The AWS Canada West (Calgary) Region is now available
The AWS Canada West (Calgary) Region, also known as ca-west-1, is now available. As Canada's second Region, it allows customers to architect multi-Region infrastructures designed for five nines of availability while keeping data in the country.
This page provides AWS financial institution customers with information about the legal and regulatory requirements in Canada that may apply to their use of AWS services.
Regulations
Can financial institutions use AWS?
Yes. Financial institutions in Canada are permitted to use cloud services, provided that they comply with applicable legal and regulatory requirements, such as those described below.
Who are the financial regulators?
The Office of the Superintendent of Financial Institutions (“OSFI”) is the federal regulator for all banks in Canada, as well as federally incorporated or registered trust and loan companies, insurance companies, cooperative credit associations, fraternal benefit societies and private pension plans. OSFI supervises federally regulated financial institutions and pension plans to determine whether they are in sound financial condition and compliant with applicable requirements. It also issues regulations and guidance that may affect how financial services customers use AWS.
The Bank of Canada, Canada’s central bank, has direct oversight over clearing and settlement systems, i.e., financial market infrastructures (FMIs). The Bank of Canada can designate certain FMIs as “prominent payment systems” or “systemically important FMIs” and requires designated FMIs to comply with its risk management standards.
Each Canadian province and territory has its own regulator to enforce securities regulations. The Canadian Securities Administrators is an umbrella organization composed of the securities regulators from each province and territory, with the objective of improving, coordinating, and harmonizing securities regulation across Canada.
What regulations apply to financial institutions using AWS?
Financial institutions in Canada may be subject to a number of different legal and regulatory considerations when they use cloud services. Relevant regulations and guidelines for federally regulated financial institutions (“FRFIs”) include:
OSFI Guideline No. B-10 sets out OSFI’s expectations for managing risks associated with third-party arrangements. The Guideline applies to all third-party arrangements including cloud services, but OSFI’s expectations are scaled based on the assessed level of risk and the criticality of the arrangement to the financial institution’s operations. B-10 includes specific expectations for the management of technology and cyber risk in third-party arrangements, as well as expectations specific to cloud adoption.
OSFI Guideline No. B-13 outlines OSFI's expectations for the sound management of technology and cyber risk. While there are no requirements specific to cloud services, the outcomes, principles, and expectations apply to all aspects of technology and cyber risk management, including cloud computing.
OSFI Guideline No. E-21 sets out OSFI’s expectations for regulated entities’ management of operational risk, defined as "the risk of loss resulting from people, inadequate or failed internal processes and systems, or from external events." While not specific to the use of cloud, the expectations in this guideline apply to all aspects of a regulated entity's operations, including those enabled by cloud services.
OSFI’s advisory on Technology and Cyber Security Incident Reporting governs how federally regulated financial institutions should disclose and report technology and cyber security incidents to OSFI.
OSFI has also released an updated Cyber Security Self-Assessment that helps FRFIs gauge and improve their current state of readiness with respect to emerging cyber threats. The Cyber Security Self-Assessment examines an FRFI's capability to respond to a cyber incident in areas ranging from organization and resources to how it manages threats, risks and incidents, and allows FRFIs to rate each element on a scale from non-existent to continuous improvement.
The Bank of Canada has published risk-management standards for designated FMIs based on the “Principles for FMIs” established by the Bank for International Settlements (BIS) Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO). In addition to these general standards for risk management, the Bank of Canada has published specific guidelines on Expectations for Cyber Resilience of Financial Market Infrastructures and Cyber and Information Technology Incident Reporting.
Regulations are changing rapidly in this space, and AWS is working to help customers proactively respond to new rules and guidelines. AWS encourages its financial institution customers to obtain appropriate advice on their compliance with all laws, regulations and guidelines, federal and provincial, that are relevant to their business.
Key considerations for financial institutions using AWS
AWS is committed to offering customers a strong compliance framework and advanced tools and security measures that customers can use to evaluate, meet, and demonstrate compliance with applicable legal and regulatory requirements.
Financial institutions that are using or planning to use AWS services can take the following steps to better understand their compliance needs:
1. Consider the purpose of the workload(s) under consideration and the relevant categories of data in order to anticipate which legal and regulatory requirements may apply.
2. Assess the level of risk and criticality of the relevant workload(s) with respect to the financial institution’s operations. Guideline No. B-10 outlines considerations for assessing the risk and criticality of third-party arrangements.
3. Review the AWS Shared Responsibility Model and map AWS responsibilities and customer responsibilities according to each AWS service that will be used. Customers can also use AWS Artifact to access AWS’s audit reports and conduct their assessment of the control responsibilities.
Customers that have further questions about how AWS services can enable their security and compliance needs, or that would like more information, can contact their account representative.
Key data privacy and protection considerations for financial institutions using AWS
Financial institutions in Canada using AWS should also consider applicable privacy requirements, including Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), a federal law regulating the collection, use, and disclosure of personal information in the course of commercial activities across Canada, except where a province has enacted substantially similar legislation that applies instead.
Certain provinces (currently Alberta, British Columbia, and Quebec) have adopted private-sector privacy legislation deemed substantially similar to PIPEDA. Customers should consult their own legal advisors to understand the privacy laws to which they are subject. An updated list of privacy regulations can be found in the Data Privacy Center.
The AWS whitepaper Using AWS in the Context of Common Privacy and Data Protection Considerations provides useful information to customers using AWS cloud services to store or process personal data.
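The Region announcement at the top of this page notes that a second Canadian Region lets customers keep data in the country. One preventive control that enforces that boundary at the API level is an AWS Organizations service control policy (SCP) that denies requests outside the two Canadian Regions. The policy below is an added illustration, not a policy published by AWS or taken from this page; the `Sid` value and the list of exempted global services are assumptions that a customer would tailor to its own footprint.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsOutsideCanadianRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*",
        "budgets:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["ca-central-1", "ca-west-1"]
        }
      }
    }
  ]
}
```

The `aws:RequestedRegion` condition key matches the Region a request is sent to; the `NotAction` list keeps global (Region-less) services usable and must be reviewed against the services the institution actually depends on, since an over-broad exemption weakens the control and an over-narrow one breaks account operations. Attach the policy to the organizational unit holding the regulated workloads. Two caveats: SCPs do not apply to the management account, and the policy only blocks new API requests outside the allowed Regions; it does not move or delete data already stored elsewhere, and replication or backup features the customer has configured to other Regions should be reviewed separately.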
Resources
Country-specific
Canadian Centre for Cyber Security (CCCS) Assessment
The Canadian Centre for Cyber Security (CCCS) is Canada’s authoritative source of cyber security expert guidance for Canadian government, industry, and the general public. Public and commercial sector organizations across Canada rely on the CCCS Cloud Service Provider (CSP) Information Technology Security (ITS) Assessment Process in their decision to use Amazon Web Services (AWS).
This guide provides information to assist Canadian defence and security organizations that are regulated by Public Services and Procurement Canada (PSPC) under the Controlled Goods Program (CGP) as they adopt and accelerate their use of the Amazon Web Services (AWS) Cloud.
The guide describes the respective roles that the customer and AWS each play in managing and securing the cloud environment, provides an overview of the regulatory requirements and guidance from PSPC, and provides additional resources that defence and security organizations can use to design and architect their AWS environment to be secure and meet CGP regulatory expectations.
This guide provides information to assist federally regulated financial institutions in Canada as they accelerate their use of Amazon Web Services (AWS) cloud services. It describes the respective roles that the customer and AWS each play in managing and securing the cloud environment, and provides an overview of regulatory requirements and guidance applicable to the use of AWS cloud services.
General
Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 on AWS
This guide provides customers with sufficient information to plan for and document the Payment Card Industry Data Security Standard (PCI DSS) compliance of their AWS workloads. This includes selecting controls that meet specific PCI DSS 3.2.1 requirements, planning evidence gathering to meet assessment testing procedures, and explaining their control implementation to their PCI Qualified Security Assessor (QSA). Note that PCI DSS v3.2.1 was retired by the PCI Security Standards Council on 31 March 2024 and assessments now take place against PCI DSS v4.0; customers should map the guidance here to the current version's requirements.
This document provides information to assist customers who want to use AWS to store or process content containing personal data, in the context of common privacy and data protection considerations. It will help customers understand: the way AWS services operate, including how customers can address security and encrypt their content; the geographic locations where customers can choose to store content and other relevant considerations; and the respective roles the customer and AWS each play in managing and securing content stored on AWS services.
AWS has many compliance-enabling features that you can use for your regulated workloads in the AWS cloud. These features allow you to achieve a higher level of security at scale. Cloud-based compliance offers a lower cost of entry, easier operations, and improved agility by providing more oversight, security control, and central automation.
The purpose of this paper is to describe how AWS and our customers in the financial services industry achieve operational resilience using AWS services.
This paper provides insight into classification schemes for public and private organizations to leverage when moving data to the cloud. It identifies practices and models currently implemented by global first movers and early adopters, examines how implementation of these schemes can simplify cloud adoption, and recommends practices to harmonize national requirements to internationally recognized standards and frameworks.
This paper addresses: the real and perceived security risks expressed by governments when they demand in-country data residency; the commercial, public sector, and economic impact of in-country data residency policies, with a focus on government data; and considerations for governments to evaluate before enforcing requirements that can unintentionally limit public sector digital transformation goals and lead to increased cybersecurity risk.
This document is intended to provide information to assist AWS customers with integrating AWS into their existing control framework supporting their IT environment. This document includes a basic approach to evaluating AWS controls and provides information to assist customers with integrating control environments. This document also addresses AWS-specific information around general cloud computing compliance questions.
This guide provides guidelines for systematically reviewing and monitoring your AWS resources for security best practices.
Compliance Programs
CSA
ISO 27018
ISO 9001
GDPR
ISO 27001
PCI DSS Level 1
ISO 27017
SOC
We are continually adapting to evolving regulations. Check often for updates.