The Missing CSP Certification: Navigating SBP's 'Reputable' Standard
@kawishwaqar | February 15, 2026
The Certification Assumption
Most financial institutions in Pakistan approach cloud adoption with a reasonable assumption: the State Bank of Pakistan maintains a certification process or approved vendor list for cloud service providers. After all, how can banks select CSPs without knowing which ones meet regulatory standards?
The reality is more nuanced and more instructive.
BPRD Circular No. 01 of 2023, which governs cloud outsourcing for Pakistan's financial sector, contains no CSP certification framework. Instead, Section E states that regulated entities "may outsource all types of workloads to reputable onshore CSPs." The circular leaves "reputable" to be established through the institution's own due diligence process, not through a pre-approved vendor list.
This creates a fundamental shift in responsibility. Rather than relying on SBP-certified providers, banks must develop their own frameworks for evaluating cloud service providers—frameworks that satisfy regulatory expectations without explicit certification criteria.
How do you evaluate a cloud provider when the regulator defines the destination but not the path?
What BPRD Circular No. 01 of 2023 Actually Says
A close reading of BPRD Circular No. 01 of 2023 reveals the regulatory framework's actual structure—and the source of industry confusion.
The "Reputable Onshore CSP" Standard
Section E of the circular establishes the fundamental requirement for cloud outsourcing:
> "REs may outsource all types of workloads to reputable onshore CSPs."
>
> — BPRD Circular No. 01 of 2023, Section E

Source: BPRD Circular 01/2023
This single sentence contains the entire CSP selection framework. The circular does not define "reputable." It does not specify certifications required. It does not establish evaluation criteria. Instead, it places the burden of determining reputability on the regulated entity itself.
Institutional Approval vs. CSP Certification
The circular distinguishes between two scenarios:
| Scenario | SBP Requirement | Who Gets Approved |
|---|---|---|
| Onshore CSPs | "Reputable" standard | Banks evaluate; no SBP pre-approval |
| Offshore CSPs | "Subject to SBP approval" | Banks submit requests; SBP approves case-by-case |
Critical distinction: When banks seek to use offshore CSPs for material workloads, SBP approves the institution's outsourcing arrangement, not the CSP itself. There is no path for a CSP to obtain pre-certification from SBP.
What the Circular Actually Requires
The circular mandates that regulated entities conduct due diligence assessing:
- Financial stability of the CSP
- Technical capabilities and infrastructure
- Security controls and certifications
- Data sovereignty compliance
- Audit rights and access
- Documented exit strategies
However, the circular provides no specific criteria for evaluating these factors. ISO 27001, SOC 2 Type II, and other international certifications are not explicitly required or recognized. Each institution must determine what evidence sufficiently demonstrates "reputability."
The Interpretive Challenge
This framework creates interpretive space that institutions must navigate carefully. Questions without clear answers include:
- What security certifications demonstrate "reputable" status?
- How recent must financial statements be?
- What constitutes adequate audit rights?
- How should institutions evaluate CSPs without established track records?
The circular's approach trusts institutions to exercise judgment—but provides limited guidance for developing that judgment consistently across the sector.
The Two-Regulator Context: SBP vs. MoIT
A separate development adds important context to the CSP landscape in Pakistan. In 2024, the Ministry of Information Technology and Telecommunication (MoIT) established a Cloud Office and formulated accreditation criteria for cloud service providers under the Pakistan Cloud First Policy.
This creates an interesting contrast:
| Framework | Regulator | Approach | Status |
|---|---|---|---|
| SBP Cloud Guidelines | State Bank of Pakistan | "Reputable" standard; institutional due diligence | Active for financial sector |
| MoIT CSP Accreditation | Ministry of IT | Formal accreditation criteria with tiers | Established 2024 for government use |
Important distinction: MoIT's accreditation framework applies to government cloud procurement, not financial sector outsourcing. The two frameworks operate independently. A CSP accredited by MoIT is not automatically "reputable" under SBP guidelines, nor does SBP recognize MoIT accreditation as meeting its requirements.
This two-regulator landscape reflects different regulatory philosophies. MoIT has chosen to establish explicit CSP standards for government use, while SBP has opted for an institutional-due-diligence approach that places evaluation responsibility on regulated entities.
International Benchmarks: How Other Regulators Handle CSP Selection
Examining international approaches provides valuable context for understanding SBP's framework—and reveals that SBP is not alone in avoiding CSP certification.
Switzerland's Approach: Clear Criteria, No Pre-Approval
The Swiss Bankers Association (SBA) Cloud Guidelines establish detailed criteria for evaluating CSPs without maintaining an approved vendor list. The framework uses a three-tier model based on data sensitivity:
- Tier 1 (Basic): ISO 27001, financial stability, contractual compliance
- Tier 2 (Enhanced): Adds SOC 2 Type II, Tier III+ data centers, encryption standards
- Tier 3 (Financial Sector): Adds proven track record, infrastructure audit capability, dedicated support
The Swiss model demonstrates that regulators can provide specificity without creating certification bureaucracy. Banks use published criteria to conduct their own due diligence.
Singapore's Approach: Institutional Responsibility
The Monetary Authority of Singapore (MAS) Technology Risk Management Guidelines require financial institutions to conduct comprehensive due diligence on cloud providers. MAS does not maintain a certified CSP list. Instead, it specifies assessment areas:
- Security and resilience capabilities
- Data protection measures
- Ongoing monitoring requirements
- Multi-cloud governance
The Singapore approach emphasizes that cloud adoption responsibility remains with the institution, not the regulator.
European Union: Proportionality and Registers
The European Banking Authority (EBA) Guidelines on Outsourcing require institutions to:
- Assess CSP capabilities before engagement
- Maintain outsourcing registers
- Apply proportionality based on service criticality
- Monitor sub-outsourcing arrangements
Like SBP, EBA does not certify CSPs. Unlike SBP, EBA provides more specific guidance on assessment criteria and proportionality frameworks.
Key Insight
None of these jurisdictions maintain CSP certification programs. All place evaluation responsibility on financial institutions. SBP's approach is consistent with international practice—though it provides less specific guidance than peers.
A Proposed Framework: What SBP Certification Could Look Like
While SBP has not established CSP certification, examining what such a framework could entail helps institutions understand what "reputable" might mean in practice. The following is a proposal for discussion—not an existing framework.
Tier 1: Basic Reputability
This tier represents foundational requirements that any CSP serving the financial sector should meet:
- Current ISO 27001 certification
- Audited financial statements (last 2 years)
- Data protection policies aligned with Pakistan's regulatory environment
- Documented security controls
- Contractual acknowledgment of audit rights
- Defined incident notification procedures
- Exit strategy documentation
Use case: Non-critical workloads, development environments, non-sensitive data processing.
Tier 2: Enhanced Assurance
This tier adds requirements for material workloads and sensitive data:
- All Tier 1 requirements
- SOC 2 Type II report (within 12 months)
- ISO 27017 (cloud security) and ISO 27018 (cloud privacy) certifications
- Tier III+ data center certification
- AES-256 encryption at rest; TLS 1.2+ in transit
- Tested incident response and disaster recovery plans
- Multi-tenancy isolation documentation
Use case: Material workloads, customer data processing, operational systems.
Tier 3: Financial Sector Excellence
This tier addresses the highest-sensitivity use cases:
- All Tier 1 and Tier 2 requirements
- Documented references from regulated financial institutions
- Infrastructure-level audit capabilities
- Dedicated financial sector support team
- Extended data retention (7+ years)
- Real-time security monitoring and compliance tools
- Regulatory reporting capabilities
- Enhanced SLAs with financial penalties
Use case: Core banking systems, critical financial infrastructure, highly sensitive data.
How to Use This Framework
Institutions can adapt this proposed framework to develop their own evaluation criteria:
- Map workloads to appropriate tiers based on data sensitivity and criticality
- Evaluate CSPs against tier-specific requirements
- Document decisions and rationale for regulatory examination
- Review annually as workloads and provider capabilities evolve
This framework draws on international precedents (Switzerland's SBA, Singapore's MAS) adapted to Pakistan's regulatory context.
Practical Due Diligence: A Checklist for Banks
In the absence of explicit SBP certification criteria, banks need practical frameworks for evaluating CSPs. The following checklist provides actionable guidance derived from BPRD Circular requirements and international best practices.
Security and Compliance
- [ ] ISO 27001 certification current and valid
- [ ] SOC 2 Type II report available (within 12 months for material workloads)
- [ ] Data center Tier certification (III or higher for critical workloads)
- [ ] Encryption standards documented (AES-256 at rest, TLS 1.2+ in transit)
- [ ] Incident response procedures tested and documented
- [ ] Disaster recovery and business continuity plans tested
- [ ] Penetration testing conducted within last 12 months
- [ ] Vulnerability management program documented
Financial Stability
- [ ] Audited financial statements (last 2 years)
- [ ] Evidence of operational continuity (3+ years in business preferred)
- [ ] Insurance coverage appropriate to service scope
- [ ] No material financial distress indicators
- [ ] Clear ownership structure and corporate governance
Data Residency and Sovereignty
- [ ] Data center locations documented
- [ ] Data processing stays within Pakistan for material workloads (per SBP)
- [ ] Sub-processor locations disclosed
- [ ] Data transfer mechanisms documented for any cross-border processing
- [ ] Compliance with Pakistan's data protection requirements
Audit and Oversight
- [ ] Contractual audit rights acknowledged
- [ ] Third-party audit reports available (SOC 2, ISO)
- [ ] Infrastructure audit capabilities for Tier 3 workloads
- [ ] Regular compliance reporting available
- [ ] Security incident notification procedures defined
Exit and Portability
- [ ] Data export capabilities documented
- [ ] Standard data formats supported
- [ ] Transition support commitments in contract
- [ ] Data deletion procedures documented
- [ ] No proprietary lock-in that prevents migration
Red Flags: When to Seek Additional Assurance
🚩 High concern indicators:
- CSP refuses to provide audit reports
- No documented security certifications
- Unclear data residency practices
- Financial instability or recent ownership changes
- No exit strategy or data portability provisions
- Resistance to contractual audit rights
🟡 Medium concern indicators:
- Limited track record with financial institutions
- Certifications nearing expiration
- Single data center (no redundancy)
- Outsourced critical functions to undisclosed sub-processors
Documentation Best Practices
When evaluating CSPs, document:
- Evaluation criteria used and why
- Evidence reviewed (certifications, reports, contracts)
- Decision rationale for selection or rejection
- Risk assessment and mitigation measures
- Review date and trigger events for re-evaluation
This documentation supports regulatory examination and demonstrates good faith compliance efforts.
Navigating the Ambiguity: Practical Guidance
The absence of explicit CSP certification criteria requires banks to develop robust internal frameworks. Here are practical approaches that align with SBP's expectations.
Develop Internal Evaluation Standards
Rather than waiting for SBP certification, institutions should:
- Establish evaluation committees with representation from IT, compliance, legal, and risk
- Define workload tiers based on data sensitivity and criticality
- Create tier-specific requirements drawing on international standards
- Document evaluation procedures for regulatory examination
Engage Proactively with SBP
For significant cloud initiatives:
- Request pre-engagement discussions with BPRD before major outsourcing decisions
- Submit comprehensive risk assessments with CSP evaluation documentation
- Document SBP feedback and incorporate into evaluation frameworks
- Participate in industry forums to share best practices
Leverage International Standards
While SBP doesn't require specific certifications, international standards provide useful benchmarks:
- ISO 27001: Information security management baseline
- SOC 2 Type II: Service organization controls over time
- ISO 27017: Cloud-specific security controls
- ISO 27018: Cloud privacy protection
- PCI DSS: If processing payment card data
These certifications demonstrate CSP capability even if not explicitly required by SBP.
Monitor Regulatory Developments
The regulatory landscape evolves. Institutions should:
- Monitor SBP circulars for updates to cloud outsourcing guidelines
- Track MoIT Cloud Office developments (even though separate from SBP)
- Follow international trends in financial sector cloud regulation
- Participate in industry associations advocating for clearer guidance
Risk Assessment Framework: When Is "Reputable" Enough?
Banks must make judgment calls about CSP selection. This framework provides guidance for those decisions.
Risk Factors to Consider
| Factor | Lower Risk | Higher Risk |
|---|---|---|
| Data sensitivity | Public marketing data | Core banking transaction data |
| System criticality | Internal tools | Customer-facing payment systems |
| CSP track record | 5+ years with financial institutions | New entrant, no FI references |
| Certifications | ISO 27001 + SOC 2 | No third-party certifications |
| Data residency | Clear Pakistan-only processing | Unclear sub-processor locations |
| Financial stability | Profitable, established | Startup, limited financial history |
Decision Framework
Green (Proceed with Standard Due Diligence):
- All lower risk factors
- CSP meets Tier 1 or Tier 2 proposed criteria
- Clear documentation available
Yellow (Enhanced Due Diligence Required):
- Mixed risk factors
- Missing some certifications but strong in other areas
- Limited track record but solid technical capabilities
Red (Seek Alternatives or Expert Consultation):
- Multiple higher risk factors
- Missing critical certifications for workload sensitivity
- CSP unwilling to provide documentation
- Novel or unproven technology for financial use cases
When to Engage External Experts
Consider engaging specialized cloud risk consultants or legal advisors when:
- Selecting CSPs for Tier 3 (critical) workloads
- First-time cloud outsourcing for the institution
- Complex multi-cloud or hybrid architectures
- Regulatory examination preparation
- Contract negotiations with major CSPs
Conclusion: Moving Forward with Clarity
The absence of SBP CSP certification does not mean the absence of standards. BPRD Circular No. 01 of 2023 places evaluation responsibility on regulated entities, trusting them to develop appropriate due diligence frameworks.
This approach has advantages:
- Flexibility to adapt to evolving cloud technologies
- Proportionality to match requirements to workload sensitivity
- Innovation enablement without certification bottlenecks
It also has challenges:
- Interpretive burden on institutions
- Inconsistent approaches across the sector
- Uncertainty about regulatory expectations
Practical path forward:
- Accept the framework as it exists—not as you wish it were
- Develop robust internal evaluation criteria using international benchmarks
- Document everything for regulatory examination
- Engage proactively with SBP for significant initiatives
- Monitor developments and adapt as guidance evolves
The financial institutions that navigate this ambiguity successfully will be those that treat CSP evaluation as a core competency—not a compliance checkbox. The proposed frameworks and checklists in this article provide starting points; institutions should adapt them to their specific risk profiles and regulatory contexts.
Disclaimer: This article provides analytical content for informational purposes. It does not constitute legal, compliance, or professional advice. Institutions should consult qualified advisors for specific guidance on cloud outsourcing decisions.
Current as of: February 2026
Sources:
- BPRD Circular No. 01 of 2023 - Framework on Outsourcing to Cloud Service Providers
- MoIT Cloud Office - Accreditation Criteria for CSPs
- Swiss Bankers Association Cloud Guidelines 2025
- MAS Technology Risk Management Guidelines 2021
- EBA Guidelines on Outsourcing Arrangements