Data sovereignty & infrastructure: the situation in Asia-Pacific

Jade Ferreol
Marketing Lead
November 11, 2025

Introduction

As financial authorities across the Asia-Pacific (APAC) region build regulations, the core trend is clear: regulators demand control, operational resilience, and accountability over systems essential to market stability.

The question facing every financial institution is how to structure its infrastructure when a complex patchwork of data sovereignty laws and rising resilience standards create significant compliance risks.

This article explores the regulatory landscape in the Asia-Pacific region, where rapid digitalization, acute national security concerns and a new wave of data laws are compelling financial institutions to re-evaluate the infrastructure choices for their most sensitive and critical systems.

The regulatory spectrum: three competing models in APAC

Markets in the region can be categorized into three distinct models:

  • Model 1: The "Sovereign-First" Fortress (Strict Localization)
    This model treats data as a strategic national asset that must, by law, reside and be processed within the country's borders. These rules are often prescriptive, non-negotiable, and driven by national security concerns.
  • Model 2: The "Control & Accountability" Framework (Risk-Based)
    This model is "cloud-friendly" but places the entire burden of risk and accountability on the financial institution. Regulators here don't ban cloud, but they demand that banks prove they can maintain absolute control, auditability, and resilience, even when using a third-party vendor.
  • Model 3: The "Hybrid & Evolving" Model (Prescriptive Privacy)
    These countries blend elements from both models. They may have strong, GDPR-like national privacy laws that govern cross-border transfers for all sectors, while financial regulators add specific, stringent rules for critical systems and consumer data.

Key market analysis: a tour of the regulatory landscape

Here is how key APAC nations fit into this spectrum, defining the operational reality for financial services.

🇮🇳 India

Model: Strict Localization

India has one of the world's most definitive data localization mandates. The Reserve Bank of India (RBI), through its 2018 "Storage of Payment System Data" directive, is unambiguous:

  • Mandate: All data relating to payment systems (end-to-end transaction details, customer information, etc.) must be stored only on systems located within India.
  • Foreign Processing: In cases where foreign processing is necessary (e.g., for a cross-border transaction), the data must be brought back to India and deleted from the foreign servers within 24 hours.
  • Implication: This rule effectively makes standard public cloud architectures non-compliant for India's payment ecosystem. It mandates a fully localized, on-premise or sovereign private cloud infrastructure.

🇨🇳 China

Model: Strict Localization (Archetype)

China's "three-legged stool" of the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL) creates the world's most formidable data governance regime.

  • Mandate: Financial institutions are classified as "Critical Information Infrastructure Operators" (CIIOs). This triggers mandatory local data storage and processing.
  • Cross-Border Transfer: Moving any data offshore is a complex, high-stakes process requiring a mandatory security assessment and explicit approval from the Cyberspace Administration of China (CAC).
  • Implication: The default for all sensitive financial and personal data is 100% localization.

🇮🇩 Indonesia

Model: Strict Localization

Indonesia's regulations, driven by Bank Indonesia (BI) and the Financial Services Authority (OJK), are clear on localization for the financial sector.

  • Mandate: OJK regulations and Government Regulation 71 (GR71) require public-sector and "strategic" data, which includes most core financial and customer data, to be hosted and processed onshore.
  • DR Sites: The rules explicitly require banks to maintain both their primary data center and their disaster recovery (DR) site within Indonesia.
  • Implication: A non-localized model for core banking, payments, or sensitive data is not a viable option.

🇻🇳 Vietnam

Model: Strict Localization

Vietnam's Law on Cybersecurity and its guiding Decree 53 create a sweeping localization mandate.

  • Mandate: The law requires both local and foreign companies providing a range of services (including online payments and e-commerce) to store user data and other "important data" locally for a minimum of 24 months.
  • Implication: While the trigger for foreign firms involves a formal request from the Ministry of Public Security, the legal framework mandates a "local-first" posture for all critical data.

🇸🇬 Singapore

Model: Control & Accountability (Risk-Based)

Singapore is the archetype of the "cloud-first" but "accountability-heavy" model. The Monetary Authority of Singapore (MAS) does not mandate localization.

  • Mandate: MAS's Technology Risk Management (TRM) Guidelines and Outsourcing framework treat cloud as a form of outsourcing. The financial institution remains fully and ultimately accountable for all risks.
  • Control: A bank using a public cloud must be able to prove to MAS that it has robust controls, audit rights, and the ability to ensure data confidentiality and resilience, even in a multi-tenant environment.
  • Implication: Public cloud is widely adopted, but it requires a massive investment in governance, vendor management, and complex audit frameworks to prove control.

🇯🇵 Japan

Model: Control & Accountability (Risk-Based)

Japan, a proponent of "Data Free Flow with Trust," follows a similar philosophy. Its Act on the Protection of Personal Information (APPI) governs transfers.

  • Mandate: The Financial Services Agency (FSA) does not require localization. However, when outsourcing or transferring data (including to a cloud provider), FIs must ensure the vendor meets APPI-equivalent standards of protection.
  • Oversight: This places a heavy burden on vendor due diligence and contractual controls. FIs are directly responsible for any breach caused by their cloud vendor.
  • Implication: Like Singapore, this model favors mature governance and risk-management processes over prescriptive localization rules.

🇵🇭 Philippines

Model: Control & Accountability (Risk-Based)

The Bangko Sentral ng Pilipinas (BSP) has adopted a sophisticated, risk-based approach.

  • Mandate: The BSP's framework on cloud computing and outsourcing emphasizes that the bank's board and senior management are ultimately responsible for all outsourced activities.
  • Stance: The BSP has openly stated (in a joint declaration with MAS) that it views mandatory data localization as an excessive constraint on risk management and security, preferring trusted cross-border data flows.
  • Implication: FIs are empowered to use cloud, but they must be prepared to demonstrate a rigorous, end-to-end risk management and audit process to BSP examiners.

🇰🇷 South Korea

Model: Hybrid & Evolving

South Korea's Personal Information Protection Act (PIPA) is one of the world's strictest privacy laws, with strong consent requirements for cross-border transfers.

  • Mandate: On top of PIPA, the Financial Services Commission (FSC) imposes sector-specific rules. While it has eased its historically restrictive stance on cloud, it still maintains strict controls, especially for "unique identifying information."
  • Implication: This hybrid model creates complexity. FIs must satisfy both a strict national privacy law and specific (and often changing) financial regulations, making infrastructure decisions a moving target.

🇲🇾 Malaysia

Model: Hybrid & Evolving

Malaysia follows a similar hybrid path. Bank Negara Malaysia (BNM) sets the rules for FIs.

  • Mandate: BNM's Risk Management in Technology (RMiT) guidelines do not impose a blanket localization ban. However, they set a very high bar for any "critical system" or sensitive customer data being placed in a public cloud, especially one hosted offshore.
  • Implication: While not a hard "no," the regulatory friction and risk-assessment burden are so high that most FIs opt to keep their core systems and critical data localized to simplify compliance.

🇵🇰 Pakistan

Model: Hybrid & Evolving

The State Bank of Pakistan (SBP) has a clear and prescriptive framework for outsourcing that significantly impacts cloud adoption.

  • Mandate: The SBP holds the financial institution fully accountable. Crucially, outsourcing any material workload to an offshore cloud provider requires explicit, case-by-case approval from the SBP.
  • Implication: This approval requirement acts as a major deterrent to using global public cloud for core functions. It pushes FIs toward on-premise or locally hosted clouds to avoid the complex and uncertain regulatory approval process.

The real trend: a universal reclaiming of control

A common trend links these disparate policies: regulators are universally reclaiming control.

In the "Sovereign-First" countries like India and Indonesia, this control is physical and explicit. They want the data and the systems physically within their borders.

In the "Control & Accountability" markets like Singapore and the Philippines, the control is logical and evidence-based. The regulator is effectively saying, "You can use the public cloud, but you are 100% accountable. You must be able to prove to us, at any time, that you have absolute control over your data, your encryption, and your operational resilience, even if the vendor is a U.S. hyperscaler."

This single trend, the non-negotiable demand for demonstrable control and accountability, is what is reshaping the industry.

What this means for the financial industry

This shift towards control and accountability has profound strategic implications:

Architecture must follow compliance

The deployment model can no longer be solely an IT decision. It is also a critical, frontline compliance and risk decision. The same solution might have to be deployed in a sovereign private cloud in Malaysia and on-premise in India. This forces a more sophisticated, market-by-market analysis before a vendor is even selected, making deployment-agnostic vendors the safest and most future-proof choice.

The vendor is now a compliance partner

This new reality fundamentally changes vendor due diligence. The key question is no longer just "What features does your product have?" but "Can your architecture and your company support our fragmented regulatory map?" A vendor that can only offer a multi-tenant public cloud solution in one region is now a source of significant regulatory risk and a blocker to market entry. Financial institutions must favor partners who demonstrate architectural flexibility and a deep understanding of local compliance.

"Proving control" is the new baseline

In risk-based markets, the focus shifts to evidence. How do you prove that you, and not your cloud provider, control your encryption keys? How do you provide a complete, immutable audit log of all access (including the provider's) to sensitive data? Technology that cannot offer this level of granular control and transparency is unsuitable for high-risk workloads, regardless of its location. This makes sovereign key management, granular access controls, and comprehensive auditability the most critical features in a compliance stack.

Famous last words

Self-hosting your key solution providers allows you to navigate the burdens of data residency with ease, putting the right controls in place without delegating them.

If this topic resonates with your current challenges,

👉 Grab a 30-min slot and we can review your current process together.