GR 82 will apply to non-public sector customers, including FSIs (and therefore the requirement for local data centers and local disaster recovery centers does not apply to FSIs).

3. WHO IS/ARE THE RELEVANT REGULATOR(S)?

The Financial Services Authority of Indonesia ("OJK") is the government agency which regulates and supervises FSIs (having taken over the responsibilities of the Central Bank of Indonesia ("BI") as of 31 December 2013).

Note: As a result of OJK taking over the responsibilities of BI as of 31 December 2013, it is expected that the OJK may make changes to the above documents or issue new ones in due course. However, no timetable or details are available at the current time.

4. IS REGULATORY NOTIFICATION OR APPROVAL REQUIRED?

Yes.

FSIs must report any intended outsourcing arrangements to the OJK and obtain approval. Cloud services would be considered outsourcing arrangements subject to this approval requirement.

5. IS/ARE THERE (A) SPECIFIC FORM(S) OR QUESTIONNAIRE(S) TO BE COMPLETED?

Yes.

FSIs need to complete and submit a report to the OJK as part of the approval process explained above, which includes various letters and plans. The content of the report shall conform to the information sheet set out in an annex to BI Circular Letter No. 9/30/DPNP dated 12 December 2007 (which is unfortunately only available in Bahasa). Section 7, Part A, sets out some information, tips and template responses for each of the items included in the information sheet of the Annex to BI Circular Letter No. 9/30/DPNP.

6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?

Yes.

The OJK does specifically mandate contractual requirements that must be agreed by FSIs with their service providers. These can be found in various sections of BI Regulation 9/2007 and also in BI Circular Letter No. 9/30. Appendix One contains a list of the requirements that must be included in contracts with cloud service providers and details of where in the Microsoft contractual documents these requirements are covered.


7. CHECKLIST

Key:

In blue text, Microsoft has included template responses that would demonstrate how your proposed use of Microsoft's services would address the point raised in the checklist. Some points are specific to your own internal operations and processes, and you will need to complete these answers as well.

In red italics, Microsoft has provided guidance to assist you with the points in the checklist.

Ref. Question/requirement Template response and guidance

PART A: REPORT REQUIREMENTS

This section contains the items set out in the information sheet of the Annex to BI Circular Letter No. 9/30/DPNP, which should be collated into a report to be submitted to the OJK in order to obtain the OJK's approval.

1. Name and address of the cloud service provider.

Annex to BI Circular Letter No. 9/30/DPNP.

The Service Provider is the regional licensing entity for Microsoft Corporation, a global provider of information technology devices and services, which is publicly listed in the USA (NASDAQ: MSFT). Microsoft's full company profile is available here: https://www.microsoft.com/en-us/news/inside_ms.aspx.

For the correct Service Provider name relevant for your region, please review your Microsoft license agreement. Please also obtain the address details from your Microsoft contact.

[Address to be inserted.]

2. Summary of requirements and due diligence conducted by the bank with regard to its plan to have a data center abroad.

Annex to BI Circular Letter No. 9/30/DPNP. Details regarding the due diligence that OJK expects to be carried out on potential service providers and solutions can be found in the Guidelines Annex to BI Circular Letter No. 9/30/DPN, Chapter II, section 2.3(c) (which states that FSIs must carry out a selection process with reference to the FSI's own guidelines on outsourcing as well as policies and internal procedures), and Chapter X, section 10.3.2, which includes details regarding the service provider selection process and due diligence (including the RFP proposal) that OJK would expect you to have undertaken. These are reflected in the following.

The process covered:

a. The outlining of our business requirements for the use of third parties to provide the services. We identified the functions and activities to be outsourced and the potential risks of such outsourcing. As a result we produced a document with a detailed illustration of our expectations in respect of the services from the service provider; please see attached. The Guidelines Annex to BI Circular Letter No. 9/30/DPN, Chapter X, section 10.3.2.1(a) to (g) contains a list of the items that OJK would expect you to include in this document of requirements.

b. A request for proposal (RFP) stage. A copy is attached. Note: you may want to add details of how many different providers you approached and any other details of how you ran this process. See the Guidelines Annex to BI Circular Letter No. 9/30/DPN, Chapter X, section 10.3.2.2 for more details.

c. Due diligence in relation to the potential service providers. In particular we looked at the following. Note: this is the list found in the Guidelines Annex to BI Circular Letter No. 9/30/DPN, Chapter X, section 10.3.2.2.3, but that list is expressed as including only the minimum aspects which should be covered, so you may well want to add to this.

The service provider company's history: Microsoft is an industry leader in cloud computing. Azure was built based on ISO/IEC 27001 standards and was the first major business productivity public cloud service to have implemented the rigorous set of global standards covering physical, logical, process and management controls. Microsoft Corporation, the parent company, is publicly listed in the United States and is amongst the world's largest companies by market capitalization.

The service provider's qualifications, background and reputation: 40% of the world's top brands use Azure. Some case studies are available on the Microsoft website. FSI customers in leading markets, including in the UK, France, Germany, Australia, Hong Kong, Canada, the United States and many other countries, have performed their due diligence and, working with their regulators, are satisfied that Azure meets their respective regulatory requirements. This gives us confidence that the service provider is able to help meet the high burden of financial services regulation and is experienced in meeting these requirements.

References from other companies using the same services from the service provider: We consulted various case studies relating to Azure, which are available on the Microsoft website, and also considered the fact that Microsoft has amongst its customers some of the world's largest organizations and FSIs. FSI customers in leading markets, including in the UK, France, Germany, Australia, Hong Kong, Canada, the United States and many other countries, have performed their due diligence and, working with their regulators, are satisfied that Azure meets their respective regulatory requirements. This gives us confidence in our choice of service provider.

The financial condition of the service provider, including a review of its audited financial report: Microsoft Corporation is publicly listed in the United States and is amongst the world's largest companies by market capitalization. Microsoft's audited financial statements indicate that it has been profitable for each of the past three years. Its market capitalization is in the region of USD 280 billion. Accordingly, we have no concerns regarding its financial strength.

The capability and effectiveness of the service provider: The due diligence carried out in all of the other areas listed here gives us confidence in the capability and effectiveness of Microsoft.

The technology and system architecture: This will of course depend in part on the solution that you choose. Your Microsoft contact will be able to provide you with details and diagrams which you can use for this purpose once decided.

The internal control environment, security history and scope of any audit: Microsoft is an industry leader in cloud security and implements policies and controls on par with or better than the on-premises data centers of even the most sophisticated organizations. As detailed elsewhere, we have confidence in the security of the solution and the systems and controls offered by the service provider. In addition to the ISO/IEC 27001 certification (with independent third party audit), Azure is designed for security with controls for encryption of data at rest and SSL/TLS encryption of data in transit. In addition, all personnel with access to customer data are subject to background screening, security training and access approvals. Access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems. User access to data is also limited by user role. For example, system administrators are not provided with database administrative access.

The service provider's compliance with existing laws and regulations: As Microsoft is a world-leading technology provider with an excellent track record and experience in serving clients in the financial services sector, and is subject to independent audit and scrutiny, we have no grounds for concern regarding Microsoft's compliance with existing laws and regulations.

Trust and success in the relationship management with sub-contractors: Microsoft is contractually required to maintain a list of authorized subcontractors, which is updated periodically. The current list is available on the Microsoft Trust Centre. If we do not approve of a subcontractor that is added to the list, then we have the right to terminate the affected online services. Microsoft is experienced in using trusted sub-contractors (to provide limited services on its behalf, such as providing customer support). Any such subcontractors will be permitted to obtain our data only to deliver the services Microsoft has retained them to provide, and they are prohibited from using such data for any other purpose. Microsoft remains responsible for its subcontractors' compliance, and all subcontractors will have entered into written agreements with Microsoft requiring that the subcontractor abide by terms no less protective than Microsoft's agreement with us.

Insurance cover: Microsoft self-insures and, in view of the size and reputation of the organization, we are comfortable with this position.

The service provider's ability to provide disaster recovery and business continuity: Microsoft offers contractually guaranteed uptime, hosted out of world-class data centers with physical redundancy at disk, NIC, power supply and server levels; constant content replication; robust backup, restoration and failover capabilities; real-time issue detection and automated response, such that workloads can be moved off any failing infrastructure components with no perceptible impact on the service; and 24/7 on-call engineering teams.

The service provider's implementation of risk management: Microsoft, as an outsourcing partner, is an industry leader in risk management for the service it is providing. One of the key risks that Microsoft is required to manage is security. Microsoft's cloud security is market leading, and Microsoft implements policies and controls on par with or better than the on-premises data centers of even the most sophisticated organizations. Azure was built based on ISO/IEC 27001 standards, a rigorous set of global standards covering physical, logical, process and management controls. The Microsoft Azure security features (Azure being the product that the organization will be using) consist of three parts: (a) built-in security features, including encryption of data when in transit and at rest; (b) security controls; and (c) scalable security. These include 24-hour monitored physical hardware, isolated customer data, automated operations and lock-box processes, secure networks and encrypted data.

The results report of any independent third party assessment: As part of Microsoft's certification requirements, Microsoft is required to undergo regular independent third party auditing, and Microsoft shares the independent third party audit reports with us. The Microsoft service is subject to the SSAE16 SOC1 Type II audit, an independent third party audit, and Microsoft will make this available to us. Microsoft will also make the ISO/IEC 27001 audit report available to us.

d. We also undertook the following. See the Guidelines Annex to BI Circular Letter No. 9/30/DPN, Chapter X, section 10.3.2.4, which sets out these requirements.

An evaluation of the implementation of risk management by the service provider.

A check to ensure that the service provider would provide the necessary reports to enable the monitoring of the service provider's performance, including to determine if any monitoring program is required. For example, we have access rights (at any time) to the online dashboards, which provide live information in relation to the performance of Microsoft's services against performance measures.

A cost-benefit analysis for the different options in accordance with our IT strategic plan and business plan. See the Guidelines Annex to BI Circular Letter No. 9/30/DPN, Chapter I, section 1.2.2 for details of what OJK expects in terms of an IT strategic plan. See also the high level obligation in Article 18(2)(a)(3).

Ensuring that representatives of our IT work unit were able to present their opinions and analysis of the results of the due diligence and selection process.

Ensuring that the service provider would implement IT controls adequately, including physical security and logical security. This included ensuring that Microsoft would submit to us the latest result of any independent third party audits. As part of Microsoft's certification requirements, Microsoft is required to undergo regular independent third party auditing, and Microsoft shares the independent third party audit reports with us. The Microsoft service is subject to the SSAE16 SOC1 Type II audit, an independent third party audit, and Microsoft will make this available to us. Microsoft will also make the ISO/IEC 27001 audit report available to us.

A check using annual reports and other sources to confirm that we are able to monitor and evaluate the reliability of the service provider periodically. Microsoft would also be happy to connect you with other FSI customers who have taken up Microsoft's online services, and you could include details of such customer references here. Please contact your Microsoft contact if you would like to do this.

A check to confirm that our databases are accessible to OJK in a timely manner for both current and past data. Microsoft contractually commits to us that we will have access to our data at all times (see OST, page 11).

3. Draft agreement between the FSI and the cloud provider.

Annex to BI Circular Letter No. 9/30/DPNP.

A copy is enclosed.

Note: please ask your Microsoft contact for a copy.

4. Summary of the risk analysis undertaken by the cloud provider for the proposed provision of cloud services to the FSI.

Annex to BI Circular Letter No. 9/30/DPNP. Also Article 10(3), BI Regulation 9/2007.

Note: This "risk analysis" is something that Microsoft, as opposed to the FSI, needs to prepare. However, no further details are available relating to what exactly the regulator is looking for and what it should include, so this may be one aspect that the FSI and Microsoft discuss with OJK. Note that under the FSA you are also provided with access to Microsoft's independent third party audit reports, and we have the right to review Microsoft's Information Security Policies, along with other information we may reasonably request regarding Microsoft's security practices and policies. In order to meet the objectives and demands of a robust service, Microsoft regularly conducts penetration testing and vulnerability assessments against the service through its commitment to the Security Development Lifecycle and ISO certification. The output of testing is tracked through a risk register which is audited and reviewed on a regular basis to ensure compliance with Microsoft's security practices. In order to protect both the system and customer data, Microsoft does not provide copies of the testing reports; however, the tests conducted typically include the OWASP top ten and also include the use of independently verified security teams (CREST certified). Microsoft is happy to make available the ISO and SSAE 16 audit reports, which cover vulnerability assessments.


5. Summary analysis of costs and benefits for the implementation of cloud services.

Annex to BI Circular Letter No. 9/30/DPNP and Article 18(2)(a)(3). You will need to provide details of the cost-benefit analysis that you have conducted. There may be some cross-reference or duplication with your response to question 2 above.

See attached.

6. A description of the current and future intended IT architecture once cloud services have been implemented.

Annex to BI Circular Letter No. 9/30/DPNP. Note: what you set out in your attachment here will of course depend on the solution that you have decided to deploy. Your Microsoft contact will be happy to work with you to provide a suitable attachment for inclusion here.

See attached.

7. A monitoring plan that will be used by the FSI for the implementation of the cloud services.

Annex to BI Circular Letter No. 9/30/DPNP. This is an overview document which must be prepared and submitted by the FSI. See the Guidelines Annex to BI Circular Letter No. 9/30/DPN, Chapter I, section 1.3.3 for details of what OJK expects FSIs to do in terms of risk measurement and monitoring, which should be factored into the plan which you provide. The Guidelines Annex to BI Circular Letter No. 9/30/DPN, Chapter III, section 3.3.12 also states that the FSI must assign personnel with the obligation to monitor the services of any IT service provider by using a procedure which at least includes service surveillance, error reporting and documentation related to service delivery. Further high level obligations on FSIs in relation to monitoring can be found in Articles 6(5), 7(2)(f), 10(1), 12(1)(f), 15(2) and 18(2)(3).

You may find it useful to reference the following monitoring and reporting facilities which Microsoft provides in your response:


Monitoring for security incidents:

Microsoft's systems, including its real-time monitoring facilities, enable us to fulfill our reporting obligations to OJK in the event of a security breach or incident occurring.

Microsoft implements "prevent, detect, and mitigate breach", which is a defensive strategy aimed at predicting and preventing any security breach before it happens. This involves continuous improvements to built-in security features, including port scanning and remediation, perimeter vulnerability scanning, OS patching to the latest updated security software, network-level DDoS (distributed denial-of-service) detection and prevention, and multi-factor authentication for service access. Wherever possible, human intervention is replaced by an automated, tool-based process, including routine functions such as deployment, debugging, diagnostic collection, and restarting services. Azure continues to invest in systems automation that helps identify abnormal and suspicious behavior and respond quickly to mitigate security risk. Microsoft is continuously developing a highly effective system of automated patch deployment that generates and deploys solutions to problems identified by the monitoring systems, all without human intervention. This greatly enhances the security and agility of the service.

In the event that a security incident or violation is detected, Microsoft Customer Service and Support notifies Azure subscribers by updating the Service Health Dashboard that is available on the Azure portal. We would have access to Microsoft's dedicated support staff, who have a deep knowledge of the service. Microsoft provides a Recovery Time Objective ("RTO") of 30 minutes or less for Virtual Machines and Storage, 1 hour or less for Virtual Network, and a Recovery Point Objective ("RPO") of 1 minute or less for Storage.

Reporting and information:

Microsoft's Service Level Agreement ("SLA") applies to the Azure product. Our IT administrators also have access to the Azure Service Health Dashboard, which provides real-time and continuous monitoring of the Azure service. The Service Health Dashboard provides our IT administrators with information about the current availability of each service or tool (and the history of availability status), details about service disruptions or outages, and scheduled maintenance times. The information is also provided via an RSS feed.

Amongst other things, the SLA provides a contractual uptime guarantee for the Azure product and covers performance monitoring and reporting requirements which enable us to monitor Microsoft's performance on a continuous basis against service levels.

As part of the support we receive from Microsoft, we also have access to a technical account manager who is responsible for understanding our challenges and providing expertise, accelerated support and strategic advice tailored to our organization. This includes both continuous hands-on assistance and immediate escalation of urgent issues to speed resolution and keep mission-critical systems functioning. We are confident that such arrangements provide us with the appropriate mechanisms for managing performance and problems.

Audit:

We are confident that in our choice of Microsoft as Service Provider we have far more extensive audit rights than most, if not all, other Service Providers offer. This was an important factor in our decision to choose this Service Provider, and it is a key component of our monitoring plan.

In particular, the following audit protections are made available by Microsoft:

1. As part of Microsoft's certification requirements, Microsoft is required to undergo regular independent third party auditing (via the SSAE16 SOC1 Type II audit, a globally recognized standard), and Microsoft shares the independent third party audit reports with us. Microsoft also agrees, as part of the compliance program, to a customer right to monitor and supervise. We are confident that such arrangements provide us with the appropriate level of assessment of Microsoft's ability to meet our policy, procedural, security control and regulatory requirements.

2. The OJK is given a contractual right of audit/inspection over Microsoft's facilities, so that it can assess and examine systems, processes and security and regulatory compliance.

8. A letter from the FSI stating the availability of access by internal and external auditors and the OJK to obtain data and information as demanded.

Annex to BI Circular Letter No. 9/30/DPNP. The Guidelines in the Annex to BI Circular Letter No. 9/30/DPNP, Chapter IX, contain details of OJK's expectations in relation to the FSI's own internal audit function. This letter is concerned with the FSI's own internal auditor's ability to audit the FSI's data and information (even where that happens to be maintained by a third party), as opposed to an audit right over systems and infrastructure. FSI data and information will be owned by the FSI and accessible at any time. See also Article 18, BI Regulation 9/2007.

Microsoft does give audit rights to financial services regulators and provides FSIs with access to their data and information at all times. Your Microsoft contact would be happy to help you with the wording of such a letter if that would be helpful.

See attached.

9. If the FSI is a branch office of a foreign bank or owned by a foreign financial institution, the following items should also be provided:

(i) A letter from the supervisory authority/regulator of the country/state where the cloud service provider is located (i.e. where the contracting entity is based), declaring that the cloud service provider is under its jurisdiction;

(ii) A letter from the local monitoring authority (which would be the applicable regulator where the data centers and disaster recovery centers are located – essentially so that OJK can ensure that there is no impediment from the local authority to having the data centers inspected by OJK) in the event that OJK wishes to conduct an inspection of the data centers or disaster recovery center;

(iii) A letter from the FSI confirming that it will periodically submit an evaluation report (as per (iv) below) conducted by the related foreign bank (and which should also include the proposed timeline for submission of such report);

(iv) An evaluation report from the foreign bank concerning the implementation of risk management conducted by the cloud service provider.

Annex to BI Circular Letter No. 9/30/DPNP.

Note: There is no further detail provided regarding what these letters or the evaluation report should contain. This is an area where the FSI and Microsoft may like to discuss with the OJK what the OJK's expectations are, and whether there are any ways in which Microsoft is able to help the FSIs in obtaining these, for example because Microsoft already has relationships with the relevant regulators.

10. A copy of a master plan by the FSI relating to (i) improvement of quality toward its customers and (ii) improvement of human resources in connection with the implementation of cloud services.

Annex to BI Circular Letter No. 9/30/DPNP. OJK is very keen to ensure that FSIs make efforts to increase and invest in the competency of human resources related to the management of IT through adequate training and education programs (see for example the Guidelines to BI Circular Letter No. 9/30/DPNP, Chapter I, sections 1.2.1.2(7) and (8) and 1.2.4). Your Microsoft contact would be happy to discuss ways in which Microsoft can help you with this, if that would be helpful.

See attached.

PART B: ADDITIONAL REQUIREMENTS WHEN USING AN OVERSEAS PROVIDER

Note that the following additional requirements are set out in the Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section 10.3.4 and are required in order to obtain OJK’s approval to the outsourcing. Whilst they are not specifically included in the information sheet for inclusion in the report set out in Part A above, OJK will likely expect you to provide evidence to support that you and the intended outsourcing meet these requirements, so it is useful to have this information to hand or even to submit it with your report.

11. FSIs must conduct analysis and a feasibility study on government policies and the political, social and economic and legal environment in the countries where the IT services will be carried out.

Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section 10.3.4(a). BI Regulation 9/2007 contains high level obligations in relation to risk management and security. The answer to this question will depend on the region you are in. You may discuss this with your Microsoft contact. Microsoft enables customers to select the region that it is provisioned from.

Azure is hosted out of […..]. This/These location(s) has/have been vetted for geopolitical/socioeconomic risks as set out in this checklist requirement. As part of our usual processes, we constantly monitor the countries in which we operate. We specifically considered the following:

a. Political (i.e. cross-border conflict, political unrest etc). Azure offers data-location transparency so that the organizations and regulators are informed of the jurisdiction(s) in which data is hosted. We are confident that Microsoft’s data center locations offer extremely stable political environments.

b. Country/socioeconomic. Azure offers data-location transparency so that the organizations and regulators are informed of the jurisdiction(s) in which data is hosted. The centers are strategically located around the world taking into account country and socioeconomic factors. We are confident that Microsoft’s data center locations offer extremely stable socioeconomic environments.

c. Infrastructure/security/terrorism. Microsoft’s data centers are built to exacting standards, designed to protect customer data from harm and unauthorized access. Data center access is restricted 24 hours per day by job function so that only essential personnel have access. Physical access control uses multiple authentication and security processes, including badges and smart cards, biometric scanners, on-premises security officers, continuous video surveillance and two-factor authentication. The data centers are monitored using motion sensors, video surveillance and security breach alarms.

d. Environmental (i.e. earthquakes, typhoons, floods). Microsoft data centers are built in seismically safe zones. Environmental controls have been implemented to protect the data centers including temperature control, heating, ventilation and air-conditioning, fire detection and suppression systems and power management systems, 24-hour monitored physical hardware and seismically-braced racks. These requirements are covered by Microsoft’s ISO/IEC 27001 accreditation for Azure.

e. Legal. We will have in place a binding negotiated contractual agreement with Microsoft in relation to the outsourced service, giving us direct contractual rights. We also took into account the fact that Azure was built based on ISO/IEC 27001 standards, a rigorous set of global standards covering physical, logical, process and management controls. Finally, we took into account the fact that Microsoft offers access and regulator audit rights, thereby allowing us to comply with our regulatory obligations in this respect.

12. FSIs need to analyze their ability to monitor the service provider effectively, including its ability to carry out the business continuity plan and early termination.

Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section 10.3.4(a). In addition to explaining your own internal processes, you may in this context also wish to mention the contractual vendor management rights that you have under your agreements with Microsoft, including the rights of audit and inspection. Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter VI sets out OJK’s expectations in relation to your own business continuity plan. See also Articles 12 and 13, BI Regulation 9/2007 which contain the high level obligations in relation to business continuity.

We have the ability to monitor Microsoft effectively. For example, we have access rights (at any time) to the online dashboards, which provide live information in relation to Microsoft’s services’ performance against performance measures. We also, as part of the support we receive from Microsoft, have access to a technical account manager who is responsible for understanding our challenges and providing expertise, accelerated support and strategic advice tailored to our organization. This includes both continuous hands-on assistance and immediate escalation of urgent issues to speed resolution and keep mission-critical systems functioning. We are confident that such arrangements provide us with the appropriate mechanisms for managing performance and problems.

We are able to monitor Microsoft’s business continuity plans. Microsoft has provided us with detailed information in relation to its business continuity plans. Business continuity management forms part of the scope of the accreditation that Microsoft retains in relation to the online services, and Microsoft contractually commits to maintain a data security policy that complies with these accreditations (see OST, page 13). Business Continuity Management also forms part of the scope of Microsoft’s annual third party compliance audit. In addition, if a business continuity incident occurs, Microsoft does a thorough post-incident review every time. Microsoft’s post-incident review consists of analysis of what happened, Microsoft’s response, and Microsoft’s plan to prevent it in the future. In the event the organization was affected by a service incident, Microsoft shares the post-incident review with the organization.

In relation to termination, our agreement with Microsoft is terminable by us for convenience at any time by providing not less than 60 days’ notice. Any sub-agreements to the MBSA are terminable by us for convenience at any time by providing not less than 30 days’ notice. In addition, we have standard rights of termination for material breach. This gives us the flexibility and control we need to manage the relationship with Microsoft because it means that we can terminate the arrangements whether with or without cause. Aside from these contractual remedies, it is important to note that we are always in control of our data. As such, we could (at any time) choose to migrate our data to an alternate service provider with or without relying on the above contractual remedies.

13. FSIs must carry out a country risk analysis which shows that there are no significant impacts from the location of the country including in the event of a dispute with the country where the service provider is located.

Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section 10.3.4(b).

See our response to question 11 above. We do not have concerns regarding the location of the services.

We have obtained legal advice in relation to our ability to bring a claim in the event of a dispute and are comfortable that our rights are protected.

14. FSIs must conduct an assessment on the local regulations in the countries where the service provider is established that require the service provider to provide information disclosure on customer’s data (even though there may be confidentiality restrictions and controls in the service agreement).

Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section 10.3.4(c).

Ultimately it is for the FSI to be comfortable on this point. This is one area that Microsoft and the FSI could discuss with OJK to understand further what their expectations and concerns are here. Microsoft has provided some further information here that may assist:

Microsoft is transparent in relation to the location of our data. Microsoft data center locations are made public on the Microsoft Trust Center. By participating in the Microsoft Online Services Customer Compliance Program under section 2d of the FSA, we will have access to Microsoft’s data center roadmap which will give us advance warning of new data center locations.

If there is any regulatory request to access data, Microsoft will not disclose our data to law enforcement authorities unless it is legally obliged to do so, and only after not being able to redirect the request to us (see OST, page 8). Otherwise, Microsoft will not disclose our data to other people looking for access.

15. FSIs may only make agreements with other parties which operate in a jurisdiction which generally supports the clause and agreement of confidentiality. FSIs must ensure that the service agreement with the service provider also includes the choice of law, and the FSI should be able to understand the possible impact from the choice of law provisions in order to be able to resolve disputes or legal problems in the future.

Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section 10.3.4(d). See also Article 11, BI Regulation 9/2007.

MBSA section 11h sets out the choice of law provision. Either the contract is governed by the laws of the State of Washington if the contract is with a Microsoft affiliate located outside of Europe; or the contract is governed by the laws of Ireland if the contract is with a European Microsoft affiliate.

MBSA section 11e sets out the jurisdictions in which parties should bring their actions. Microsoft must bring actions against the customer in the countries where the customer’s contracting party is headquartered. The customer must bring actions: (a) in Ireland if the action is against a Microsoft affiliate in Europe; (b) in the State of Washington, if the action is against a Microsoft affiliate outside of Europe; or (c) in the country where the Microsoft affiliate delivering the services has its headquarters if the action is to enforce a Statement of Services.

We have sought legal advice on our rights and any risks in relation to the jurisdictional issues relating to the arrangement and are comfortable with the position, in particular in relation to the enforceability of the confidentiality clause.

16. The FSI must ensure that the database structure of every application used is owned by the FSI and stored in the FSI’s office in Indonesia and that there are officers of the FSI inside the state who understand the database structure including the technical references of said database. FSIs must ensure that the placement of data centers outside Indonesia does not obstruct attempts to observe and reconstruct the FSI’s activities inside the state (i.e. accounting and accounts) in a timely manner.

Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section 10.3.4(e).

We have selected the Azure product because it provides us with control over our data, including data location, access and authentication. We (not Microsoft) will continue to own and retain all rights to our data and our data will not be used for any purpose other than to provide us with the Azure services, and Microsoft commits to these points in its contract with our organization. Our officers inside the state have access at all times to our data held by Microsoft (and Microsoft commits to this point in its contract with our organization).

Clause 1f of the FSA gives the customer the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates the customer’s ability to assess the services’ controls and effectiveness and to communicate with Microsoft’s subject matter experts. Therefore, this program provides a facility through which the FSI, if necessary, can find out more about the database structure, including the technical references of the database.

We have carried out a thorough review of Microsoft’s data center locations where our data will be processed and we are confident that the country risks and potential obstacles in exercising oversight and management of the arrangements are adequately dealt with in our contract with Microsoft.

17. FSIs cannot place data centers in a jurisdiction where access to information by OJK or other parties appointed by OJK to act on behalf of OJK on the data center/the service provider can be obstructed by legal or administrative restrictions.

Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section 10.3.4(f). The answer to this question will depend on the region you are in. You may discuss this with your Microsoft contact. Microsoft enables customers to select the region that it is provisioned from.

The data centers will be in [….]. We have no reasons to believe that there would be any obstruction in the form of administrative or legal restrictions in those countries which would prevent OJK, or other parties appointed by OJK, from accessing relevant information.

18. FSIs must conduct a review on how the outsourcing would still enable the access from the FSI’s auditor from internal, external or OJK to obtain necessary data and information for the carrying out of IT promptly whenever necessary.

Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section 10.3.4(g).

We have carried out a review and are confident that in Microsoft we are choosing a provider that not only has data centers in safe jurisdictions but one that provides contractual commitments to audit rights which are more extensive than most service providers. We have a number of rights in relation to audit in our contract with Microsoft:

a. In our contract with Microsoft (see the FSA) we have the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that allows us (a) to evaluate the services provided and (b) to review Microsoft’s internal control environment. Specifically, this compliance program facilitates our ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.

b. We have access rights (at any time) to the online dashboards, which provide live information in relation to Microsoft’s services’ performance against performance measures.

c. Under our contract with Microsoft, Microsoft will also make its Online Information Security Policy available to us, along with other information reasonably requested by us regarding Microsoft security practices and policies.

d. In addition, as part of Microsoft’s certification requirements, they are required to undergo regular independent third party auditing and Microsoft shares with us the independent third party audit reports. Under the FSA, section 2c, Microsoft will provide to us copies of its audit reports so that we can verify Microsoft’s compliance with its obligations.

e. There are provisions in our contract with Microsoft that enable our regulators to carry out inspection or examination of Microsoft’s facilities, systems, processes and data relating to the services. These are set out in Section 2a of the FSA.

f. Under Section 2a of the FSA we are entitled to delegate our rights of access to the service to representatives of our regulator. We are also entitled under Section 2a to share the information and resources with our regulator that Microsoft makes available to us under the contract. This includes copies of Microsoft’s audit reports and information about findings of Microsoft’s independent third party auditors. The examination and influence rights that are granted to the regulator and the process can culminate in the regulator’s examination of Microsoft’s services, records, reports and premises.

19. FSIs must notify OJK if there are authorities out of Indonesia which request access on information about FSI’s customers or if a situation arises where the right of access of the FSI or OJK to obtain information and documents is restricted or refused.

Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section 10.3.4(h).

Yes.

We will make such a notification to OJK in any such event.

We note also that Microsoft will not disclose our data to a law enforcement authority unless it is legally obliged to do so, and only after not being able to redirect the request to us (see OST, page 8).

20. OJK should have the ability to terminate the service agreement in the event that any such obstruction to conduct an assessment on the data centers etc. occurs.

Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section 10.3.4(i).

We have termination rights that allow us to terminate the contract with Microsoft at will and also in the event of a material breach. We are therefore able to terminate the contract e.g. in the event that there is an obstruction to conduct an assessment of the data centers.

We note also that Microsoft is under a contractual obligation to provide audit rights to OJK. These rights are set out in the FSA.

21. The cost benefit assessment must demonstrate that the benefits for the FSI exceed the costs including the potential of increasing quality of service to customers.

Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section 10.3.4(j). You will need to outline here details of the cost benefit analysis you have undertaken in order to demonstrate you are able to meet this requirement. You will likely want to cross-reference your responses to the other questions on cost benefit assessments set out in Part A.

22. The FSI’s assessment must include product development and human resources planning. FSIs are required to improve the capability of the FSI’s human resources in relation to IT or business transactions or offered products even though the carrying out of IT is located outside of Indonesia.

Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section 10.3.4(k). We would suggest that in this respect you can refer OJK to the response you give and documents you provide under question 11 above.

APPENDIX ONE

MANDATORY CONTRACTUAL REQUIREMENTS

This table sets out the specific items that the OJK requires be covered in your agreement with Microsoft.

Key:

A cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.

In blue text, Microsoft has provided you with a reference to where in the agreement the contractual requirement is covered for ease of reference.

OST = Online Service Terms
EA = Enterprise Agreement
Enrolment = Enterprise Enrolment
FSA = Financial Services Amendment
MBSA = Microsoft Business and Services Agreement
PUR = Product Use Rights
SLA = Online Services Service Level Agreement

Ref. Requirement Microsoft agreement reference

1. The use of information technology service providers by an FSI must be based on a written agreement which contains at least the ability of said information technology service provider to render services and/or as mentioned in paragraph (2) letter (b) – see below.

Article 18, paragraph (3), BI Regulation 9/2008

The contract pack is in writing and comprehensively sets out the scope of the arrangement and the respective commitments of the parties. The online services are ordered under the Enrollment, and the order will set out the online services. Sales of Microsoft product to enterprise customers are made via a Microsoft reseller, who sets the end price with the customer.

2. Service providers must implement sufficient information technology control principles which are verified by audit results carried out by independent parties.

Article 18 paragraph 3, BI Regulation 9/2008 and paragraph (2)(b)(1)

Microsoft commits (see OST, page 9) to help protect the security of our information, and to implement, maintain and follow appropriate technical and organizational measures to protect our information against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction. These security measures are set out in more detail on pages 11 to 13 of the OST.

The OST specifies the audit mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate technology controls and standards. This commitment is reiterated in the FSA. Under the FSA, section 2c, Microsoft will provide to us copies of its audit reports so that we can verify Microsoft’s compliance with its obligations.

In addition, Clauses 1e and 1f of the FSA detail the examination and influence rights that are granted to the customer and the regulator. Clause 1e sets out a process which can culminate in the regulator’s examination of Microsoft’s premises.

3. Service providers must provide access to necessary data and information for the FSI’s internal auditor, for external auditors appointed by the FSI and the auditor of FSI promptly when required.

Article 18 paragraph 3, BI Regulation 9/2008 and paragraph (2)(b)(2)

There are a number of provisions in our contract with Microsoft under which Microsoft is obliged to provide us with necessary data and information.

1. The OST specifies the monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards.

2. Under the OST Microsoft must also provide us with information about security incidents (page 5).

3. Under the OST, on a confidential need-to-know basis, and subject to our agreement to non-disclosure obligations Microsoft specifies, Microsoft will make the Online Information Security Policy available to us, along with other information reasonably requested by Customer regarding Microsoft security practices and policies (page 13).

4. Under the FSA, section 2c, Microsoft will provide to us copies of its audit reports so that we can verify Microsoft’s compliance with its obligations.

5. Clause 1f of the FSA gives the customer the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates the customer’s ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.

4. Service providers must declare their acceptance to be audited by OJK for given services.

Article 18 paragraph 3, BI Regulation 9/2008 and paragraph (2)(b)(3)

There are provisions in our contract with Microsoft that enable our regulators to carry out inspection or examination of Microsoft’s facilities, systems, processes and data relating to the services. These are set out in Section 2a of the FSA.

Under Section 2a of the FSA we are entitled to delegate our rights of access to the service to representatives of our regulator. We are also entitled under Section 2a to share the information and resources with our regulator that Microsoft makes available to us under the contract. This includes copies of Microsoft’s audit reports and information about findings of Microsoft’s independent third party auditors. The examination and influence rights that are granted to the regulator and the process can culminate in the regulator’s examination of Microsoft’s services, records, reports and premises.

5. The service provider must guarantee the security of all information including the FSI’s secrecy and customer’s personal information.

Article 18 paragraph 3, BI Regulation 9/2008 and paragraph (2)(b)(4)

MBSA section 3 deals with confidentiality. Under this section Microsoft commits not to disclose our confidential information (which includes our data) to third parties and to only use our confidential information for the purposes of Microsoft’s business relationship with us. Further, Microsoft commits to take reasonable steps to protect our confidential information, to notify us if there is any unauthorized use or disclosure of our confidential information and to cooperate with us to help to regain control of our confidential information and prevent further unauthorized use or disclosure of it.

Microsoft also makes specific commitments with respect to safeguarding our data in the OST. In summary Microsoft commits that:

1. Ownership of our data remains at all times with us (see OST, page 8).

2. Our data will only be used to provide the online services to us and our data will not be used for any other purposes, including for advertising or other commercial purposes (see OST, page 8).

3. Microsoft will not disclose our data to law enforcement unless it is legally obliged to do so, and only after not being able to redirect the request to us (see OST, page 8).

4. Microsoft will implement and maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect our data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction (see OST, page 8 and pages 11-13 for more details).

5. Microsoft will notify us if it becomes aware of any security incident, and will take reasonable steps to mitigate the effects and minimize the damage resulting from the security incident (see OST, page 9).

6. Service providers may sub-contract part of their services only with a written agreement.

Article 18 paragraph 3, BI Regulation 9/2008 and paragraph (2)(b)(5)

Yes.

Microsoft commits that any subcontractors to whom Microsoft transfers our data will have entered into written agreements with Microsoft that are no less protective than the data processing terms in the OST (OST, page 11).

The confidentiality of our data is protected when Microsoft uses subcontractors because Microsoft commits that its subcontractors “will be permitted to obtain Customer Data only to deliver the services Microsoft has retained them to provide and will be prohibited from using Customer Data for any other purpose” (OST, page 9).

Microsoft maintains a list of authorized subcontractors for the online services that have access to our data and provides us with a mechanism to obtain notice of any updates to that list (OST, page 10). The actual list is published on the applicable Trust Center. If we do not approve of a subcontractor that is added to the list, then we are entitled to terminate the affected online services.

7. Service providers must report on every critical occurrence with possible consequences of significant monetary loss and/or disturbance to the operational activities of the FSI.

Article 18 paragraph 3, BI Regulation 9/2008 and paragraph (2)(b)(6)

Yes.

Microsoft will notify us if it becomes aware of any security incident, and will take reasonable steps to mitigate the effects and minimize the damage resulting from the security incident (see OST, page 9).

8. Service providers must periodically submit the result of information technology audits carried out by independent auditors on the carrying-out of data centers, disaster recovery centers and/or technology based transaction processes to OJK through the related FSI.

Article 18 paragraph 3, BI Regulation 9/2008 and paragraph (2)(b)(7)

Under Section 2a of the FSA we are entitled to delegate our rights of access to the service to representatives of our regulator. We are also entitled under Section 2a to share the information and resources with our regulator that Microsoft makes available to us under the contract. This includes copies of Microsoft’s audit reports and information about findings of Microsoft’s independent third party auditors. Microsoft commits to providing the customer with a summary of Microsoft’s annual audit report, which is performed by an independent third party and measures compliance against Microsoft’s certifications. The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards.

9. Service providers must provide an adequate and properly tested disaster recovery plan. (Article 18 paragraph 3, BI Regulation 9/2008 and paragraph (2)(b)(8))

Microsoft agreement reference: Business Continuity Management and disaster recovery form part of the scope of the accreditation that Microsoft retains in relation to the online services, and Microsoft commits to maintain policies that comply with these accreditations (see page 13 of the OST). Business continuity management and disaster recovery also form part of the scope of Microsoft’s annual third party compliance audit.

In addition, RTO requirements are set out in the SLA.

10. Service provider must be willing to accept the possibility of early termination. (Article 18 paragraph 3, BI Regulation 9/2008 and paragraph (2)(b)(9))

Microsoft agreement reference: Yes. We have the right to terminate our contract with Microsoft for convenience (MBSA section 8) by providing 60 calendar days’ prior written notice. Under the same section, we may also terminate the contract if Microsoft is in material breach or default of any obligation that is not cured within 30 calendar days’ notice of such breach. These rights give us the flexibility and control we need to manage the relationship with Microsoft because they mean that we can terminate the arrangements with or without cause. We have also assessed the timeliness and expense of these termination provisions and we are comfortable with these.

If we exercise this right, Microsoft contractually commits to retain our data stored in the Online Service in a limited function account for 90 days after expiration or termination of our subscription so that we may extract the data (OST, page 5). Microsoft does not charge us a fee to extract the data.

11. Scope of work/service. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(a))

Microsoft agreement reference: The contract pack is in writing and comprehensively sets out the scope of the arrangement and the respective commitments of the parties. The online services are ordered under the Enrollment, and the order will set out the online services.

The services are broadly described, along with the applicable usage rights, in the Product List and OST. The services are described in more detail in the OST, which includes a list of service functionality at OST, page 10 and core features of the Azure Services at pages 15-25.

12. Cost and duration of the agreement. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(b))

Microsoft agreement reference: Sales of Microsoft product to enterprise customers are made via a Microsoft reseller, who sets the end price with the customer. In general, the customer is required to commit to annual payments (payable in advance) based upon the customer’s number of users.

Enrollments have a three year term, and may be renewed for a further three year term.

13. Rights and obligations of the FSI and of the service provider. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(c))

Microsoft agreement reference: Yes. The contract pack comprehensively sets out the scope of the arrangement and the respective commitments of the parties.

MBSA section 6 deals with liability. In summary: the liability of both parties is limited at an annual cap of the fees payable for the online services. However, subject to the terms of the MBSA, the liability of the parties under Section 5 of the MBSA (Defense of infringement, misappropriation, and third party claims) is unlimited.

MBSA section 5 sets out Microsoft’s obligation to defend the regulated entity against third party infringement and breach of confidence claims. Subject to the terms of the MBSA, Microsoft’s liability under section 5 is unlimited.

14. Security guarantee and confidentiality agreement. Data should only be accessible by the FSI. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(d))

Microsoft agreement reference: Yes. MBSA section 3 deals with confidentiality. Under this section Microsoft commits not to disclose our confidential information (which includes our data) to third parties and to only use our confidential information for the purposes of Microsoft’s business relationship with us. Further, Microsoft commits to take reasonable steps to protect our confidential information, to notify us if there is any unauthorized use or disclosure of our confidential information and to cooperate with us to help to regain control of our confidential information and prevent further unauthorized use or disclosure of it.

We retain the ability to access our data at all times (OST, page 11), and Microsoft will deal with our data only in accordance with the terms of the Enrollment and the OST.

Following termination Microsoft will (unless otherwise directed by us) delete our data after a 90 day retention period (OST, page 5).

Microsoft also makes specific commitments with respect to safeguarding our data in the OST. In summary Microsoft commits that:

1. Ownership of our data remains at all times with us (see OST, page 8).

2. Our data will only be used to provide the online services to us and our data will not be used for any other purposes, including for advertising or other commercial purposes (see OST, page 8).

3. Microsoft will not disclose our data to law enforcement unless it is legally obliged to do so, and only after not being able to redirect the request to us (see OST, page 8).

4. Microsoft will implement and maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect our data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction (see OST, page 8 and pages 11-13 for more details).

5. Microsoft will notify us if it becomes aware of any security incident, and will take reasonable steps to mitigate the effects and minimize the damage resulting from the security incident (see OST, page 9).

15. An SLA containing performance standards such as agreed service levels and performance targets. Such SLA must remain valid even in the event of a change of the FSI or service provider. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(e) and (f))

Microsoft agreement reference: The SLA contains Microsoft’s service level commitment, as well as the remedies for us in the event that Microsoft does not meet the commitment. The terms of the SLA current at the start of the applicable initial or renewal term of the Enrollment are fixed for the duration of that term.

A copy of the SLA is available here: http://azure.microsoft.com/en-us/support/legal/sla/

16. Monitoring and reports in relation to the SLA. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(g))

Microsoft agreement reference: The customer may monitor the performance of the online services via the administrative dashboard, which includes information as to Microsoft’s compliance with its SLA commitments. The SLA contains the performance measures.

The OST specifies the monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards.

Clause 1f of the FSA gives the customer the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates the customer’s ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.

In addition, the customer can review the manner in which Microsoft provides the online services. As set out on page 13 of the OST, the customer is entitled to access the Microsoft Online Information Security Policy, which is the document where Microsoft sets out its information security management processes. Microsoft also commits to providing the customer with a summary of Microsoft’s annual audit report, which is performed by an independent third party and measures compliance against Microsoft’s certifications. Where required by the Regulator, Microsoft will also work with us to allow us to inspect or audit the services.


17. Limits on the potential risks to be sustained by the FSI and service provider including: (i) limiting the risk of changes in the scope of the contract; (ii) changes in the scope of the business and the size of the service provider’s business; (iii) changes in legal requirements and regulations; (iv) legal aspects including copyrights, patents and trademarks. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(h))

Microsoft agreement reference:

(i) Section 11k of the MBSA states that the contract may be amended only by a formal written agreement signed by both parties.

(ii) The contract allows the customer to terminate the arrangement with Microsoft for convenience (MBSA section 8), which means the customer has the right to terminate in the event of a change in the scope of the business and the size of the service provider’s business.

(iii) MBSA section 11m states that Microsoft and the customer each commit to comply with all applicable privacy and data protection laws and regulations. Again, if there are changes in legal requirements and regulations, the customer may terminate the contract for convenience, although in reality it is more likely that the parties will discuss in good faith how to address such changes. Microsoft also commits in section 2a of the FSA to work together in good faith to resolve a request of a regulator.

(iv) Microsoft is contractually obliged (under section 5 of the MBSA) to defend the customer from any third party claims that copyrights, patents and trademarks of third parties have been infringed by the services.

18. If the service provider subcontracts parts of their activities, the FSI must give its agreement in writing. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(i))

Microsoft agreement reference: Yes. See page 9 of the OST, under which Microsoft is permitted to hire subcontractors.

Microsoft maintains a list of authorized subcontractors for the online services that have access to our data and provides us with a mechanism to obtain notice of any updates to that list (OST, page 10). The actual list is published on the applicable Trust Center. If we do not approve of a subcontractor that is added to the list, then we are entitled to terminate the affected online services.

19. Details on the provision of online communication facilities, security on data access and transmission to and from the data center, disaster recovery center and IT based transaction processing, backup, contingency, record protection including hardware, equipment, software and data files, to ensure the continuity of the IT services, and the security of any necessary source documents to and from the data center, disaster recovery center and IT based transaction processing. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(j), (k) and (l))

Microsoft agreement reference: As set out on page 13 of the OST, Microsoft maintains emergency and contingency plans for the facilities in which Microsoft information systems that process Customer Data are located. Business Continuity Management (“BCM”) forms part of the scope of the accreditation that Microsoft retains in relation to the online services, and Microsoft commits to maintain a data security policy that complies with these accreditations (see OST, page 13). BCM also forms part of the scope of Microsoft’s annual third party compliance audit.

Microsoft will implement and maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect our data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction (see OST, page 8 and pages 11-13 for more details).

Pages 9-11 of the OST contain general commitments around data location. Microsoft will ensure that Customer Data will always be stored and processed in accordance with the EU and Swiss Safe Harbour Frameworks as maintained by the US Government. Microsoft also commits that Customer Data transfers out of the EU will be governed by the EU Model Clauses set out at pages 29-33 of the OST. Also, as noted on page 11 of the OST: “Any subcontractors to whom Microsoft transfers Customer Data, even those used for storage purposes, will have entered into written agreements with Microsoft that are no less protective than the DPT”.


20. The parties should have adequate insurance cover.

Microsoft agreement reference: MBSA section 10 deals with insurance. In practice, Microsoft maintains self-insurance arrangements for many of the areas where third party insurance is typically obtained. Microsoft has taken the commercial decision to take this approach, and does not believe that this detrimentally impacts upon its customers given that Microsoft is an extremely substantial entity.

21. Willingness to be audited by the FSI’s internal audit function, OJK or external parties assigned by the FSI or OJK and the availability of information for the purposes of such assessment including rights of logical and physical access on data managed by the service provider. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(m))

Microsoft agreement reference: The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. This commitment is reiterated in the FSA.

The FSA details the examination and influence rights that are granted to the customer and OJK. The FSA sets out a process which can culminate in the regulator’s examination of Microsoft’s premises. The customer also has the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates the customer’s ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.

The customer may monitor the performance of the online services via the administrative dashboard, which includes information as to Microsoft’s compliance with its SLA commitments.

In addition, the customer can review the manner in which Microsoft provides the online services. As set out on page 13 of the OST, the customer is entitled to access the Microsoft Online Information Security Policy, which is the document where Microsoft sets out its information security management processes. Microsoft also commits to providing the customer with a summary of Microsoft’s annual audit report, which is performed by an independent third party and measures compliance against Microsoft’s certifications. Where required by the Regulator, Microsoft will also work with us to allow us to inspect or audit the services.

22. Requirement on the service provider to submit technical documents to the FSI in relation to the services provided, including on IT process flow and database structure. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(n))

Microsoft agreement reference: The customer can review the manner in which Microsoft provides the online services. As set out on page 13 of the OST, the customer is entitled to access the Microsoft Online Information Security Policy, which is the document where Microsoft sets out its information security management processes. Microsoft also commits to providing the customer with a summary of Microsoft’s annual audit report, which is performed by an independent third party and measures compliance against Microsoft’s certifications.

23. A requirement on the service provider to report on any critical occurrence that can cause financial losses and/or disturb the FSI’s operations. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(o))

Microsoft agreement reference: Microsoft will notify us if it becomes aware of any security incident, and will take reasonable steps to mitigate the effects and minimize the damage resulting from the security incident (see OST, page 9).

In addition, the customer also has the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates the customer’s ability to be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services.

24. In relation to the outsourcing of any data centers, disaster recovery or IT based processing, the service provider must submit their latest financial statements to the FSI and a report on the periodic assessment by an independent party on the IT facilities which are the object of this agreement. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(p))

Microsoft agreement reference: Microsoft Corporation is publicly listed in the United States and is amongst the world’s largest companies by market capitalization. Microsoft’s audited financial statements indicate that it has been profitable for each of the past three years. Its market capitalization is in the region of USD 280 billion. Accordingly, we have no concerns regarding its financial strength.

The OST specifies the audit mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate technology controls and standards. This commitment is reiterated in the FSA. Under the FSA, section 2c, Microsoft will provide to us copies of its audit reports so that we can verify Microsoft’s compliance with its obligations.

25. The responsibilities of the service provider in providing human resources with relevant qualifications and competence in accordance with the service provided. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(q))

Microsoft agreement reference: MBSA section 4(a)(i) deals with professional conduct. Microsoft warrants that its services will be performed with professional care and skill.

Note also that all Microsoft staff involved in the provision of the services are on-boarded and trained ready for their day-to-day responsibilities.

26. Plans for the training of staff including the number of staff to be trained and forms of training and required cost. Service providers must conduct a knowledge transfer to the FSI so that there are personnel in the FSI’s IT work units that understand the IT used in the FSI, especially IT process flow and database structure from the application system provided by the service providers. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(r))

Microsoft agreement reference: Clause 1f of the FSA gives the customer the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates the customer’s ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services. This program provides a knowledge transfer facility to the customer’s personnel.


27. Ownership and licence of IP and assets. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(s))

Microsoft agreement reference: Ownership of Customer Data remains at all times with the customer (see OST, page 7).

The software and hardware are owned by Microsoft but licensed for use by the customer as a service, as is standard in any cloud services solution.

28. A guarantee that service providers will provide support and maintenance services to FSIs during a certain period of time after implementation. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(t))

Microsoft agreement reference: The SLA contains Microsoft’s service level commitment, as well as the remedies for the customer in the event that Microsoft does not meet the commitment. The terms of the SLA current at the start of the applicable initial or renewal term of the Enrollment are fixed for the duration of that term.

29. Provisions relating to termination of the contract including where requested by the FSI. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(u))

Microsoft agreement reference: We have a number of termination rights in our contract with Microsoft. The contract allows the customer to terminate the arrangement with Microsoft for convenience (MBSA section 8), which means the customer has the right to terminate in the event of default including change of ownership, insolvency or where there is a breach of security or confidentiality or demonstrable deterioration in the ability of the Service Provider to perform the service as contracted. Online services may also be terminated or suspended in the circumstances described in section 6d of the EA, and as specified in the OST, pages 5, 11 and 30.

We also have control over the use we make of, and data we load into, the online service.

30. Terms to restrict cancellation or breach of the contract. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(v))

Microsoft agreement reference: Microsoft may only terminate the contract by giving 60 days’ notice, which restricts its right to cancel the contract (MBSA section 8). Section 11k of the MBSA states that the contract may be amended only by a formal written agreement signed by both parties.

MBSA section 6 deals with liability. In summary: the liability of both parties is limited at an annual cap of the fees payable for the online services. However, subject to the terms of the MBSA, the liability of the parties under Section 5 of the MBSA (Defense of infringement, misappropriation, and third party claims) is unlimited.

MBSA section 5 sets out Microsoft’s obligation to defend the regulated entity against third party infringement and breach of confidence claims. Subject to the terms of the MBSA, Microsoft’s liability under section 5 is unlimited.

31. Provisions relating to compliance with existing laws and regulations in Indonesia including dispute and conflict resolution provisions. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(w))

Microsoft agreement reference: MBSA section 11m states that Microsoft and the customer each commit to comply with all applicable privacy and data protection laws and regulations.

MBSA sections 11e and 11h deal with how a dispute under the contract is to be conducted. MBSA section 11e sets out the jurisdictions in which the parties should bring their actions. Microsoft must bring actions against the customer in the country where the customer’s contracting party is headquartered. The customer must bring actions: (a) in Ireland if the action is against a Microsoft affiliate in Europe; (b) in the State of Washington if the action is against a Microsoft affiliate outside of Europe; or (c) in the country where the Microsoft affiliate delivering the services has its headquarters if the action is to enforce a Statement of Services.

MBSA section 11h sets out the choice of law provision. Either the contract is governed by the laws of the State of Washington if the contract is with a Microsoft affiliate located outside of Europe, or the contract is governed by the laws of Ireland if the contract is with a European Microsoft affiliate.

32. Provisions regarding the possibility of changing, making new agreements or taking over activities of the service providers or termination of agreement before the end of the duration of the agreement. (Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.2)

Microsoft agreement reference: Section 11k of the MBSA states that the contract may be amended only by a formal written agreement signed by both parties.

We, at all times, retain control over the use we make of, and data we load into, the online service.

In addition, we have a number of termination rights in our contract with Microsoft. The contract allows the customer to terminate the arrangement with Microsoft for convenience (MBSA section 8), which means the customer has the right to terminate in the event of default including change of ownership, insolvency or where there is a breach of security or confidentiality or demonstrable deterioration in the ability of the Service Provider to perform the service as contracted.

Following termination Microsoft will (unless otherwise directed by the customer) delete the Customer Data after a 90 day retention period. From a technical perspective the wide availability and usage of Microsoft’s products means that Customer Data can generally be extracted in a format compatible with commonly available alternative products. This permits the FSI to readily bring the services back in-house or move them to another supplier.

33. FSIs should be able to measure the risks and efficiency of the IT service and promptly notify if there are certain conditions as the following: (i) declining performance of FSI’s activities conducted by the service provider; (ii) the inadequate level of solvency of the service provider in the process to liquidation or declared bankrupt by a court of law; (iii) breach of the regulation relating to FSI’s secrecy and customer’s personal information; and/or (iv) conditions which cause FSIs to be unable to provide necessary data in timely manner for an effective monitoring by OJK.

Microsoft agreement reference:

(i) The customer may monitor the performance of the online services via the administrative dashboard, which includes information as to Microsoft’s compliance with its SLA commitments. The OST specifies the monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. The monitoring tools provide real-time information to the FSI.

(ii) Microsoft Corporation is publicly listed in the United States and is amongst the world’s largest companies by market capitalization. We are able to monitor Microsoft’s audited financial statements (which currently indicate that it has been profitable for each of the past three years). Its market capitalization is in the region of USD 280 billion. Accordingly, we have no concerns regarding its financial strength.

(iii) Microsoft will notify the customer if it becomes aware of any security incident, and will take reasonable steps to mitigate the effects and minimize the damage resulting from the security incident (see OST, page 9). As set out on page 13 of the OST, Microsoft maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, to whom the breach was reported, and the procedure for recovering data.

(iv) We are entitled to provide information that Microsoft provides to us to our regulator. Microsoft also commits to work with us in good faith to resolve a request from our regulator. In addition, Clause 1f of the FSA gives the customer the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates the customer’s ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.


34. Requirements on FSIs after acknowledgement of the abovementioned conditions: (i) report to OJK within 3 working days at the latest; (ii) decide the ensuing actions to be taken to resolve problems, including the termination of the use of services if necessary; (iii) report to OJK immediately after the FSI halts the use of the service before the end of the time duration of the agreement.

Microsoft agreement reference: Our contract with Microsoft provides us with the relevant notification for the items listed above (please see our answer to the question above).

It is then our responsibility to satisfy these requirements in relation to our notification to the OJK. We note that Microsoft commits in the FSA to work with us in good faith to resolve any requests from our regulator. We also note that our contract allows us to terminate the arrangements with Microsoft for convenience (MBSA section 8), which means that we have the right to terminate if any of the events that we notify to OJK should require us to do so.

35. FSI’s adequate contingency plan to maintain the continuity of the business when halting the use of services before the end of contract.

Microsoft agreement reference: As set out on page 13 of the OST, Microsoft maintains emergency and contingency plans for the facilities in which Microsoft information systems that process Customer Data are located. Business Continuity Management (“BCM”) forms part of the scope of the accreditation that Microsoft retains in relation to the online services, and Microsoft commits to maintain a data security policy that complies with these accreditations (see OST, page 13). BCM also forms part of the scope of Microsoft’s annual third party compliance audit.

When halting the use of the services, the FSI is able to bring the services back in-house or move them to another supplier. In order to do this, all that is required from Microsoft is a copy of the data that is held by Microsoft. Following termination Microsoft will (unless otherwise directed by the customer) delete the Customer Data after a 90 day retention period. From a technical perspective the wide availability and usage of Microsoft’s products means that Customer Data can be extracted in a format that is readily reusable. This permits the FSI to readily bring the services back in-house or move them to another supplier.