Research Brief · Solutions Architecture · APAC

APAC FinTech Architecture — 10 Jurisdictions, 12 Constraints Each

A working reference for architects who must turn regulator circulars into deployment decisions. For each of 10 APAC jurisdictions: data residency, workload isolation, cross-border transfer rules, and the binding instrument behind each — plus five architectural implications you can apply this week.

Prepared: (not stated) · Last reviewed: (not stated) · Scope: Banking, Payments, Securities · Jurisdictions: 10 · Dimensions: 12 per country · Intended audience: Solutions & Security Architects

Reference only. This brief distils binding instruments into architectural implications. Regulation evolves quickly — verify any rule with qualified counsel before design commitment.

Method & Framing

Each jurisdiction is assessed against twelve architectural dimensions, from regulator identity through data residency, workload-isolation mandates, cryptographic standards, and the specific legislative instruments that bind technology design. Citations reference the circular, notification, or master direction that materially constrains architecture — not the headline statute alone.

Distinctions are drawn between binding rules (statute / circular), supervisory expectation (letter, guidance, or examination practice), and industry practice (de facto standards). Areas of active regulatory flux are marked Flux.

Each country section closes with an Architectural Implications callout — five design constraints a practitioner would apply today. The document ends with a comparative matrix across the four localization / isolation dimensions that most materially determine deployment topology.

Regional Overview

At a Glance — Localization & Isolation Heat Map

A color-coded view of binding severity (Strict / Moderate / Light / None) across the four dimensions that most directly shape deployment topology, with the anchor instrument behind each cell. [Interactive heat map, Severity by Jurisdiction, 10 × 4; not reproduced in this text.]

Legislative Timeline — Milestones Shaping Today's Architecture, 2008 → 2026 [interactive timeline; not reproduced in this text]

Country 01 / 10

Indonesia

ID · IDR · UTC+7

01 · Regulatory Bodies

  • Otoritas Jasa Keuangan (OJK) — prudential & conduct regulator for banking, insurance, capital markets. ojk.go.id
  • Bank Indonesia (BI) — monetary authority and payment-system regulator. bi.go.id
  • Kominfo / Kemenkominfo — electronic systems & data-protection oversight. kominfo.go.id
  • BSSN — National Cyber & Crypto Agency. Technology risk is supervised jointly by OJK (TRM) and BSSN (cyber).

02 · Data Localization

  • BI Regulation 19/14/PBI/2017 — payment transaction data must be processed and stored within Indonesia. A hard onshore mandate for payment-system operators.
  • GR 71/2019 (Electronic System & Transaction) relaxed the general mandate by distinguishing public-scope (government) from private-scope ESOs; financial services retain tighter sectoral rules.
  • OJK POJK 11/POJK.03/2022 allows offshore data processing with OJK notification/approval, subject to supervisory access.
  • Customer / transaction data for banks may be mirrored offshore with onshore primary copy and regulator access.

03 · System & Process Localization

  • Domestic payment routing via GPN (Gerbang Pembayaran Nasional) — switching, clearing & settlement for domestic card/QRIS transactions must occur onshore.
  • Core payment authorization and fraud screening on domestic rails must execute onshore.
  • Disaster-recovery site preference: onshore secondary; regional DR permitted for non-payment workloads with OJK consent.
  • Admin / DevOps may be performed cross-border subject to access controls and parent-level agreements approved by OJK.

04 · Legal Entity Segregation

  • Foreign banks typically operate through a locally-incorporated subsidiary (PT) or a licensed branch (KCBA); fintech / payment institutions must be Indonesian legal entities under BI licensing.
  • Intra-group outsourcing permitted under OJK POJK 9/POJK.03/2016 on outsourcing, with documented oversight and local board accountability.
  • Local director accountability for IT risk is supervisory practice; signatory designation required for material systems.

05 · Workload Isolation & Placement

  • Multi-tenant public cloud generally permitted; logical tenancy isolation acceptable for customer PII when supported by controls.
  • Payment system switching & key management for domestic rails expected in dedicated / single-tenant environments with onshore HSM.
  • Production / non-production segregation and privileged-access controls explicit in OJK TRM expectations.

06 · Cross-Border Data Flow

  • PDP Law 27/2022 — an outbound transfer requires one of: adequate protection in the destination country, binding contractual safeguards, or data-subject consent.
  • Payment transaction data cross-border transfer restricted by BI rules; OJK data requires prior notification and ongoing supervisory access.
  • Sector carve-outs: insurance (OJK) and capital markets (OJK-PM) largely aligned with banking TRM.

07 · Cybersecurity Standards

  • OJK POJK 11/POJK.03/2022 on IT risk management for commercial banks — aligned with ISO 27001 and NIST CSF principles.
  • Incident reporting: material cyber incidents to OJK typically within 24 hours; significant payment-system disruptions to BI within 1 hour.
  • Penetration testing annually; vulnerability scans quarterly; red-teaming for systemically important banks (SIB) is a supervisory expectation.

08 · API & Open Banking

  • SNAP (Standar Nasional Open API Pembayaran) — BI 2021 standard; mandatory for payment-service providers with phased onboarding.
  • OAuth 2.0 / RESTful JSON with signed payloads; TLS-mutual authentication for participant-to-participant calls.
  • Open-banking data-sharing beyond payments remains voluntary / industry-led.

09 · Cloud & Infrastructure

  • Public cloud permitted; material cloud outsourcing requires OJK notification under POJK 11/2022 and exit-plan / data-portability documentation.
  • BI requires onshore processing for payment-system operators; CSPs must hold domestic data-center presence for those workloads.
  • Concentration risk addressed by requiring demonstrable alternative provider plans.

10 · Licensing & Compliance Tech

  • AML/CFT obligations per Law 8/2010 and PPATK reporting; transaction monitoring with automated STR/CTR generation.
  • e-KYC via OJK POJK 12/POJK.03/2018 (digital banking) using Dukcapil population database and biometric liveness.
  • National digital ID: IKD (Identitas Kependudukan Digital) — growing integration with financial onboarding.

11 · Encryption & Authentication

  • TLS 1.2 minimum; TLS 1.3 preferred. BI payment rails prescribe specific cipher suites and key-rotation intervals.
  • Customer MFA mandatory for internet & mobile banking transaction-level actions.
  • No mandated national cryptographic algorithm; SNI / international standards accepted. Onshore HSM required for payment-switching keys.

12 · Key Legislation

  • UU ITE (Electronic Information & Transactions) — Law 11/2008, amended by Law 19/2016 and Law 1/2024
  • Government Regulation 71/2019 — Electronic Systems & Transactions [Binding]
  • Personal Data Protection Law 27/2022 (PDP Law) [Implementation phase-in]
  • OJK POJK 11/POJK.03/2022 — IT risk management for commercial banks
  • BI PBI 23/6/PBI/2021 — Payment Service Providers; PBI 19/14/PBI/2017 — Payment Transaction Data

Architectural Implications

  1. Deploy payment-system workloads into an onshore Indonesian region with dedicated VPC/VNet and onshore HSM; maintain primary & DR inside Indonesia.
  2. For non-payment workloads (CRM, analytics, collaboration), cross-border processing is allowable with OJK notification — design a clean data-classification boundary so only non-sensitive / non-payment data exits.
  3. Integrate SNAP-compliant API gateway with mTLS and signed JWS payloads for participant-facing endpoints; keep key-material onshore.
  4. Implement GPN/QRIS routing gateway inside Indonesia; foreign switching not permitted for domestic transactions.
  5. Instrument 24-hour incident-notification pipeline to OJK and 1-hour payment-disruption channel to BI — both must survive CSP outage.

Country 02 / 10

India

IN · INR · UTC+5:30

01 · Regulatory Bodies

  • Reserve Bank of India (RBI) — banks, payment systems, NBFCs. rbi.org.in
  • SEBI — securities & capital markets. sebi.gov.in
  • IRDAI — insurance. irdai.gov.in
  • CERT-In — national CERT, incident directives & log retention. MeitY — IT ministry (DPDP Act).
  • NPCI — retail payment rails operator (UPI, IMPS, RuPay).

02 · Data Localization

  • RBI Circular DPSS.CO.OD.No. 2785/06.08.005/2017-18 (6 Apr 2018) — payment system data must be stored only in India. Full strict localization for all PSOs, including foreign schemes.
  • KYC documents: onshore retention primary; mirroring offshore permitted subject to access and deletion guarantees.
  • DPDP Act 2023 introduces a government-notified negative list for cross-border transfer of personal data (draft rules Jan 2025).

03 · System & Process Localization

  • Payment authorization, clearing, settlement for domestic card/UPI/IMPS transactions must execute in India.
  • NPCI requires on-soil hosting and direct network connectivity into its data centres (Mumbai / Hyderabad / Chennai).
  • DR site must be within India, in a different seismic zone from primary (RBI guidance).
  • Administrative access from overseas must be governed, logged, and subject to CERT-In log-retention rules.

04 · Legal Entity Segregation

  • Foreign banks operate as branches (with RBI-imposed capital and governance conditions) or wholly-owned subsidiaries (WOS).
  • Payment Aggregators / Payment Gateways must be Indian-incorporated and licensed by RBI (Master Direction on PA-PG, 2020 updated 2024).
  • Local CIO, CISO, and board-level IT strategy committee mandated by RBI Cybersecurity Framework.
  • Group platforms allowed subject to RBI outsourcing direction and effective local control.

05 · Workload Isolation & Placement

  • RBI Master Direction on IT Governance, Risk, Controls & Assurance Practices, 2023 — requires segregation of production / non-production, privileged-access management, and workload classification.
  • Multi-tenant cloud permitted but dedicated environments expected for core banking solution (CBS) and HSM operations.
  • Zero-trust not explicit but strongly aligned with RBI Master Direction on Digital Payment Security Controls.

06 · Cross-Border Data Flow

  • DPDP Act 2023 — transfer permitted to any jurisdiction not on a negative list (to be notified). [Rules pending]
  • RBI payment-data localization overrides DPDP flexibilities for payment data.
  • Sectoral: SEBI Cloud Services Framework (Mar 2023) and IRDAI outsourcing regulations each require data accessibility and audit rights.

07 · Cybersecurity Standards

  • RBI Cyber Security Framework in Banks (2016) + Master Direction on Digital Payment Security Controls (2021).
  • CERT-In Directions (28 Apr 2022) — incident reporting within 6 hours, ICT log retention for 180 days onshore, mandatory NTP synchronization to NPL/NIC.
  • SEBI CSCRF (Aug 2024) — Cybersecurity & Cyber Resilience Framework for regulated entities.
  • Annual red-teaming for SCB/PSB; VAPT twice-yearly; ISO 27001 widely adopted; PCI-DSS for card issuers.

08 · API & Open Banking

  • Account Aggregator (AA) Framework — RBI-regulated NBFC-AA model for consent-driven data sharing (ReBIT specs).
  • UPI — NPCI-operated universal retail-payment API (ISO 20022-aligned). UPI 2.0/AutoPay extensions.
  • ONDC (open commerce) uses Beckn protocol — non-banking but influences payment orchestration design.
  • API security: OAuth 2.0, signed JWS, mTLS to NPCI; FAPI-like profiles being adopted.

09 · Cloud & Infrastructure

  • RBI draft Framework for Adoption of Cloud Services (2024) — establishes a common empanelment, exit, and concentration-risk regime. [Emerging]
  • SEBI Cloud Framework prescribes CSP selection, data handling, and audit rights.
  • MeitY empanelment of CSPs historically for government workloads; banks select STQC/empanelled providers for sensitive workloads.

10 · Licensing & Compliance Tech

  • PMLA obligations; FIU-IND reporting for STR/CTR.
  • Aadhaar e-KYC and Video KYC (RBI KYC Master Direction, amended) permitted for low-to-medium risk onboarding.
  • DigiLocker, CKYCR (Central KYC Registry) used for federated identity/KYC reuse.
  • Transaction-monitoring systems mandatory for all scheduled commercial banks.

11 · Encryption & Authentication

  • TLS 1.2 minimum; TLS 1.3 encouraged; approved cipher suites per RBI Master Direction on Digital Payment Security Controls.
  • Two-factor authentication mandatory for domestic card-not-present transactions (historical hallmark of RBI policy).
  • India maintains its own controlled-cryptography environment; approved vendors via CCA (Controller of Certifying Authorities) for digital signatures.
  • HSMs typically FIPS 140-2 L3; keys held onshore for payment-system functions.

12 · Key Legislation

  • Information Technology Act, 2000 (with SPDI Rules 2011)
  • Digital Personal Data Protection Act, 2023 (DPDP) [Rules notified Jan 2025]
  • RBI Master Direction on Digital Payment Security Controls, 2021
  • RBI Master Direction on IT Governance, 2023; CERT-In Directions, 2022

Architectural Implications

  1. All payment-system data — at rest, in processing, in backup — resides in India; deploy CBS, payment switch, and HSM in an Indian region with in-country DR.
  2. Design a strict data-classification and tokenisation layer so that overseas analytics or group platforms see only non-PSD, de-identified records.
  3. Stand up a CERT-In-aligned logging platform with 180-day onshore retention and NTP sync to NPL/NIC; hook into a 6-hour incident reporting workflow.
  4. Implement Account Aggregator consent-flow integration and RBI-compliant video-KYC; treat CKYCR as the canonical KYC identity store.
  5. Treat cross-border data movement as a policy-controlled egress — assume it will be restricted for a notified subset under DPDP rules.
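The data-classification boundary that Indonesia's implication 2 and India's implications 2 and 5 call for can be enforced as a policy-controlled egress check. The following is an added example, not code from this brief or from any regulator: it strips payment data where the origin jurisdiction mandates onshore payment data, pseudonymises personal identifiers with an onshore-held key, requires a regulator-notification reference before PII leaves Indonesia, blocks destinations on a notified negative list, and fails closed on unclassified fields. The field taxonomy, sample records, the `"XX"` negative-list entry and the notification reference are constructed placeholders.

```python
"""Policy-controlled egress guard for cross-border data movement (added example)."""
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"                    # record may leave unchanged
    ALLOW_FILTERED = "allow-filtered"  # record leaves with fields stripped or pseudonymised
    DENY = "deny"                      # nothing may leave


# Constructed classification of record fields; a real deployment would read this
# from a data catalogue rather than a hard-coded dict.
PAYMENT, PII, NON_SENSITIVE = "payment", "pii", "non-sensitive"
FIELD_CLASS = {
    "txn_id": PAYMENT, "pan_token": PAYMENT, "amount": PAYMENT, "merchant_id": PAYMENT,
    "customer_id": PII, "mobile": PII, "national_id": PII,
    "product_code": NON_SENSITIVE, "channel": NON_SENSITIVE, "event_ts": NON_SENSITIVE,
}


@dataclass(frozen=True)
class JurisdictionRule:
    payment_data_onshore: bool          # hard onshore mandate for payment data
    pii_exit_needs_notification: bool   # regulator notification must be on file before PII exits
    blocked_destinations: frozenset = field(default_factory=frozenset)  # notified negative list


# Simplified encoding of the brief's statements for ID (BI/OJK) and IN (RBI/DPDP);
# verify with counsel before relying on it. "XX" is a placeholder negative-list entry.
RULES = {
    "ID": JurisdictionRule(payment_data_onshore=True, pii_exit_needs_notification=True),
    "IN": JurisdictionRule(payment_data_onshore=True, pii_exit_needs_notification=False,
                           blocked_destinations=frozenset({"XX"})),
}


def pseudonymise(key: bytes, field_name: str, value) -> str:
    """Deterministic keyed pseudonym; the key stays in the onshore estate (HSM-wrapped)."""
    msg = f"{field_name}:{value}".encode()
    return "psn_" + hmac.new(key, msg, "sha256").hexdigest()[:16]


def egress(record: dict, origin: str, destination: str, key: bytes,
           notification_ref: Optional[str] = None):
    """Decide whether `record` may move from `origin` to `destination`.

    Returns (Decision, outbound_record). Fails closed on unknown origins,
    unclassified fields, blocked destinations, or records with nothing exportable.
    """
    if origin == destination:
        return Decision.ALLOW, dict(record)            # domestic movement: out of scope
    rule = RULES.get(origin)
    if rule is None or destination in rule.blocked_destinations:
        return Decision.DENY, {}
    outbound, filtered = {}, False
    for name, value in record.items():
        cls = FIELD_CLASS.get(name)
        if cls is None:                                  # unclassified data never exits
            return Decision.DENY, {}
        if cls == PAYMENT and rule.payment_data_onshore:
            filtered = True                              # strip: payment data stays onshore
            continue
        if cls == PII:
            if rule.pii_exit_needs_notification and not notification_ref:
                return Decision.DENY, {}                 # no OJK notification on file
            outbound[name] = pseudonymise(key, name, value)
            filtered = True
            continue
        outbound[name] = value                           # non-sensitive passes through
    if not outbound:
        return Decision.DENY, {}                         # nothing left worth sending
    return (Decision.ALLOW_FILTERED if filtered else Decision.ALLOW), outbound


if __name__ == "__main__":
    sample = {"txn_id": "T-001", "amount": 150000, "customer_id": "CUST-9",
              "product_code": "SAV", "channel": "mobile"}          # constructed record
    k = b"onshore-key-placeholder"
    print(egress(sample, "IN", "SG", k))
    print(egress(sample, "ID", "SG", k))
    print(egress(sample, "ID", "SG", k, notification_ref="OJK-NOTIF-PLACEHOLDER"))
```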

Country 03 / 10

Taiwan

TW · TWD · UTC+8

01 · Regulatory Bodies

  • Financial Supervisory Commission (FSC) — integrated financial regulator. fsc.gov.tw
  • Central Bank of the Republic of China (CBC) — monetary authority, payment-system oversight.
  • National Communications Commission (NCC), Ministry of Digital Affairs (MODA) — ICT & cyber.
  • PIPC — Personal Information Protection Commission (established 2024, phased operationalization). [Flux]

02 · Data Localization

  • No general data-localization statute. Supervisory expectation: core banking and customer master data maintained onshore with regulator-access guarantees.
  • FSC may restrict cross-border transfer of specific datasets by sectoral notification under PDPA Art. 21.
  • Credit information (JCIC) & NCC Taiwan rails are strictly onshore.

03 · System & Process Localization

  • Core banking platform and accounting ledger must reside onshore with onshore DR (FSC practice).
  • Domestic payment clearing via Financial Information Service Co. (FISC) and TWD large-value RTGS (CBC) — on-soil only.
  • Offshore processing of non-core functions permitted following FSC Regulations Governing Outsourcing by Financial Institutions pre-approval.

04 · Legal Entity Segregation

  • Foreign banks operate as branches or subsidiaries; subsidiary structure required for certain regulated activities (securities, insurance).
  • Group-platform sharing allowed with pre-approved outsourcing under FSC rules; local board-level IT governance required.

05 · Workload Isolation & Placement

  • Multi-tenant public cloud allowed for non-core workloads; critical workloads (core banking, AML, card issuance) expected on dedicated / logically isolated environments.
  • Production/non-production segregation expected; privileged-access management audited in annual FSC examinations.
  • Taiwan CSP market dominated by domestic operators (Chunghwa Telecom, CHT HiNet) alongside hyperscale regions.

06 · Cross-Border Data Flow

  • PDPA Article 21 allows FSC / sector regulator to restrict cross-border transfer. Individual consent + purpose limitation otherwise.
  • Cross-strait (China) data transfer subject to additional national-security considerations.

07 · Cybersecurity Standards

  • FSC Regulations Governing Standards for Information System & Security Management of Electronic Banking — prescribes controls, logging, and incident reporting.
  • FSC Cybersecurity Action Plan 4.0 — red-team / threat-intel driven exercises for designated financial institutions.
  • ISO 27001 widely adopted; PCI-DSS for card issuers.
  • Material-incident reporting within prescribed hours (typically 2 hours for material service disruption).

08 · API & Open Banking

  • FSC Open Banking — voluntary 3-phase framework operated by Financial Information Service Co.: (1) public information, (2) customer information with consent, (3) transaction information.
  • FAPI-aligned security; mTLS between TPP and ASPSP; OAuth 2.0 with consent grants.

09 · Cloud & Infrastructure

  • FSC approval required for material cloud outsourcing (Regulations Governing Outsourcing, amended Jul 2019; further clarifications 2022).
  • Bank must retain the right of on-site audit at CSP, or access to SOC 2 / ISAE 3402 reports plus local attestations.
  • Exit plans and reversibility must be demonstrably documented.

10 · Licensing & Compliance Tech

  • AML/CFT under Money Laundering Control Act; MJIB (Investigation Bureau) as FIU.
  • eKYC via National Credit Card Center, TWID, and JCIC integration; FIDO-based liveness permitted.
  • Taiwan Digital ID (TWID) Federation — financial-sector integration for onboarding.

11 · Encryption & Authentication

  • TLS 1.2 minimum; TLS 1.3 encouraged; RSA-2048 / ECDSA-P256 for signatures.
  • MFA mandatory for customer-facing transactional banking and privileged access.
  • PKI: GCA / TWCA national CAs; digital signatures under Electronic Signatures Act (amended 2024).
  • HSMs — FIPS 140-2 L3 common; onshore preferred.

12 · Key Legislation

  • Banking Act Art. 45-1 (outsourcing), PDPA (1995, amended 2023)
  • Cyber Security Management Act, 2018
  • FSC Regulations Governing Outsourcing by Financial Institutions (most recent amendments 2022)
  • Electronic Signatures Act (amended 2024)

Architectural Implications

  1. Keep core banking, ledger, and customer master onshore with Taiwan-based DR; retain auditable FSC access rights for any CSP-hosted component.
  2. Obtain FSC pre-approval for material cloud outsourcing; deliver reversibility and exit design at point of approval, not after.
  3. Integrate with FISC rails and JCIC directly from onshore private connectivity; avoid cross-region routing of domestic settlements.
  4. Implement FAPI-grade Open Banking façade; align with FISC Open-Banking phase applicable to the institution's licence.
  5. Plan for continued PIPC maturation: design consent-capture, purpose-limitation tagging, and cross-border restriction hooks now, rather than retrofitting.

Country 04 / 10

Japan

JP · JPY · UTC+9

01 · Regulatory Bodies

  • Financial Services Agency (FSA) — integrated regulator. fsa.go.jp
  • Bank of Japan (BOJ) — monetary authority, BOJ-NET operator.
  • Personal Information Protection Commission (PPC) — APPI enforcement.
  • FISC — industry body publishing the de facto security guidelines for financial institutions.

02 · Data Localization

  • No statutory data-localization mandate.
  • Supervisory expectation: customer data should be accessible to FSA on request; where data is abroad, contractual audit-rights are required.
  • Resolution-planning & records-retention obligations often drive de facto onshore copies.

03 · System & Process Localization

  • BOJ-NET, Zengin System (domestic RTGS / ACH) require on-soil connectivity and operation by Japanese-licensed operators.
  • Customer-onboarding, core ledger, and AML transaction-monitoring usually sit on-soil by convention and operational continuity preference.
  • DR site typically a second domestic region in a different seismic zone (FISC guidance).

04 · Legal Entity Segregation

  • Foreign banks commonly branch; subsidiaries required for certain securities/insurance business.
  • Intra-group outsourcing permitted; FSA requires governance assurance with named local accountable officers (CIO / CISO).
  • Ring-fencing implicit through the FSA Comprehensive Supervisory Guidelines.

05 · Workload Isolation & Placement

  • Multi-tenant public cloud broadly permitted; FISC Security Guidelines drive logical isolation, encryption-at-rest/in-transit, and key separation.
  • Privileged-access management, segregation of duties, production/non-production separation explicitly prescribed.
  • Zero-trust principles gaining traction via FSA cyber strategy.

06 · Cross-Border Data Flow

  • APPI (amended 2022) — cross-border transfer requires (a) consent with information, (b) equivalent-standards country (adequacy), or (c) safeguards contract.
  • EU-Japan mutual adequacy recognition in place.
  • Sectoral: FSA may impose additional supervisory conditions in outsourcing approvals.

07 · Cybersecurity Standards

  • FISC Security Guidelines for Financial Information Systems (10th edition series) — de facto standard used at examination.
  • FSA Cybersecurity Policy / Practical Guidelines (updated 2024) — threat-led testing expectation for G-SIBs / D-SIBs.
  • Incident reporting "without delay"; practical expectation < 24 hours for material events.
  • ISO 27001, NIST CSF mapping common; PCI-DSS for card issuers.

08 · API & Open Banking

  • Open-API framework under amended Banking Act (2017) — banks publish APIs under contractual agreements with Electronic Payment Service Providers.
  • JBA (Japanese Bankers Association) API standards; OAuth 2.0 with FAPI-alignment growing.
  • Not a single mandatory scheme — bilateral/contractual rather than a centralized CDR.

09 · Cloud & Infrastructure

  • Cloud permitted; FSA notification for material outsourcing with exit/reversibility plans.
  • CSP selection often aligned to ISMAP (Information system Security Management & Assessment Program) — government-oriented but referenced by financials.
  • Concentration risk being highlighted in FSA supervisory communications.

10 · Licensing & Compliance Tech

  • Act on Prevention of Transfer of Criminal Proceeds (APTCP) — AML obligations.
  • eKYC under APTCP (2018 amendment): permissible methods include selfie + ID photo, IC-chip reading (My Number Card).
  • My Number Card-based digital ID increasingly federated into financial onboarding.
  • JAFIC as FIU for STR.

11 · Encryption & Authentication

  • TLS 1.2 minimum; TLS 1.3 increasingly required. CRYPTREC list informs approved algorithms.
  • MFA mandatory for customer high-risk transactions and privileged-access.
  • No mandated national cryptographic algorithm family; international standards accepted.
  • Onshore HSM preferred for core banking key material.

12 · Key Legislation

  • Banking Act (Act No. 59 of 1981, amended)
  • Act on the Protection of Personal Information (APPI) — amended 2022
  • FIEA (Financial Instruments & Exchange Act)
  • FISC Security Guidelines — 10th edition series (2024 revisions)

Architectural Implications

  1. Anchor core banking, BOJ-NET and Zengin connectivity in on-soil regions; align DR to a second Japanese region for seismic diversity.
  2. Use CSPs and controls mapped to FISC Security Guidelines — treat FISC alignment as the lingua franca of FSA examination.
  3. Leverage EU-Japan adequacy and contractual safeguards to enable group-platform analytics on the EU/Japan axis; avoid mixing with non-adequate regions.
  4. Integrate My Number / JPKI for eKYC and strong authentication; design the onboarding service with pluggable identity evidence.
  5. Publish Open-API endpoints to FAPI-grade security; document EPSP partner onboarding as a formal change-management process.

Country 05 / 10

China (Mainland)

CN · CNY · UTC+8

01 · Regulatory Bodies

  • National Financial Regulatory Administration (NFRA) — prudential supervision (formed 2023, absorbing CBIRC). nfra.gov.cn
  • People's Bank of China (PBOC) — central bank & payment-system regulator.
  • China Securities Regulatory Commission (CSRC).
  • Cyberspace Administration of China (CAC) — cybersecurity & data flows; MPS — public security / MLPS enforcement.
  • State Cryptography Administration (SCA / OSCCA) — cryptography oversight.

02 · Data Localization

  • Cybersecurity Law (CSL 2017) — Critical Information Infrastructure Operators (CIIOs) must store personal information & important data within China.
  • PIPL 2021 + DSL 2021 reinforce onshore storage and add cross-border assessment regimes.
  • PBOC rules require payment & financial data generated in China to be stored and processed onshore; bank-card transaction data via UnionPay rails remains onshore.
  • CIIP Regulation (2021) formalises CIIO designation and associated localization.

03 · System & Process Localization

  • Payment processing, clearing, settlement for domestic transactions must occur onshore — CNAPS (HVPS/BEPS), NUCC, UnionPay, NetsUnion.
  • DR site must be onshore; multi-active architectures widely used in a "two-location, three-centre" pattern.
  • Administration and DevOps access from outside China generally disallowed for CIIO workloads; onshore operations teams required.

04 · Legal Entity Segregation

  • Foreign banks operate through branches or locally-incorporated subsidiaries; securities / fund management usually requires JV or WFOE with specific licences.
  • Group platforms abroad cannot be the primary system of record for Chinese customers' financial data; local system of record mandated.
  • Local CIO / CISO and a local IT governance board are supervisory norms.

05 · Workload Isolation & Placement

  • Multi-Level Protection Scheme 2.0 (MLPS 2.0) — systems graded 1–5; financial core systems typically Level 3 or higher, requiring dedicated or tightly-isolated environments.
  • Public cloud permitted for non-CIIO workloads from licensed domestic CSPs (Alibaba Cloud, Tencent Cloud, Huawei Cloud); hyperscalers operate through local partnerships (AWS × Sinnet/NWCD; Azure × 21Vianet).
  • Core banking, payment-switching, and key-management systems expected on dedicated / private cloud with onshore operations.

06 · Cross-Border Data Flow

  • PIPL cross-border transfer route requires one of: CAC security assessment, Standard Contract filing, or Certification.
  • March 2024 CAC "Regulations on Promoting and Regulating Cross-Border Data Flows" relaxed thresholds but thresholds still apply to financial data.
  • "Important data" catalogues being finalised sector-by-sector. [Flux]

07 · Cybersecurity Standards

  • MLPS 2.0 (GB/T 22239-2019 series), CIIP Regulation, JR/T 0071 financial-industry information-security standards.
  • Incident reporting to CAC and sector regulators under CSL (immediate / within hours for material events).
  • Regular attack-defence drills ("HW / 护网") organised by MPS / industry.

08 · API & Open Banking

  • No unified mandatory open-banking scheme; bilateral API arrangements and PBOC-supervised standards dominate.
  • PBOC JR/T 0185 (Open API Application) and related financial-data-sharing standards set security expectations.
  • Super-app / QR payment rails (Alipay, WeChat Pay) act as quasi-open-access rails under PBOC supervision; NetsUnion routes such transactions.

09 · Cloud & Infrastructure

  • Foreign CSPs operate only through licensed domestic partners; data sovereignty absolute for CIIOs.
  • Cloud outsourcing for banks subject to NFRA/PBOC outsourcing rules with explicit regulator notification / approval for material outsourcing.
  • "Distributed Application Architecture for Financial Industry" (JR/T 0201) drives banks' modernisation towards cloud-native patterns.

10 · Licensing & Compliance Tech

  • AML under Anti-Money-Laundering Law (2007, amended 2024); PBOC's CAMLMAC reporting.
  • eKYC relies on government ID-card verification via the Ministry of Public Security's citizen ID service; facial recognition common.
  • e-CNY — PBOC digital currency — integration increasingly expected for retail payment apps.

11 · Encryption & Authentication

  • Commercial Cryptography Law (2020) — mandates state-approved SM2 / SM3 / SM4 / SM9 algorithms for cryptographic protection of important data.
  • SCA-certified cryptographic modules (commercial cryptography certification) required for systems handling covered data.
  • HSMs must be SCA-approved; keys generated and held onshore.
  • MFA for customer and privileged access; payment messaging typically signed with SM2/SM3.

12 · Key Legislation

  • Cybersecurity Law (CSL), 2017 · Data Security Law (DSL), 2021 · Personal Information Protection Law (PIPL), 2021
  • Critical Information Infrastructure Security Protection Regulations, 2021
  • Commercial Cryptography Law, 2020 · Counter-Espionage Law (amended 2023)
  • CAC Cross-Border Data Flow Regulations, 2024 [Relaxed thresholds]

Architectural Implications

  1. Stand up a fully onshore stack: licensed domestic CSP or JV hyperscaler, SM-family cryptography, SCA-certified HSMs, onshore operations and SRE teams — assume no foreign administrative access.
  2. Design for MLPS Level-3+ controls from day one — rated-system graded testing, dedicated security-operations capability, and approval from MPS for system go-live.
  3. Treat cross-border data movement as a compliance project: map "important data" exposure, budget for CAC security-assessment lead times, and minimise data egress through tokenisation / aggregation.
  4. Integrate with CNAPS, NUCC, NetsUnion, and UnionPay via approved domestic connectivity; include e-CNY support in the roadmap for retail-facing applications.
  5. Build a local legal entity with local CIO / CISO, local board governance, and a local system of record — group platforms abroad cannot be the book of record for Chinese data.
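Section 11 above states that the Commercial Cryptography Law mandates the SM2/SM3/SM4 family and that payment messaging is typically signed with SM2 over SM3 digests; implication 1 assumes SM-family cryptography and SCA-certified HSMs. As an added example, not code from this brief or from any SCA-certified product, the following is a pure-Python reference SM3 digest (GB/T 32905-2016) checked against the specification's two published test vectors. Its defensive use is as a known-answer test: a vendor library or HSM that claims SM3 but fails it is not producing SM3 (the check also shows a SHA-256 fallback failing). It is a readable reference, not a constant-time or production module.

```python
"""Reference SM3 digest (GB/T 32905-2016) plus a known-answer check (added example)."""
import hashlib
import struct

MASK = 0xFFFFFFFF
IV = [0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
      0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E]


def _rotl(x: int, n: int) -> int:
    """32-bit left rotation; n is reduced mod 32 so round index j can be passed directly."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK


def _p0(x: int) -> int:
    return x ^ _rotl(x, 9) ^ _rotl(x, 17)


def _p1(x: int) -> int:
    return x ^ _rotl(x, 15) ^ _rotl(x, 23)


def _compress(v: list, block: bytes) -> list:
    """One 512-bit block: message expansion to W[0..67], W'[0..63], then 64 rounds."""
    w = list(struct.unpack(">16I", block))
    for j in range(16, 68):
        w.append(_p1(w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15)) ^ _rotl(w[j - 13], 7) ^ w[j - 6])
    w1 = [w[j] ^ w[j + 4] for j in range(64)]
    a, b, c, d, e, f, g, h = v
    for j in range(64):
        t = 0x79CC4519 if j < 16 else 0x7A879D8A          # round constant T_j
        ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & MASK, 7)
        ss2 = ss1 ^ _rotl(a, 12)
        if j < 16:                                        # FF_j / GG_j for rounds 0..15
            ff, gg = a ^ b ^ c, e ^ f ^ g
        else:                                             # FF_j / GG_j for rounds 16..63
            ff = (a & b) | (a & c) | (b & c)
            gg = (e & f) | ((~e & MASK) & g)
        tt1 = (ff + d + ss2 + w1[j]) & MASK
        tt2 = (gg + h + ss1 + w[j]) & MASK
        d, c, b, a = c, _rotl(b, 9), a, tt1
        h, g, f, e = g, _rotl(f, 19), e, _p0(tt2)
    return [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]  # feed-forward


def sm3(msg: bytes) -> bytes:
    """SM3 digest of an arbitrary byte string (Merkle-Damgard, SHA-2 style padding)."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack(">Q", len(msg) * 8)             # 64-bit big-endian bit length
    v = IV[:]
    for i in range(0, len(padded), 64):
        v = _compress(v, padded[i:i + 64])
    return struct.pack(">8I", *v)


def sm3_hex(msg: bytes) -> str:
    return sm3(msg).hex()


# Known-answer vectors from GB/T 32905-2016 Appendix A (one-block and two-block cases).
KAT = {
    b"abc": "66c7f0f462eeedd9d1f2d46bdc10e4e24167c4875cf2f7a2297da02b8f4ba8e0",
    b"abcd" * 16: "debe9ff92275b8a138604889c18e5a4d6fdb70e5387e5765293dcba39c0c5732",
}


def passes_sm3_kat(digest_fn) -> bool:
    """True only if `digest_fn(bytes) -> bytes` reproduces every SM3 known answer.

    Use this against a vendor module or HSM wrapper before trusting its 'SM3' claim.
    """
    return all(digest_fn(m).hex() == expected for m, expected in KAT.items())


if __name__ == "__main__":
    print("reference impl passes KAT:", passes_sm3_kat(sm3))
    print("sha256 fallback passes KAT:", passes_sm3_kat(lambda m: hashlib.sha256(m).digest()))
```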

Country 06 / 10

Hong Kong SAR

HK · HKD · UTC+8

01 · Regulatory Bodies

  • Hong Kong Monetary Authority (HKMA) — banking & payment systems. hkma.gov.hk
  • Securities and Futures Commission (SFC) — securities, asset management, virtual assets.
  • Insurance Authority (IA).
  • Office of the Privacy Commissioner for Personal Data (PCPD) — PDPO enforcement.

02 · Data Localization

  • No statutory data localization. HKMA requires records to be "readily available" in Hong Kong and accessible to the regulator on demand.
  • Section 33 of PDPO (cross-border transfer provision) remains not in force, but PCPD guidance encourages use of the recommended Model Clauses.
  • The Mainland China data-protection regime may also apply to HK entities handling mainland customers' data.

03 · System & Process Localization

  • HKD RTGS (CHATS) and FPS (Faster Payment System) operate onshore under HKMA/HKICL; participants require direct onshore connectivity.
  • Core banking records and customer data must be accessible onshore; offshore processing is allowed under SA-2 outsourcing rules with HKMA non-objection.
  • DR typically intra-territory plus a regional secondary; HKMA expects documented site-resilience.

04 · Legal Entity Segregation

  • Locally-incorporated banks or branches both permitted; SFC-licensed corporations for securities business.
  • Group outsourcing permitted under HKMA SA-2 supervisory policy manual (outsourcing) and TM-E-1 (electronic banking).
  • HKMA "Manager-in-Charge" regime assigns named individuals accountability for technology and cyber.

05 · Workload Isolation & Placement

  • Multi-tenant public cloud broadly accepted; HKMA Circular on cloud computing (Aug 2022) formalises cloud usage expectations and introduces the Shared Assessments Programme for CSP due-diligence reuse.
  • Logical isolation, encryption with customer-managed keys, and segregation of duties expected.
  • Zero-trust / network-segmentation aligned with HKMA Cyber Resilience Assessment Framework (C-RAF).

06 · Cross-Border Data Flow

  • PDPO permits cross-border transfer with data-subject consent and appropriate safeguards; Section 33 not yet in force.
  • GBA cross-boundary data pilots (wealth-management connect, mBridge e-CNY experiments) create sector-specific data-sharing arrangements with mainland.

07 · Cybersecurity Standards

  • HKMA CFI 2.0 (Cybersecurity Fortification Initiative 2.0) — three pillars: C-RAF assessment, iCAST intelligence-led attack simulation, CIR professional development.
  • SFC Cybersecurity Guidelines for licensed corporations; IA cybersecurity code.
  • Incident reporting to HKMA "as soon as practicable" — practical < 24 hours for material events; significant disruption reportable immediately.

08 · API & Open Banking

  • HKMA Open API Framework — four-phase plan (Phase I product info → Phase IV transactional); Phase IV implementation ongoing.
  • API security: OAuth 2.0, mTLS, signed JWTs.
  • Commercial Data Interchange (CDI) — consent-based sharing of corporate data across banks to accelerate SME credit.

09 · Cloud & Infrastructure

  • Material outsourcing requires HKMA non-objection under SA-2; explicit cloud risk-management expectations.
  • Concentration-risk assessment formalised; exit plans must be realistic and rehearsed.
  • CSPs with HK region presence (AWS HK, Azure HK, Alibaba HK) widely used; GCP via regional alternatives.

10 · Licensing & Compliance Tech

  • AMLO — AML/CTF obligations; JFIU for STR.
  • eKYC via HKMA "remote onboarding" guidance (2019/2020) — biometrics + ID authentication; iAM Smart digital-identity platform for consented KYC.
  • Virtual-asset onboarding under SFC VATP licensing regime (Jun 2023).

11 · Encryption & Authentication

  • TLS 1.2 minimum; TLS 1.3 preferred; approved cipher-suites per HKMA TM-E-1 / industry practice.
  • Strong customer authentication mandatory for high-risk transactions; 2FA long-standing norm.
  • No national crypto standard; FIPS-certified HSMs typical; onshore preferred for regulator access.

12 · Key Legislation

  • Banking Ordinance (Cap. 155) · Personal Data (Privacy) Ordinance (PDPO)
  • HKMA SPM TM-E-1 (Risk Management of E-Banking) · SA-2 (Outsourcing)
  • HKMA Cybersecurity Fortification Initiative 2.0 (2020, refreshed 2023)
  • SFC Cybersecurity Guidelines · HKMA Cloud Computing Circular, Aug 2022

Architectural Implications

  1. Use onshore HK regions for customer data, CHATS/FPS connectivity, and the primary system of record; regional DR is permitted, but recovery and regulator access must be demonstrable.
  2. Design to C-RAF and iCAST from outset — threat modelling, red-team readiness, and SOC maturity should be part of the target-state architecture, not a compliance afterthought.
  3. Expose Open-API Phase III/IV endpoints with FAPI-grade security and CDI integration for SME credit journeys.
  4. Leverage iAM Smart for consented customer identity and remote onboarding; design journeys to fall back to branch/RVM where identity assurance is insufficient.
  5. For GBA cross-boundary flows, treat mainland customer data with PRC-grade controls (SM-family crypto, PIPL) — do not blend into HK-only data estate.

Country 07 / 10

Singapore

SG · SGD · UTC+8

01 · Regulatory Bodies

  • Monetary Authority of Singapore (MAS) — integrated regulator and central bank. mas.gov.sg
  • Personal Data Protection Commission (PDPC) — PDPA enforcement. pdpc.gov.sg
  • Cyber Security Agency (CSA) — national cyber under Cybersecurity Act 2018. csa.gov.sg

02 · Data Localization

  • No statutory data-localization mandate. MAS "permits" cross-border processing provided timely regulator access to records in Singapore is preserved (MAS Notice 658 and related outsourcing notices).
  • Data must be retrievable and FI must retain legal custody; CSP reps/warranties required.

03 · System & Process Localization

  • Domestic rails — MEPS+ (SGD RTGS), FAST, PayNow — onshore under MAS/ABS governance.
  • Processing may occur offshore subject to outsourcing controls and a demonstrable ability to recover to an onshore or equivalently-controlled site.
  • DR is principle-based: proportionate to criticality; offshore DR allowed if risk-managed.

04 · Legal Entity Segregation

  • Full banks, wholesale banks, and DPT (digital payment token) licensees each carry specific licensing; DPT services are licensed under the Payment Services Act 2019.
  • MAS permits group outsourcing with robust governance, local CIO / CISO, and a locally-accountable Board IT Committee for significant FIs.

05 · Workload Isolation & Placement

  • Multi-tenant public cloud fully accepted; MAS TRM 2021 articulates expected controls (IAM, segregation, encryption, logging).
  • MAS Cloud Advisory (Jun 2021) — addresses concentration risk, exit strategy, business-continuity.
  • Zero-trust, defence-in-depth, API-gateway security are current supervisory expectations.

06 · Cross-Border Data Flow

  • PDPA 2012 (amended 2020) — transfer permitted with consent and comparable protection (e.g., contractual safeguards); ASEAN Model Contractual Clauses increasingly used.
  • Singapore is an APEC CBPR / ASEAN DEFA participant — supports interoperable data flows.
  • MAS-imposed conditions in outsourcing agreements govern sectoral cross-border data movement.

07 · Cybersecurity Standards

  • MAS Technology Risk Management Guidelines (Jan 2021) — the anchor document for FI technology / cyber practice.
  • MAS Notice 655 (Cyber Hygiene) — binding baseline controls (patch, MFA, privilege, malware, secure config, security-update).
  • Incident reporting under Notice 644 — within 1 hour of detection of a relevant incident; root-cause report within 14 days.
  • AASE (Adversarial Attack Simulation Exercises) — threat-led red-team testing for systemically-important FIs.

08 · API & Open Banking

  • SGFinDex — consent-based financial data exchange across participating banks, CPF, HDB, IRAS, insurers, via Singpass authentication.
  • MAS/ABS Finance-as-a-Service API Playbook — security patterns (OAuth 2.0, FAPI, mTLS).
  • Open-banking is facilitated and standardised rather than compelled.

09 · Cloud & Infrastructure

  • CSP selection under MAS outsourcing notices; explicit regulator access, audit, confidentiality, and exit clauses required.
  • Concentration risk actively monitored; MAS examinations expect realistic exit/failover scenarios to be demonstrated.

10 · Licensing & Compliance Tech

  • AML/CFT under MAS Notice 626 (Banks) and equivalents for other FIs; STRO as FIU.
  • Singpass / Myinfo — national digital identity & government-verified attributes for eKYC.
  • Singpass Face Verification for remote onboarding.

11 · Encryption & Authentication

  • TLS 1.2 minimum; TLS 1.3 encouraged; MAS TRM prescribes strong cipher suites and PFS.
  • MFA universal for customer and privileged access; SMS-OTP increasingly disallowed in favour of app-based authentication.
  • HSMs — FIPS 140-2 L3+ common; key management with dual control and split knowledge.

12 · Key Legislation

  • Banking Act 1970 · Payment Services Act 2019 · Securities & Futures Act
  • PDPA 2012 (amended 2020)
  • Cybersecurity Act 2018 (CII designation regime)
  • MAS TRM Guidelines, 2021 · MAS Notices 655 / 644 / 634 / 1121 · MAS Cloud Advisory, 2021

Architectural Implications

  1. Architect freely across regions under MAS principle-based guidance — but evidence timely regulator access to records held in Singapore, with contractual and technical guarantees.
  2. Bake MAS TRM 2021 and Notice 655 controls into CI/CD pipelines — hardening baselines, patch SLAs, MFA, privileged-access management.
  3. Hit the 1-hour MAS Notice 644 incident-reporting SLA with runbooks, automation, and a rehearsed comms path — design detection-to-notification as an engineered pipeline.
  4. Build on Singpass / Myinfo for onboarding and SGFinDex for data-sharing; FAPI-grade API security is the minimum bar.
  5. Prove exit strategy: portability, data-extraction, and alternative-provider topologies must be tabletop-tested and documented.

Country 08 / 10

Malaysia

MY · MYR · UTC+8

01 · Regulatory Bodies

  • Bank Negara Malaysia (BNM) — banking, payment systems, Islamic finance. bnm.gov.my
  • Securities Commission Malaysia (SC).
  • Department of Personal Data Protection (JPDP) — PDPA enforcement (under Communications Ministry).
  • NACSA / CyberSecurity Malaysia — national cyber coordination.

02 · Data Localization

  • BNM Policy Document on Outsourcing (2019) requires BNM concurrence for storage of customer information outside Malaysia for material outsourcing.
  • Historical BNM expectation that primary copy of customer data resides onshore; offshore only with concurrence.
  • PDPA 2010 originally operated a whitelist of approved jurisdictions for transfer; 2024 amendments moved to an "adequacy"-based model — implementation guidance pending. [Flux]

03 · System & Process Localization

  • Domestic payment rails — RENTAS (RTGS), DuitNow (retail instant) — operated onshore by PayNet under BNM oversight.
  • Core banking / customer data processing primarily onshore; offshore for material workloads requires BNM concurrence and evidence of access.
  • DR typically onshore for critical systems; regional DR permitted for non-critical.

04 · Legal Entity Segregation

  • Foreign banks operate as locally-incorporated subsidiaries under FSA 2013 / IFSA 2013.
  • Local CIO / CISO required; Board Risk / Technology committees expected.
  • Group platforms permitted with BNM-approved outsourcing; data-access, audit, and sub-outsourcing controls apply.

05 · Workload Isolation & Placement

  • BNM RMiT (Risk Management in Technology, 2020) — segregation of production/non-production, dedicated environments for critical systems, strong IAM & privileged-access.
  • Multi-tenant public cloud accepted with concurrence; dedicated / logical isolation for critical systems such as core banking and the payment switch.

06 · Cross-Border Data Flow

  • PDPA 2010 Section 129 (post-2024 amendment): transfer permitted to jurisdictions with comparable protection or on consent / specified grounds.
  • BNM Outsourcing Policy: cross-border outsourcing requires concurrence and risk-assessment (including geopolitical, legal, concentration risk).

07 · Cybersecurity Standards

  • BNM RMiT — comprehensive technology-risk standard: cyber, cloud, outsourcing, data-leakage, resilience.
  • Incident reporting: material cyber incidents reportable to BNM promptly; RMiT requires escalation protocols and root-cause timelines.
  • Cyber Security Bill 2024 introduces CII-sector requirements and licensing of service providers. [Recently enacted]
  • Annual penetration testing; SOC capability; threat-led exercises for D-SIBs.

08 · API & Open Banking

  • BNM "Open Data & Application Programming Interfaces" policy (2018) — phased open APIs, initially for product information; PayNet API platform delivers DuitNow-based payment APIs.
  • Open-banking framework currently voluntary but converging on FAPI-grade security.

09 · Cloud & Infrastructure

  • BNM concurrence for material cloud outsourcing; assessment covers CSP resilience, data access, regulator audit-rights, exit.
  • Hyperscale regions (AWS MY, Azure MY, Google MY) recently launched / launching — expected to accelerate onshore cloud adoption. [Cloud regions 2024–2026]

10 · Licensing & Compliance Tech

  • AML/CFT under AMLA 2001; BNM AML/CFT and TFS for FIs (AML/CFT Policy); FIED as FIU.
  • eKYC under BNM e-KYC Policy Document (2020) — permits fully digital onboarding with liveness and document-verification requirements.
  • MyDigital ID — emerging national digital identity; integration expected.

11 · Encryption & Authentication

  • TLS 1.2 minimum (TLS 1.3 adoption under way); AES-256, RSA-2048 / ECDSA-P256 standard.
  • MFA mandatory for customer-facing transactional access; BNM policy on replacement of SMS OTP for high-risk operations.
  • HSMs FIPS 140-2 L3 typical; onshore preferred for key-ceremonies and card issuance.

12 · Key Legislation

  • Financial Services Act 2013 (FSA) · Islamic Financial Services Act 2013 (IFSA)
  • Personal Data Protection Act 2010 (amended 2024)
  • Cyber Security Act 2024
  • BNM RMiT, 2020 · BNM Outsourcing Policy, 2019 · BNM e-KYC Policy, 2020

Architectural Implications

  1. Default to onshore hosting of customer data and critical systems; treat cross-border processing as a BNM-approval exercise with documented risk-assessment and exit plan.
  2. Build to BNM RMiT as the baseline controls catalogue; map architecture patterns directly to RMiT appendices for audit defensibility.
  3. With new Malaysian hyperscale regions, revisit legacy offshore outsourcing decisions — onshore cloud is becoming the path-of-least-friction.
  4. Integrate BNM-compliant e-KYC with liveness and document verification; engineer for MyDigital ID federation as it matures.
  5. Stand up an incident-escalation pipeline aligned to RMiT reporting expectations; anticipate Cyber Security Act 2024 CII licensing implications for your CSP and service providers.

Country 09 / 10

Australia

AU · AUD · UTC+10

01 · Regulatory Bodies

  • Australian Prudential Regulation Authority (APRA). apra.gov.au
  • Australian Securities & Investments Commission (ASIC) — conduct & markets.
  • Reserve Bank of Australia (RBA) — payment-system oversight (Payment Systems (Regulation) Act 1998).
  • AUSTRAC — AML/CTF. OAIC — privacy. ASD / ACSC — national cyber.

02 · Data Localization

  • No statutory data-localization mandate. APRA expects records to be accessible and entities to retain effective control.
  • Privacy Act APP 8 — disclosing entity remains accountable for cross-border-transferred data; reasonable-steps obligation.
  • Security of Critical Infrastructure (SOCI) Act amendments (2022) — obligations on critical-infrastructure sectors including banking.

03 · System & Process Localization

  • Domestic rails — RITS (RTGS), NPP (New Payments Platform), BECS — operated onshore by RBA / NPPA.
  • Offshore processing allowed under CPS 230 / CPS 231-style controls; APRA-notifiable service providers and documented resilience required.
  • DR generally onshore for critical systems; cross-region permissible with demonstrated recovery.

04 · Legal Entity Segregation

  • Foreign ADIs operate as branches (FABs) or locally-incorporated subsidiaries; subsidiary required for retail deposit-taking.
  • CPS 220 risk management; CPS 510 governance — board-level accountability for operational and technology risk.
  • Material service providers (intra-group or external) scoped under CPS 230 Operational Risk Management (effective 1 Jul 2025).

05 · Workload Isolation & Placement

  • CPS 234 (Information Security, 2019) — controls proportionate to threat and criticality; segregation of environments expected.
  • Multi-tenant public cloud fully accepted under APRA Information Paper on cloud computing (2018, refreshed).
  • Zero-trust, MFA, patching SLAs, and SOC capability are standard expectations.

06 · Cross-Border Data Flow

  • APP 8 under Privacy Act 1988; disclosing entity remains accountable unless safe-harbour conditions met.
  • Privacy Act reform tranche-1 (2024) added statutory tort / children-code; tranche-2 expected to sharpen cross-border rules. [Flux]
  • APRA outsourcing/OR rules govern banking-sector movements contractually.

07 · Cybersecurity Standards

  • APRA CPS 234 (Information Security, 2019) — legally binding prudential standard.
  • APRA CPS 230 (Operational Risk Management, effective 1 Jul 2025) — supersedes CPS 231/232 for outsourcing/BCM; includes service-provider register & tolerances.
  • SOCI Act / RMP rules — Risk Management Program obligations for CI sectors; mandatory cyber-incident reporting (12h / 72h).
  • ACSC Essential Eight widely adopted; ISO 27001 / NIST CSF mappings common.

08 · API & Open Banking

  • Consumer Data Right (CDR) — legislated in 2019, operational across banking, energy, and expanding. FAPI 1.0 Advanced profile, mTLS, PAR.
  • Data Standards Body (DSB) publishes and maintains the CDR Standards; ACCC/OAIC administer accreditation and privacy.
  • Insurance, super, non-bank lending addressed in tranches; reform debate ongoing in 2025–26.

09 · Cloud & Infrastructure

  • APRA permits cloud; under CPS 230, material service providers must be registered, tolerances set, and providers regularly tested for exit/substitution.
  • Concentration risk and sovereign-cloud considerations increasingly raised in supervisory dialogue.

10 · Licensing & Compliance Tech

  • AML/CTF under AML/CTF Act 2006; AUSTRAC regulations; transaction monitoring and TTR / SMR obligations.
  • Australian Government Digital ID — expanded under the Digital ID Act 2024; myGovID (rebranded "Digital ID") interoperable framework. [Phasing in]
  • Document Verification Service (DVS) commonly used; VoI (Verification of Identity) standards.

11 · Encryption & Authentication

  • TLS 1.2 minimum; TLS 1.3 strongly encouraged; ACSC-approved cryptographic algorithms (AACP) guide protection of classified data and inform financial baselines.
  • MFA mandatory for customer-facing high-risk and privileged access under CPS 234.
  • FIPS-certified HSMs; onshore preferred for customer-authentication keys and CDR cryptographic material.

12 · Key Legislation

  • Banking Act 1959 · Privacy Act 1988 (tranche-1 reforms 2024)
  • Security of Critical Infrastructure Act 2018 (amended 2022)
  • APRA CPS 234 (2019) · CPS 230 (effective 1 Jul 2025) · CPG 234 / CPG 235
  • Consumer Data Right (CDR) — Treasury Laws Amendment (CDR) Act 2019 · Digital ID Act 2024

Architectural Implications

  1. Adopt CPS 230 tolerances as a first-class architectural input — per-service impact tolerances drive capacity, resilience, and dependency design, not just BCM plans.
  2. Build to CPS 234 control objectives and map to APRA-expected evidence; use this mapping as the source of truth for SOC, testing, and assurance scopes.
  3. Expose CDR endpoints at FAPI 1.0 Advanced; treat the DSB register integration and consent dashboard as product-grade features, not compliance artefacts.
  4. Register material service providers; pre-plan SOCI-notifiable cyber-incident workflows (12-hour critical, 72-hour other) end-to-end.
  5. Integrate the Digital ID Act 2024 federation as the strategic identity-evidence source; retain DVS / VoI fallback for edge cases.

Country 10 / 10

Thailand

TH · THB · UTC+7

01 · Regulatory Bodies

  • Bank of Thailand (BOT) — banks, payment systems. bot.or.th
  • SEC Thailand, OIC (insurance).
  • PDPC — Personal Data Protection Committee under MDES.
  • NCSA (National Cyber Security Agency) under the Cybersecurity Act 2019.
  • ETDA — Electronic Transactions Development Agency; digital-ID and trust services.

02 · Data Localization

  • No general data-localization law; BOT can impose onshore conditions in licensing.
  • PDPA (2019, in force 2022) restricts cross-border transfer absent adequacy / safeguards / consent.
  • BOT notification on IT Risk management expects regulator access to records in Thailand.

03 · System & Process Localization

  • Domestic rails — BAHTNET (RTGS), PromptPay (instant retail), ICAS (cheque) — operated onshore.
  • Offshore processing allowed under BOT outsourcing rules with notification / approval and ongoing oversight.
  • DR typically onshore for critical systems; regional DR acceptable with demonstrated recovery.

04 · Legal Entity Segregation

  • Foreign banks commonly operate as branches / subsidiaries under Financial Institutions Business Act 2008.
  • Local IT / cyber governance assigned; board-level oversight expected.
  • Intra-group service arrangements permitted with BOT-compliant outsourcing governance.

05 · Workload Isolation & Placement

  • Multi-tenant public cloud accepted under BOT IT risk rules; material workloads (core banking, payment switching) expected on isolated / dedicated environments.
  • BOT's IT & cyber risk notification prescribes IAM, production/non-production segregation, and logging controls.

06 · Cross-Border Data Flow

  • PDPA cross-border: permitted to jurisdictions with adequate protection (PDPC determines), or under binding corporate rules / standard contractual terms / consent.
  • BOT may impose specific conditions on outsourcing agreements involving cross-border data.

07 · Cybersecurity Standards

  • BOT Notification on IT Risk Management and the Cyber Resilience Assessment Framework for FIs.
  • Cybersecurity Act 2019 designates CII and empowers NCSA to demand incident reporting and preventive measures.
  • Incident reporting to BOT promptly; to PDPC under PDPA within 72 hours for personal-data breaches.
  • ISO 27001, NIST CSF and PCI-DSS widely adopted.

08 · API & Open Banking

  • BOT is advancing an open-data / open-banking framework under the Financial Landscape Consultation (2022 and subsequent directions).
  • API standards emerging; PromptPay and PromptBiz provide de-facto payment-API experiences.
  • ETDA digital-services standards inform API security baseline.

09 · Cloud & Infrastructure

  • Cloud outsourcing under BOT IT Outsourcing Notification; material outsourcing requires notification / non-objection with demonstrable controls.
  • Local hyperscale regions (AWS BKK, Google TH, Azure TH) emerging, reducing friction for onshore cloud.

10 · Licensing & Compliance Tech

  • AML/CFT under AMLA 1999; AMLO as FIU.
  • NDID (National Digital ID) — federated identity platform enabling eKYC across FIs; BOT & ETDA-endorsed.
  • Biometric facial-recognition onboarding permitted under BOT eKYC guidance.

11 · Encryption & Authentication

  • TLS 1.2 minimum; TLS 1.3 encouraged; standard cipher suites.
  • MFA required for customer-facing high-risk and privileged access.
  • ETDA PKI framework; HSMs typically FIPS 140-2 L3; onshore preferred for PromptPay / domestic card rails.

12 · Key Legislation

  • Financial Institutions Business Act 2008
  • Personal Data Protection Act 2019 (enforcement 2022)
  • Cybersecurity Act 2019
  • BOT IT Risk Management Notification & BOT IT Outsourcing Notification

Architectural Implications

  1. Keep BAHTNET / PromptPay / ICAS connectivity and their supporting workloads onshore; use Thailand CSP regions as they mature to align customer-data primary copies.
  2. Integrate NDID as the default eKYC and step-up identity evidence provider; design identity journeys to degrade gracefully where NDID is unavailable.
  3. Build to BOT IT risk & cyber-resilience expectations; mirror the Cyber Resilience Assessment Framework controls into the target-state operating model.
  4. Engineer PDPA compliance (72-hour breach notification, consent management, cross-border safeguards) into identity, marketing, and analytics platforms.
  5. Treat BOT outsourcing rules as gated-decision architecture — material cloud / offshore changes assume a BOT consultation cycle, not post-hoc notification.

Synthesis

Comparative Matrix — Localization & Isolation Severity

Scoring across the four dimensions that most materially determine deployment topology: where data lives, where processing runs, whether a local legal entity is compelled, and how strictly workloads must be segregated. Severity reflects the binding floor, not aspiration.

Jurisdiction   | Data Localization | System / Process Localization | Legal Entity Segregation | Workload Isolation | Notable anchor
---------------+-------------------+-------------------------------+--------------------------+--------------------+----------------------------------------
China (CN)     | Strict            | Strict                        | Strict                   | Strict             | CSL / DSL / PIPL · MLPS 2.0 · SM crypto
India (IN)     | Strict            | Strict                        | Moderate                 | Moderate           | RBI payment-data localization (2018)
Indonesia (ID) | Moderate          | Strict                        | Moderate                 | Moderate           | BI PBI 19/14/PBI/2017 · OJK POJK 11/2022
Malaysia (MY)  | Moderate          | Moderate                      | Moderate                 | Moderate           | BNM RMiT · Outsourcing Policy
Taiwan (TW)    | Moderate          | Moderate                      | Moderate                 | Moderate           | FSC Outsourcing Regulations
Thailand (TH)  | Light             | Moderate                      | Light                    | Moderate           | BOT IT risk / outsourcing notifications
Hong Kong (HK) | Light             | Moderate                      | Light                    | Moderate           | HKMA SA-2 / TM-E-1 · CFI 2.0
Singapore (SG) | Light             | Light                         | Light                    | Moderate           | MAS TRM · Notices 655 / 644
Japan (JP)     | Light             | Light                         | Light                    | Moderate           | FISC Security Guidelines · APPI
Australia (AU) | None              | Light                         | Light                    | Moderate           | APRA CPS 234 / CPS 230 · CDR · SOCI

Severity reflects the author's assessment of binding rules as of 17 April 2026 and is intended as a design-input heuristic, not a legal conclusion. All multi-tenant workload placement requires institution-level controls regardless of the matrix score; the "Workload Isolation" rating captures the minimum segregation expectation.

Synthesis · Interactive

Comparison Lab

Select up to three jurisdictions to see their binding-severity profile side by side across the four topology-shaping dimensions. Useful for triaging a regional build when you must pick a primary, a secondary, and an exception.

Synthesis · Playbook

Architecture Decision Flow — Where Does This Workload Live?

A compact decision tree for siting a new workload. Start at the top; follow the path that matches your data classification, jurisdiction and regulator posture. Terminal nodes give the binding architecture the rule set implies, not a legal conclusion.

Placement Decision Tree · Binding · APAC · 2026

Start: new workload in an APAC jurisdiction.

Decision 01 · Is the workload a domestic payment rail, switching, or systemically-important service?
  Yes → Terminal · STRICT: onshore primary processing; dedicated / single-tenant enclave; onshore HSM; local DR. (CN · IN · ID · HK/TH payment rails)
  No  → Decision 02

Decision 02 · Does the workload process customer PII or regulated records?
  Yes → Decision 03
  No  → (edge target not legible in the extracted diagram)

Decision 03 · Is the jurisdiction in the Strict or Moderate band?
  Strict       → Terminal · STRICT: onshore primary copy; regulator-accessible; cross-border mirror only. (CN · IN)
  Moderate     → Terminal · MODERATE: onshore + mirror; regulator notification; approved cross-border. (ID · MY · TW)
  Light / None → Decision 04

Decision 04 · Adequacy / SCCs / consent in place for outbound transfer?
  Yes → Terminal · LIGHT: regional hub / offshore permitted; multi-tenant with controls; privacy notice + safeguards. (SG · JP · HK · AU · TH)
  No  → Terminal · MODERATE: retain onshore until transfer basis established; execute SCC / consent workflow pending adequacy decision.

Overlay · Workload Isolation (applies to all terminals above): multi-tenant OK with controls; single-tenant enclave required for payment-rail and key-management workloads.

Arrows read top-down; the overlay is drawn dashed.
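The decision flow above, expressed as code so it can sit in a design-review pipeline and produce an auditable path for each workload. This is an added worked example, not the brief's own tooling; the severity bands are transcribed from the matrix's Data Localization column (the band Decision 03 keys on), and the Decision 02 "No" edge, which is not legible in the diagram, is assumed to lead to the LIGHT terminal.

```python
"""Placement decision tree from the brief, as an added worked example.

Not the brief's own tooling.  Bands are the comparative matrix's Data
Localization column.  ASSUMPTION: the Decision 02 "No" edge (illegible in
the extracted diagram) is taken to lead to the LIGHT terminal.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Band(Enum):
    STRICT = "Strict"
    MODERATE = "Moderate"
    LIGHT = "Light"
    NONE = "None"


# Data Localization column of the comparative matrix, keyed by jurisdiction code.
DATA_LOCALIZATION_BAND: dict[str, Band] = {
    "CN": Band.STRICT, "IN": Band.STRICT,
    "ID": Band.MODERATE, "MY": Band.MODERATE, "TW": Band.MODERATE,
    "TH": Band.LIGHT, "HK": Band.LIGHT, "SG": Band.LIGHT, "JP": Band.LIGHT,
    "AU": Band.NONE,
}

# Controls named on each terminal node of the diagram.
STRICT_RAIL = ("onshore primary processing", "dedicated / single-tenant enclave",
               "onshore HSM", "local DR")
STRICT_DATA = ("onshore primary copy", "regulator-accessible", "cross-border mirror only")
MODERATE_DATA = ("onshore + mirror", "regulator notification", "approved cross-border")
LIGHT_DATA = ("regional hub / offshore permitted", "multi-tenant with controls",
              "privacy notice + safeguards")
MODERATE_HOLD = ("retain onshore until transfer basis established",
                 "execute SCC / consent workflow pending adequacy decision")


@dataclass(frozen=True)
class Workload:
    jurisdiction: str               # matrix code, e.g. "SG"
    payment_rail_or_sif: bool       # Decision 01: rail, switching or systemically-important
    handles_pii_or_regulated: bool  # Decision 02
    transfer_basis_in_place: bool   # Decision 04: adequacy / SCCs / consent for outbound transfer
    key_management: bool = False    # isolation overlay: key-management workload


@dataclass(frozen=True)
class Placement:
    terminal: str               # "STRICT" | "MODERATE" | "LIGHT"
    controls: tuple[str, ...]   # binding controls the terminal implies
    isolation: str              # overlay result
    path: tuple[str, ...]       # decisions taken, kept for the design record


def isolation_overlay(w: Workload) -> str:
    """Overlay applied to every terminal: enclave for rail and key-management workloads."""
    if w.payment_rail_or_sif or w.key_management:
        return "single-tenant enclave"
    return "multi-tenant with controls"


def place(w: Workload) -> Placement:
    """Walk the tree top-down and return the binding placement it implies."""
    if w.jurisdiction not in DATA_LOCALIZATION_BAND:
        raise ValueError(f"jurisdiction {w.jurisdiction!r} is not in the matrix")
    band = DATA_LOCALIZATION_BAND[w.jurisdiction]
    iso = isolation_overlay(w)
    path: list[str] = []

    path.append("D01:" + ("yes" if w.payment_rail_or_sif else "no"))
    if w.payment_rail_or_sif:
        return Placement("STRICT", STRICT_RAIL, iso, tuple(path))

    path.append("D02:" + ("yes" if w.handles_pii_or_regulated else "no"))
    if not w.handles_pii_or_regulated:
        # ASSUMPTION (see module docstring): non-PII, non-regulated work lands on LIGHT.
        return Placement("LIGHT", LIGHT_DATA, iso, tuple(path))

    path.append(f"D03:{band.value}")
    if band is Band.STRICT:
        return Placement("STRICT", STRICT_DATA, iso, tuple(path))
    if band is Band.MODERATE:
        return Placement("MODERATE", MODERATE_DATA, iso, tuple(path))

    path.append("D04:" + ("yes" if w.transfer_basis_in_place else "no"))
    if w.transfer_basis_in_place:
        return Placement("LIGHT", LIGHT_DATA, iso, tuple(path))
    return Placement("MODERATE", MODERATE_HOLD, iso, tuple(path))


if __name__ == "__main__":
    # Constructed sample: the same PII-bearing workload sited in four jurisdictions,
    # with a transfer basis in place only for SG.
    for code in ("CN", "MY", "SG", "AU"):
        p = place(Workload(code, False, True, transfer_basis_in_place=(code == "SG")))
        print(code, p.terminal, p.isolation, "/".join(p.path))
```

Recording `path` alongside the terminal is what turns the tree into an audit artefact: a reviewer can see which decision moved a workload offshore, not just that it ended up there.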
Reference

Glossary

Abbreviations, instruments, and architectural terms used throughout this brief.

A.01

Regulators & Supervisory Bodies

BI · Indonesia
Bank Indonesia

Central bank; owns payment-system oversight and the PBI instruments that mandate onshore processing for domestic payments.

OJK · Indonesia
Otoritas Jasa Keuangan

Integrated financial-services authority; regulates banking, capital markets, and non-bank institutions. Issues POJK circulars governing IT risk and data.

RBI · India
Reserve Bank of India

Central bank and banking regulator; author of the 2018 Payment Data Localization circular and the IT Outsourcing Master Direction (2023).

FSC · Taiwan
Financial Supervisory Commission

Unified financial regulator; issues Outsourcing Regulations that govern cloud use and cross-border processing for licensed institutions.

FISC · Japan
Center for Financial Industry Information Systems

Industry body that publishes the FISC Security Guidelines — the de facto baseline for control selection in Japanese financial IT.

CAC · China
Cyberspace Administration of China

Cyberspace regulator; administers cross-border data transfer assessments under CSL / DSL / PIPL and operates the security review regime.

HKMA · Hong Kong
Hong Kong Monetary Authority

Central-banking authority; supervises authorized institutions and issues SA-2 (outsourcing), TM-E-1 (cloud) and the Cyber Fortification Initiative.

MAS · Singapore
Monetary Authority of Singapore

Integrated central bank and regulator; publishes the TRM Guidelines and Notices 655 / 644 that shape deployment topology and cyber hygiene.

BNM · Malaysia
Bank Negara Malaysia

Central bank; issues RMiT (Risk Management in Technology) and the Outsourcing Policy Document binding on financial institutions.

APRA · Australia
Australian Prudential Regulation Authority

Prudential regulator for ADIs, insurers, and super funds; issues the CPS prudential standards including CPS 234 and CPS 230.

BOT · Thailand
Bank of Thailand

Central bank; publishes IT Risk and Outsourcing Notifications that govern cloud adoption and outsourced processing by financial institutions.

PDPC · SG · TH · MY
Personal Data Protection Commission

Data-protection authority across several APAC jurisdictions (title used in SG, TH, MY); enforces PDPA obligations and breach notification.

A.02

Legal Instruments & Prudential Standards

PBI · Indonesia
Peraturan Bank Indonesia

Binding regulation issued by BI. PBI 19/14/PBI/2017 is the payment-system localization instrument.

POJK · Indonesia
Peraturan OJK

Binding circular from OJK. POJK 11/2022 sets IT risk and data-management requirements for commercial banks.

GR 71/2019 · Indonesia
Government Regulation 71 of 2019

Defines Electronic System Operator (ESO) scope; splits public-sector ESOs (onshore-only) from private-sector ESOs (cross-border permitted).

Master Direction · India
RBI Master Direction

Consolidated binding guidance from RBI. The IT Outsourcing and IT Governance Master Directions (2023) frame cloud and third-party use.

DPDP Act · India
Digital Personal Data Protection Act 2023

India's omnibus personal-data law; introduces consent-based processing and negative-list cross-border transfer mechanics.

APPI · Japan
Act on Protection of Personal Information

Japan's principal privacy statute; imposes consent and adequacy tests for cross-border transfers of personal data.

CSL · China
Cybersecurity Law (2017)

Foundational PRC cyber statute; introduces CIIO (Critical Information Infrastructure Operator) designation and onshore-storage mandate.

DSL · China
Data Security Law (2021)

Classifies data by importance (General / Important / Core) and regulates transfer and processing accordingly.

PIPL · China
Personal Information Protection Law (2021)

GDPR-style personal-data statute; cross-border transfer requires standard contract, CAC assessment, or certification.

MLPS 2.0 · China
Multi-Level Protection Scheme 2.0

Graded cybersecurity classification (Level 1–5) with prescriptive control baselines; financial workloads typically rated Level 3+.

SA-2 · Hong Kong
HKMA Supervisory Policy Manual SA-2

Outsourcing policy for authorized institutions; governs cloud adoption, exit planning, and supervisory-access rights.

TM-E-1 · Hong Kong
HKMA TM-E-1 Risk Management of E-Banking

Supervisory guidance on internet/mobile-banking risk management; referenced for cloud-resilience and customer-data handling.

CFI 2.0 · Hong Kong
Cyber Fortification Initiative 2.0

HKMA's tiered cyber-resilience framework (C-RAF / iCAST); rolling out through 2026 with sharper threat-intel requirements.

TRM · Singapore
MAS Technology Risk Management Guidelines

Principles-based IT-risk framework binding on MAS-regulated entities; anchors cyber hygiene, resilience, and third-party controls.

Notice 655 / 644 · Singapore
MAS Notices on Cyber Hygiene / Tech Risk

Binding notices prescribing baseline cyber-hygiene controls and reporting obligations for banks and payment-services providers.

RMiT · Malaysia
Risk Management in Technology

BNM policy document setting prescriptive IT-risk, cloud-adoption, and outsourcing requirements for financial institutions.

CPS 234 · Australia
APRA Prudential Standard CPS 234 — Information Security

Binding information-security standard; mandates board accountability, control testing, and incident-notification obligations.

CPS 230 · Australia
APRA Prudential Standard CPS 230 — Operational Risk

Operational-risk, business-continuity, and service-provider management standard; in force from July 2025.

SOCI · Australia
Security of Critical Infrastructure Act

Critical-infrastructure regime; imposes asset-register, risk-management, and mandatory cyber-incident reporting for designated sectors.

CDR · Australia
Consumer Data Right

Economy-wide data-portability regime; accredits recipients and governs open-banking data exchange.

PDPA · SG · TH · MY
Personal Data Protection Act

Personal-data protection statute used (with local variations) in Singapore, Thailand, and Malaysia; governs consent, purpose, and transfer.

A.03

Architectural & Security Concepts

Data Localization
Onshore storage mandate

A binding requirement to store specified data within a jurisdiction's physical borders — often extended to processing and backup copies.

Data Residency
Contractual location commitment

A softer, often commercial notion than localization: a commitment that data will be held in a chosen region, typically not statute-driven.

Workload Isolation
Tenant / network / compute separation

Segregation of regulated workloads from other tenants — at the network, compute, identity, or key-management layer — per regulator expectation.

Legal Entity
In-country incorporated operator

A local, regulator-licensed entity that must itself operate the system — constraining both control plane and contractual structure.

Sovereign Cloud
Jurisdictionally-bounded cloud region

A cloud region operated under local law with staffing, key-custody, and administrative access confined to the jurisdiction.

HSM
Hardware Security Module

Tamper-resistant cryptographic device that generates, stores, and operates on keys; mandated by multiple regulators for card-network and PII workloads.

BYOK / HYOK
Bring / Hold Your Own Key

Customer-controlled key material in cloud KMS; HYOK keeps the key outside the provider's boundary entirely, often in a customer-operated HSM.

SM Crypto · China
ShangMi national cryptographic standards

PRC national algorithms (SM2 asymmetric, SM3 hash, SM4 block cipher) required for regulated financial systems in mainland China.

BCP / DR
Business Continuity / Disaster Recovery

Planning and infrastructure for continued operation through disruption; most APAC regulators prescribe RTO / RPO targets and drill cadence.

CIIO · China
Critical Information Infrastructure Operator

CSL designation that triggers onshore storage, security review of foreign products, and heightened supervisory obligations.

Supervisory Access
Regulator inspection rights

Contractual and technical provisions giving regulators on-site and remote access to outsourced systems and logs; required in most APAC outsourcing rules.

Exit Plan
Third-party unwind blueprint

Documented plan to transition off a critical outsourced service inside a defined window; commonly required for material cloud arrangements.