[Logo of the Palestine Monetary Authority]
Palestine Monetary Authority
PALESTINE MONETARY AUTHORITY
Instructions No. (6) of 2022
Regarding the Regulation of the Information Technology Environment
Based on the provisions of Law Decree No. (9) of 2010 regarding Banks, particularly Articles (43) and (72) thereof,
in accordance with the powers delegated to us,
and to achieve the public interest,
we have issued the following Instructions:
Article (1)
Definitions
The words and phrases contained in these Instructions shall have the meanings specified below, unless the context indicates otherwise:
- Cloud Computing: A remote service provided over the internet by a service provider to a user in a shared environment owned by the provider, enabling the user to benefit from various services at any time and from any location, such as Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS).
- Software as a Service (SaaS): Renting software and applications from a service provider according to a pay-per-use model.
- Platform as a Service (PaaS): Providing a complete environment to the user that includes an operating system, programming language execution environment, databases, and web servers, enabling the user to develop, run, and deploy their own applications on the cloud infrastructure and control their settings.
- Infrastructure as a Service (IaaS): Providing the necessary hardware, servers, and technologies to enable the user to deploy, run, and control their own operating systems and applications.
- Co-Location Service: Renting space from a service provider to host the bank's primary data center, disaster recovery site, or high-availability data center, or part thereof, so that it operates without any intervention from the provider, while the provider supplies the necessary space, cooling systems, power, physical security, and privacy.
- Service Provider: The entity that provides cloud computing or co-location services.
- User: The bank that uses cloud computing or co-location services.
- Primary Data Center: The space occupied by devices, equipment, and systems through which data is processed and stored, including infrastructure, security, and protection systems.
- High Availability Data Center: A backup data center that holds a live copy of the primary data center's systems and data, identical to them and available at all times.
- Core Banking System: The system used to provide and conduct banking operations permitted by law, which includes recording, posting, and classifying financial and banking transactions.
- Disaster Recovery Site (DRS): The backup site for the primary data center that the bank may use temporarily to restore its operations to normal in the event the primary data center experiences any failure or natural disaster that causes work to stop.
- Critical Operations: Operations whose interruption cannot be tolerated for a period determined based on a business impact analysis.
- Recovery Time Objective (RTO): The acceptable time period to restore activities, operations, and services after an event occurs.
- Recovery Point Objective (RPO): The maximum permissible amount of data loss for the purpose of resuming critical operations when restoring the service.
- Critical Systems: Systems whose interruption or malfunction causes critical operations to fail.
- Data: All information, documents, and records pertaining to a natural or legal person, regardless of form or source, including account transactions, movements, statements, banking and financial dealings, deposits, trusts, obligations, and rented safe deposit boxes that the bank has accessed or obtained.
- Data Confidentiality: Maintaining all data obtained by the bank, as well as financial transactions and movements, and protecting them from unauthorized access and viewing.
- Data Privacy: Taking all necessary measures and precautions to ensure that no client-specific data or information is disclosed to any parties or used for other purposes without the client's prior consent.
Article (2)
Objective and Scope of Application
- The provisions of these Instructions aim to regulate the information technology environment of banks and enable them to manage their operations effectively and securely.
- The provisions of these Instructions apply to all banks licensed by the Palestine Monetary Authority to conduct banking business in Palestine.
Article (3)
Cloud Computing Service
A bank may use cloud computing, provided it complies with the following:
1. Obtain prior written approval from the Palestine Monetary Authority before using cloud computing services for critical systems and systems containing sensitive data, and notify the Palestine Monetary Authority only for other systems.
2. If the system is hosted outside Palestine, the bank must comply with the following:
a. Ensure permanent availability of the core banking system within Palestine.
b. Transfer data between sites in real-time and ensure achievement of Recovery Time Objective and Recovery Point Objective values in accordance with the provisions of paragraph (4) of this Article.
c. Continuously monitor the high-availability site and conduct periodic inspections.
3. Take all measures to ensure data and system confidentiality, accuracy, and availability, and apply technical controls that guarantee data security, integrity, and privacy, protecting them from unauthorized access, use, or modification on communication lines, storage devices, and databases. Conduct due diligence when selecting a service provider, and ensure that legislation regarding data protection, confidentiality, anti-money laundering, and counter-terrorism financing exists in the service provider's country.
4. Establish disaster recovery procedures, provided they comply with the following regarding critical operational processes:
a. Take all measures to prevent the loss or destruction of any data pertaining to the bank's operations.
b. Take all measures to prevent the interruption of systems used in critical operations, provided that an availability rate of no less than 99.95% is maintained.
c. Procedures and measures must include verifying the readiness of the disaster recovery site and conducting specific inspections.
5. Provide a daily backup of data and information for systems, inspect them to ensure integrity, and store them in a secure and accessible location at all times.
An SLA level of 99.95% uptime/availability corresponds to the following periods of allowed downtime/unavailability:
- Daily: 43s
- Weekly: 5m 2s
- Monthly: 21m 54s
- Quarterly: 1h 5m 44s
- Yearly: 4h 22m 58s
Source for these figures: uptime.is/99.95
6. Provide the Palestine Monetary Authority with a report from a specialized company regarding compliance with the provisions of these Instructions and one of the information security standards for cloud services, specifically the Cloud Controls Matrix (CCM) standard or any similar standard approved by the Palestine Monetary Authority.
Article (4)
Co-Location
1. A bank may rent a site to host the primary data center, disaster recovery site, or part of either, provided it complies with the following:
a. Obtain prior written approval from the Palestine Monetary Authority.
b. If a site is rented to host the core banking system outside Palestine, the bank must comply with the following:
1. Ensure permanent availability of the core banking system within Palestine.
2. Transfer data between sites in real-time and ensure achievement of Recovery Time Objective and Recovery Point Objective values in accordance with the provisions of paragraph (d) of this Article.
3. Continuously monitor the high-availability site and conduct periodic inspections.
c. Take all measures when renting a site to ensure data and system confidentiality, privacy, accuracy, and availability, by providing all tools and implementing technical controls that guarantee data and information security, integrity, and encryption on communication lines and storage devices. Conduct due diligence when selecting a service provider, and ensure that legislation regarding data protection, confidentiality, anti-money laundering, and counter-terrorism financing exists in the service provider's country.
d. Disaster recovery procedures must comply with the following regarding critical operational processes:
1. Take all measures to prevent the loss or destruction of any data pertaining to the bank's operations.
2. Take all measures to prevent the interruption of systems used in critical operations, provided that an availability rate of no less than 99.95% is maintained.
3. Procedures and measures must include verifying the readiness of the disaster recovery site and conducting specific inspections.
e. Establish effective monitoring mechanisms for the bank's devices and systems at the rented site, provided they include the following:
1. Monitoring and access control policies and procedures.
2. Security and protection procedures for the bank's server vaults.
3. Monitoring procedures for servers, network devices, protection devices, and storage units, covering critical logs and alerts, which must be retained for no less than one year in the live system copies.
f. The rented site for the primary data center and the disaster recovery site must differ in their likelihood of exposure to the same threats.
2. Subject to the provisions of paragraphs (1/c, 1/e) of this Article, a bank may rent a site to host a high-availability data center and switch to it, provided it obtains prior written approval from the Palestine Monetary Authority and provides procedures that ensure no data loss during the automatic switch, and that data transfer between the primary data center site and the high-availability site is in real-time, ensuring achievement of Recovery Time Objective and Recovery Point Objective values in accordance with the provisions of paragraph (1/d) of this Article.
3. The service provider is prohibited from performing any work on behalf of the bank regarding the bank's devices and servers hosted with it, except in emergency cases.
4. Provide the Palestine Monetary Authority with a report from a specialized company regarding compliance with one of the information security standards for hosted services, specifically the PCI DSS, ISO 27001, or CCM (Cloud Controls Matrix) standards regarding physical security, or any similar standard approved by the Palestine Monetary Authority.
5. The bank must obtain prior written approval from the Palestine Monetary Authority before transferring the primary data center, disaster recovery site, high-availability data center, or any part of them to a service provider previously approved by the Palestine Monetary Authority.
Article (5)
Primary Data Center and Disaster Recovery Site
When establishing its own primary data center or disaster recovery site, a bank must comply with the following:
- Obtain prior written approval from the Palestine Monetary Authority for the site.
- Provide the Palestine Monetary Authority with a compliance certificate from an independent body regarding the site's facilities according to one of the international standards approved by the Palestine Monetary Authority.
- Equip the site with the necessary systems, applications, and technological solutions to protect information systems and infrastructure.
- The primary data center site and the disaster recovery site must differ in their likelihood of exposure to the same threats.
Article (6)
Core Banking System
A bank must provide a core banking system that meets the following conditions:
- It must meet all banking business needs for recording basic financial and banking transactions for customers and the bank, and support process centralization across all bank activities.
- It must be updated and developed with the latest versions from the vendor, and the bank must provide the Palestine Monetary Authority with a report every two years regarding the differences between its current version and the latest version available from the vendor.
- It must maintain the confidentiality, accuracy, privacy, and availability of data and banking services, enforce the principle of dual control, and be able to connect and integrate with other systems.
- All operating systems, databases, and applications used must be properly licensed.
- It must be capable of providing information and reports to users and various regulatory authorities.
Article (7)
Service Provider Conditions
When selecting a service provider, a bank must ensure it meets the following conditions:
- It must be licensed by relevant authorities.
- It must be capable of complying with the performance standards defined by the bank.
- It must have internal controls and an approved cybersecurity policy.
- It must have emergency and business continuity plans regarding the outsourced services, and these plans must comply with all effective instructions issued by the Palestine Monetary Authority.
- It must be financially sound and capable of complying with all contract terms with the bank.
- It must have sufficient and appropriate physical and human resources to manage and monitor the outsourced service, and its employees must hold specialized professional certifications.
- There must be no political, economic, or social factors in the country where the service provider operates that could affect the provision of cloud computing or co-location services.
Article (8)
Contracting with Service Provider
Before contracting with a service provider, a bank must comply with the following:
- The contract concluded with the service provider must specify data storage locations and deletion procedures upon contract termination.
- The service provider must commit to the following:
a. Protecting the bank's data from unauthorized, accidental, or illegal access, disclosure, alteration, loss, or destruction.
b. Not using the bank's data for any other purposes.
c. Not transferring, storing, or processing the bank's data outside the agreed permanent or temporary location without obtaining the bank's prior consent.
d. Ensuring free and easy access to systems at all times.
e. Providing 24/7 technical support.
f. Immediately notifying the bank of any operational events that may affect the bank's data or electronic services.
g. Obtaining the bank's consent before the service provider subcontracts any cloud computing or co-location services to a third party.
- Maintain an updated register containing documents and information related to cloud computing and co-location services.
Article (9)
Application Requirements
Before contracting for cloud computing or co-location services to host a primary data center, disaster recovery site, high-availability data center, or part of any of them, a bank must submit an application for prior written approval from the Palestine Monetary Authority, accompanied by the following documents and records:
- All documents and records in accordance with the provisions of the effective Outsourcing Instructions issued by the Palestine Monetary Authority.
- A report regarding the service risk assessment and risk management procedures.
- A compliance certificate from an independent body proving that the service provider complies with one of the standards stipulated in Article (3) paragraph (6) and Article (4) paragraph (4), as applicable.
- A legal opinion from a legal advisor in the service provider's country regarding effective laws and legislation for data protection, confidentiality, and disclosure, if the service provider is outside Palestine.
- The bank's procedures and technical controls regarding data and information protection, security, integrity, and privacy, as stipulated in Article (3) paragraph (3) and Article (4) paragraph (1/c), as applicable.
- The bank's disaster recovery procedures, as stipulated in Article (3) paragraph (4) and Article (4) paragraph (1/d), as applicable.
- Effective monitoring and auditing procedures for the outsourced service at the provider, as stipulated in Article (4) paragraph (1/e).
- The nature and classification of data and information retained at the service provider and their storage locations.
- A strategy and action plan for service termination procedures under the contract.
- Provide the Palestine Monetary Authority with documents and records supporting the information in Article (7) of these Instructions.
Article (10)
Governance
A bank must comply with the following:
- Adopt and continuously update policies and procedures specific to cloud computing and co-location services, especially upon any material change, provided they include the following:
a. Main objectives of usage.
b. Systems and data to be outsourced to the service provider, classified by importance, risk level, and sensitivity, particularly regarding cloud computing and its types.
c. Cloud model regarding infrastructure, software, and platform services.
d. Security and technical controls and standards.
e. Data retention mechanisms, storage locations, and disposal mechanisms.
f. Monitoring and auditing mechanisms.
- Assess and manage risks associated with cloud computing and co-location services, and review them continuously and upon any material change.
- Monitor the service provider's compliance with contract terms.
- Be capable of keeping pace with technological development and continuously updating the service.
- Update business continuity, disaster recovery, and crisis management plans for cloud computing and co-location services in accordance with the Business Continuity Instructions issued by the Palestine Monetary Authority.
Article (11)
Information Security
A bank must comply with the following:
- Store encryption and authentication keys in a secure location under dual control, inaccessible to the service provider.
- Store the bank's data independently and isolated from other users' data in the cloud computing service.
- Apply specific access control and user identity controls on systems and data at the service provider, and review them periodically.
- Conduct penetration testing of the outsourced service infrastructure at least once annually and upon any material change.
- Conduct periodic vulnerability assessments of the cloud computing and co-location service infrastructure.
- Enable the audit trail feature and retain a record of all changes and modifications to the bank's data and systems related to cloud computing and co-location services.
- Review and audit login and security event logs, retain them, ensure that only authorized users access data and servers, and periodically review user permissions on systems.
- Provide primary and alternative communication lines from different internet service providers to ensure continuous service delivery.
- Notify the Palestine Monetary Authority of operational events in accordance with effective instructions.
Article (12)
Compliance
A bank must provide the Palestine Monetary Authority annually with the following:
- A compliance certificate for the Payment Card Industry Data Security Standard (PCI-DSS) for any applications related to credit and debit card payments.
- A compliance certificate for one of the international information security standards approved by the Palestine Monetary Authority.
- A gap analysis report between the actual state and the bank's approved information security policy.
- A report on penetration test results at least once annually or upon any material modifications.
- Internal and external audit reports on the technological environment and management's response and remediation timeline, provided the audit scope includes general controls and IT application controls (ITGC & IT Application Control).
Article (13)
Repeal
All provisions conflicting with these Instructions are repealed.
Article (14)
Penalties
Anyone who violates the provisions of these Instructions shall be punished in accordance with the provisions of Law Decree No. (9) of 2010 regarding Banks.
Article (15)
Implementation and Enforcement
All competent authorities shall implement the provisions of these Instructions according to their respective jurisdictions, and they shall apply from the date of their issuance.
Issued in Ramallah, on 2022/06/13.
Dr. Firas Malham
Governor
[Signature]