Financial Services

Where can information about how Salesforce’s Online Services map to EU Outsourcing Guidelines be found?
Please see Salesforce’s informational paper on Financial Services EU Outsourcing Guidelines Mapping for Online Services here.

Where can I learn more about the EU's Digital Operational Resilience Act and Salesforce's approach to compliance?
Please see Salesforce's FAQ on DORA here.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in Denmark, provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
The Danish Financial Supervisory Authority (in Danish: Finanstilsynet) is responsible for conduct regulation of financial institutions subject to the Danish Financial Business Act (i.e., banks, mortgage credit institutions, investment firms, investment management companies, or insurance companies) and is also the prudential regulator.

What rules and regulations could apply to financial institutions using Salesforce?
Financial institutions may be subject to specific rules under Danish law insofar as the use of Salesforce cloud services constitutes an outsourcing. In that context, the specific rules will depend on the type of financial institution.

The rules are supplemented by nonbinding guidance from EU and Danish authorities. For example, the EBA Guidelines have been published, which apply to credit institutions, investment firms, and payment institutions. Furthermore, the EU Insurance and Occupational Pensions Authority (EIOPA) has published guidelines on system of governance, which includes guidelines on outsourcing by insurance companies. The Danish FSA has also published guidance in the form of, among others, guidelines on the Danish Executive Order on Outsourcing (May 2010) and guidance for the use of cloud services as part of IT-outsourcing (March 2017). The key rules and regulations that may apply to financial institutions in the context of outsourcing are contained in:

Mandatory law:
· AIFMD
· MiFID II
· MiFID II Organisation Regulation
· Solvency II
· Solvency II Delegated Regulation
· UCITS
· The Danish Financial Business Act
· The Danish Executive Order on Outsourcing

Guidance:
· EBA guidelines on outsourcing arrangements
· EIOPA guidelines on system of governance document

What are the key data privacy considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in France, provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
France has two main financial supervisory authorities, the French Autorité de Contrôle Prudentiel et de Résolution (the Prudential Supervision and Resolution Authority or ACPR) and the French Autorité des Marchés Financiers (the Financial Markets Authority or AMF). The ACPR is responsible for supervising French credit institutions, financing companies, investment firms (such as broker-dealers and investment advisers), payment institutions, e-money institutions, and insurance companies. The AMF is responsible for supervising French asset managers and, insofar as business conduct rules are concerned, French investment services providers (i.e., credit institutions authorized to provide investment services and investment firms).

What rules and regulations could apply to financial institutions using Salesforce?
The use of Salesforce cloud services would generally only trigger regulatory requirements insofar as Salesforce cloud services constitute an outsourcing. In that context, the specific rules will depend on the type of financial institution.

For example, MiFID investment firms and credit institutions which are authorized to provide investment services may be required to comply with applicable rules arising from MiFID II as implemented in France. Insurance firms are subject to different rules and requirements. However, these requirements are supplemented by nonbinding guidance by EU and French regulatory authorities. For example, the European Banking Authority has published general guidelines on outsourcing arrangements (February 2019) which apply to credit institutions and investment firms, and payment and e-money institutions (the “EBA guidelines”). There is also guidance for insurance undertakings from the EU Insurance and Occupational Pensions Authority in their guidelines on system of governance document (“EIOPA guidelines”). In February 2020, EIOPA issued guidelines on outsourcing to cloud service providers, which provide guidance to market participants on how the outsourcing provisions set forth in Solvency II, in the Solvency II Delegated Regulation and in EIOPA guidelines need to be applied in the case of outsourcing to cloud service providers. The key rules and regulations that may apply to financial institutions in the context of outsourcing are contained in:

Mandatory law:
· AIFMD
· MiFID II
· MiFID II Organisation Regulation
· Solvency II
· Solvency II, Delegated Regulation
· UCITS

Guidance:
· EBA guidelines on outsourcing arrangements
· EIOPA guidelines on system of governance document

What are the key data privacy considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in Germany, provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
The German Financial Supervisory Authority (BaFin) and the German Central Bank (Bundesbank). The main regulator in Germany is BaFin. BaFin is responsible for supervising all credit institutions, investment firms, capital management companies, and insurance undertakings. BaFin is supported in its supervisory activities by Bundesbank who assist in particular with the allocation of data collected from regulatory reporting and with onsite inspections.

What rules and regulations could apply to financial institutions using Salesforce?
The use of Salesforce cloud services would generally only trigger regulatory requirements insofar as Salesforce cloud services constitute an outsourcing. In that context, the specific rules will depend on the type of financial institution.

For example, credit institutions and investment firms may be required to comply with the requirements imposed by the KWG, WpHG, and the MaRisk. Insurance firms may be subject to rules and requirements imposed by the VAG and the MaGo. Capital investment management companies may need to observe the rules of the KAGB and KAMaRisk. In addition, the European Banking Authority has published general guidelines on outsourcing arrangements (February 2019) which apply to credit institutions and investment firms (the “EBA guidelines”). There is also guidance for insurance undertakings from the EU Insurance and Occupational Pensions Authority (“EIOPA guidance”) in their guidelines on system of governance document. BaFin has also published guidance on outsourcing to cloud service providers which apply to all financial institutions (“BaFin guidance”). The key rules and regulations that may apply to financial institutions in the context of outsourcing can be found below.

Mandatory law:
· AIFMD
· MiFID II
· MiFID II Organisation Regulation
· Solvency II
· Solvency II, Delegated Regulation
· UCITS
· KWG
· WpHG
· VAG
· KAGB

Guidance:
· EBA guidelines on outsourcing arrangements
· EIOPA guidelines on system of governance document
· MaRisk
· MaGo
· KAMaRisk
· BaFin’s guidance on outsourcing to cloud service providers

What are the key data privacy considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in Italy, provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
Banca d'Italia, Commissione Nazionale per le Società e la Borsa and/or Istituto per la Vigilanza sulle Assicurazioni.

Italy has three main regulators, Banca d’Italia (BoI), Commissione Nazionale per le Società e la Borsa (Consob) and/or Istituto per la Vigilanza sulle Assicurazioni (IVASS). BoI is the prudential regulator for the main credit and financial institutions such as banks, investment firms, asset managers. BoI is also responsible for conduct regulation of authorized credit and financial institutions engaging in banking business. Consob is responsible for conduct regulation of authorized investment firms and asset managers. IVASS is the prudential regulator for the insurance and reinsurance undertakings. IVASS is also responsible for conduct regulation of authorized insurance and reinsurance undertakings.

What rules and regulations could apply to financial institutions using Salesforce?
The use of Salesforce cloud services would generally only trigger regulatory requirements insofar as Salesforce cloud services constitute an outsourcing. In that context, the specific rules will depend on the type of financial institution.

For example, MiFID investment firms may be required to comply with applicable rules arising from MiFID2 as implemented in Italy. Banks and insurance undertakings may respectively be subject to different rules and requirements. In addition, the European Banking Authority has published general guidelines on outsourcing arrangements (February 2019) which apply to credit institutions and investment firms (the “EBA guidelines”). There is also guidance for insurance undertakings from the EU Insurance and Occupational Pensions Authority (“EIOPA guidance”) in their guidelines on system of governance document. The key rules and regulations that may apply to financial institutions in the context of outsourcing are contained in:

Mandatory law:
· AIFMD
· MiFID II
· MiFID II Organisation Regulation
· Solvency II
· Solvency II, Delegated Regulation
· UCITS
· BoI Circular 285/2013
· BoI Circular 288/2015
· BoI Resolution 23 July 2019
· BoI Regulation 5 December 2019
· IVASS Regulation 38 2018

Guidance:
· EBA guidelines on outsourcing arrangements
· EIOPA guidelines on system of governance document
· BoI Guidance on Circular 285
· BoI Guidance on Circular 288
· BoI Consob Guidance

What are the key data privacy considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in Luxembourg, provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
The Commission de Surveillance du Secteur Financier or the Commissariat aux Assurances. The Commission de Surveillance du Secteur Financier (CSSF) regulates and supervises, among others, banks, professionals of the financial sector, including investment firms and investment fund managers, including UCITS management companies and alternative investment fund managers. The Commissariat aux Assurances (CAA) regulates and supervises insurance and reinsurance undertakings.

What rules and regulations could apply to financial institutions using Salesforce?
The use of Salesforce cloud services could trigger regulatory requirements applicable to outsourcing for Luxembourg financial institutions insofar as Salesforce cloud services constitute an outsourcing/delegation for the institutions. In that context, the specific rules will depend on the type of financial institution.

Financial institutions and insurance companies are subject to different rules and requirements. In addition, the European Banking Authority has published general guidelines on outsourcing arrangements (February 2019) which apply to credit institutions and investment firms (the “EBA guidelines”). There is also guidance for insurance undertakings from the EU Insurance and Occupational Pensions Authority (the “EIOPA guidance”) in their guidelines on system of governance document. The key rules and regulations that may apply to financial institutions in the context of outsourcing are contained in:

Mandatory Law:
· AIFMD
· MiFID II
· MiFID II Organisation Regulation, Articles 30-32
· Solvency II, Article 38, 49
· Solvency II, Delegated Regulation, Article 274
· UCITS
· FSL
· Insurance Sector Law
· Luxembourg Data Protection Law
· Luxembourg Cyber-Security Law
· Cloud Circular
· Central Administration Circular
· CSSF Circular Letter 18/698
· IML Circular 96/126
· CSSF Circular 17/656

Guidance:
· FAQ on cloud computing
· FAQ on the assessment of IT outsourcing materiality
· EIOPA Guideline on System Governance
· EIOPA Guidelines on Cloud Outsourcing

What are the key data privacy considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in the Netherlands, provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
The Netherlands has two main financial regulators: the Dutch Central Bank (De Nederlandsche Bank, DNB) and the Authority for the Financial Markets (Autoriteit Financiële Markten, AFM). DNB is responsible for prudential regulation and supervises, among others, credit institutions (banks) and insurers. The AFM is responsible for conducting supervision and the main supervisor for, among others, investment firms, managers of alternative investment funds (AIFMs), and managers of undertakings for collective investment in transferable securities (“UCITS managers”), the latter two referred to as “asset managers.”

What rules and regulations could apply to financial institutions using Salesforce?
The use of Salesforce cloud services may generally only trigger regulatory requirements insofar as Salesforce cloud services constitute an outsourcing. In that context, the specific rules will depend on the type of financial institution.

Requirements set out in the FSA and EU regulations are binding. However, these requirements are supplemented by nonbinding guidance by EU and Dutch regulators. For example, the European Banking Authority has published general guidelines on outsourcing arrangements (February 2019) which apply to banks and investment firms (the “EBA guidelines”). There is also guidance for insurance undertakings from the EU Insurance and Occupational Pensions Authority (the “EIOPA guidance”) in their guidelines on system of governance document (“EIOPA guidelines”). In February 2020, EIOPA issued guidelines on outsourcing to cloud service providers, which provide guidance to market participants on how the outsourcing provisions set forth in Solvency II, in the Solvency II Delegated Regulation, and in EIOPA guidelines may need to be applied in the case of outsourcing to cloud service providers. The key rules and regulations that may apply to financial institutions in the context of outsourcing are contained in:

Mandatory law:
· AIFMD
· AIFMD Delegated Regulation
· MiFID II
· MiFID II Organisation Regulation
· Solvency II
· Solvency II, Delegated Regulation
· UCITS
· Dutch Financial Supervision Act, Article 3:18 and Article 4:16
· Decree Prudential Rules, Part 5
· Decree Conduct Supervision, Part 6

Guidance:
· EBA guidelines on outsourcing arrangements
· EIOPA guidelines on system of governance document
· DNB Explanatory Notes
· DNB Risk analysis outsourcing
· DNB Good practice Outsourcing Insurers
· DNB Good practices for managing outsourcing risks
· DNB Good practice information security
· AFM Outsourcing Guidance

What are the key data privacy considerations for considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in Poland, provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
The Polish Financial Supervision Authority (KNF). KNF is responsible for supervising all credit institutions, investment firms, investment funds management companies, pension funds companies, payment institutions, e-money institutions and insurance undertakings. 

What rules and regulations could apply to financial institutions using Salesforce?
The use of Salesforce cloud services would generally only trigger statutory law requirements insofar as Salesforce cloud services constitute an outsourcing. In that context, the specific rules will depend on the type of financial institution.

For example, credit institutions and investment firms may be required to comply respectively with the requirements imposed by the Polish Banking Law and the Polish Act on Trading in Financial Instruments. Investment funds management companies may need to observe the rules of the Polish Act on Investment Funds, whereas pension funds companies may be subject to requirements stipulated in the Polish Act on Pension Funds. Outsourcing requirements for payment and e-money institutions are stipulated in the Polish Act on Payment Services. Insurance undertakings may be subject to rules and requirements imposed by the Polish Act on Insurance and Reinsurance Activity. In addition, the European Banking Authority has published general guidelines on outsourcing arrangements (February 2019) which apply to credit institutions and investment firms (the “EBA guidelines”). There is also guidance for insurance undertakings from the EU Insurance and Occupational Pensions Authority (“EIOPA guidance”) in their guidelines on system of governance document. KNF has also published guidance on outsourcing to cloud service providers which apply to all financial institutions (“KNF guidance on outsourcing to cloud service providers”) along with the respective follow-up in the form of Q&A. On a more general level, KNF also issued recommendations and guidelines on the management of information technology and ICT environment security addressed to specific types of financial institutions. The key rules and regulations that may apply to financial institutions in the context of outsourcing can be found below.

Mandatory law:

· AIFMD
· MiFID II
· MiFID II Organisation Regulation
· Solvency II
· Solvency II, Delegated Regulation
· UCITS
· Polish Banking Law
· Polish Act on Trading in Financial Instruments
· Polish Act on Investment Funds
· Polish Act on Pension Funds
· Polish Act on Payment Services
· Polish Act on Insurance and Reinsurance Activity

Guidance:
· EBA guidelines on outsourcing arrangements
· EIOPA guidelines on system of governance document
· KNF’s guidance on outsourcing to cloud service providers
· KNF’s Q&A to guidance on outsourcing to cloud service providers
· KNF’s Recommendation D On the Management of Information Technology and ICT Environment Security at Banks
· KNF’s Guidelines on the Management of Information Technology and ICT Environment Security at Investment Firms
· KNF’s Guidelines on the Management of Information Technology and ICT Environment Security at Investment Funds Management Companies
· KNF’s Guidelines on the Management of Information Technology and ICT Environment Security at Pension Funds Companies
· KNF’s Guidelines on the Management of Information Technology and ICT Environment Security for Insurance and Reinsurance Undertakings

What are the key data privacy considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

This information is provided to assist in answering questions raised by customers when evaluating Salesforce’s online services. This information is not legal advice. Salesforce urges its customers to consult with their own counsel to familiarize themselves with the supervisory and data protection requirements that govern their specific situations. While we aim to keep this information updated, it may not account for changes after publication.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in Spain, provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
Spain has three (3) main financial regulators:

· Bank of Spain (BoS) is the national central bank and supervises public debt markets, certain financial institutions (establecimientos financieros de crédito), payment services entities, and electronic money entities, among others. In addition, within the framework of the Single Supervisory Mechanism (SSM), BoS is the direct supervisor of the Spanish less significant credit entities along with the European Central Bank that supervises directly any significant credit entities of the eurozone.
· Spanish Securities Market Commission (CNMV) is the regulator responsible for the supervision and inspection of Spanish securities markets and the activity of all those involved in them, such as investment firms, collective investment undertakings, asset managers, securitization vehicles, etc.
· Spanish Insurance and Pension Funds General Directorate (Dirección General de Seguros y Fondos de Pensiones) is the main regulator in charge of supervising the activities of Spanish insurance companies and pension funds.


What rules and regulations could apply to financial institutions using Salesforce?
The use of Salesforce cloud services would generally only trigger regulatory requirements insofar as Salesforce cloud services constitute an outsourcing. The key rules and regulations that may apply to financial institutions in the context of outsourcing are contained in:

Mandatory law:
· MiFID II
· MiFID II Organisation Regulation, Articles 30-32
· UCITS
· AIFMD
· Solvency II, Article 38, 49
· Solvency II, Delegated Regulation, Article 274
· CNMV Circular 1/2006
· CNMV Circular 6/2009

Guidance:
· EBA guidelines on outsourcing arrangements
· EIOPA guidelines on system of governance document

What are the key data privacy considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in Sweden, provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
The Swedish Financial Supervisory Authority (the SFSA) (Finansinspektionen in Swedish).

What rules and regulations could apply to financial institutions using Salesforce?
Financial institutions are subject to varying sector-specific rules insofar as any services they obtain from Salesforce amount to an outsourcing. Guidelines issued by the European Banking Authority are viewed by the SFSA as a common frame of reference for interpretation and application of the varying sector-specific legally mandatory rules. The key rules and regulations that may apply to financial institutions in the context of outsourcing are contained in:

Mandatory law:
· AIFMD
· MiFID II
· MiFID II Organisation Regulation
· Solvency II
· Solvency II Delegated Regulation
· UCITS
· FFFS 2010:3
· FFFS 2013:9
· FFFS 2013:10
· FFFS 2014:1

Guidance:
· EBA guidelines on outsourcing arrangements
· EIOPA cloud outsourcing guidelines
· EIOPA guidelines on system of governance document

What are the key data privacy considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in Switzerland, provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
The Swiss financial regulator is the Financial Markets Supervisory Authority (FINMA). FINMA’s role covers licensing duties, prudential supervisory activities, and enforcement tasks. In addition, systemically important financial market infrastructures (stock exchanges, multilateral trading facilities, trade repositories, etc.) are subject to the oversight of the Swiss National Bank (central bank, SNB). Health insurers are regulated by the Swiss Federal Office of Public Health, not FINMA.

What rules and regulations could apply to financial institutions using Salesforce?
The use of Salesforce cloud services would generally only trigger regulatory requirements insofar as Salesforce cloud services constitute an outsourcing. The key rules and regulations that may apply to financial institutions in the context of outsourcing are contained in:
· FINMA Circular 2018/3, Outsourcing Circular
· Federal Act on Banks and Savings Banks (Bundesgesetz über Banken und Sparkassen, BankG)
· Federal Act on the Swiss Financial Market Supervisory Authority (Bundesgesetz über die Eidgenössische Finanzmarktaufsicht, FINMAG)
· Federal Act on Financial Institutions (Bundesgesetz über die Finanzinstitute, FINIG)
· Swiss Federal Data Protection Act
· FINMA Circular 2008/21, Operational Risks
· Federal Health Insurance Surveillance Act
· Federal Act on the Supervision of Insurance Companies (Bundesgesetz betreffend die Aufsicht über Versicherungsunternehmen, VAG)

What are the key data privacy considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in the U.K., provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
The U.K. has two main financial regulators, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA). The FCA is responsible for conduct regulation of all authorized financial institutions and is also the prudential regulator for financial institutions who are not otherwise regulated by the PRA, such as asset managers and investment firms. The PRA is the prudential regulator for systemically important organizations such as banks, insurers, building societies, and major investment firms.

What rules and regulations could apply to financial institutions using Salesforce?
The use of Salesforce would only trigger financial services regulatory requirements insofar as Salesforce cloud services constitute an outsourcing. The use of Salesforce by a financial institution would amount to an outsourcing insofar as any Salesforce cloud services are a process, service, or activity that would otherwise be undertaken by the financial institution itself. In that context, the specific rules will depend on the type of financial institution. For example, MiFID Investment firms and banks may be required to comply with applicable rules arising from MiFID2 as implemented in the U.K. Insurance firms may be subject to different rules and regulations. The key U.K. rules and regulations that may apply to financial institutions in the context of outsourcing are contained in:

Mandatory law:
· AIFM Law
· MiFID II
· MiFID II Organisation Regulation, Articles 30–32
· Solvency II, Article 38, 49
· Solvency II, Delegated Regulation, Article 274
· SYSC 8
· SYSC 13.9
· SYSC 14.1
· SUP 2.3
· PRA Handbook: Outsourcing Part
· PRA Handbook: Outsourcing Part (for insurers)

Guidance: In addition, the European Banking Authority has published general guidelines on outsourcing arrangements (February 2019) which apply to credit institutions and investment firms (the “EBA guidelines”). There is also guidance for insurance undertakings from the EU Insurance and Occupational Pensions Authority (the “EIOPA guidance”) in their guidelines on system of governance document. The guidelines can be found below:
· EBA guidelines on outsourcing arrangements
· EIOPA guidelines on system of governance document

What are the key data privacy considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in Australia, provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
There are three regulators of Australian financial institutions.
· The Australian Prudential Regulatory Authority (APRA), which regulates institutions across banking, general insurance, life insurance, and superannuation. APRA is the chief prudential regulator.
· The Australian Securities and Investments Commissions (ASIC), which regulates companies, financial markets, and the financial services sector. ASIC is the chief conduct regulator. ASIC regulates companies and financial services more broadly.
· The Australian Securities Exchange (ASX), which regulates market participants (including broker-dealers).

What rules and regulations could apply to financial institutions using Salesforce?
The specific rules depend on the type of financial institution. For example, banks, insurance companies, and superannuation funds are required to comply with the APRA Prudential Standards. Market participants (e.g., broker-dealers) are required to comply with ASX Clear Operating Rules. If a market participant is a bank, or is owned by a bank, it may have to comply with the APRA Prudential Standards and the ASX Clear Operating rules. The ASIC regulatory guides generally apply to all financial services businesses, though some apply only to specific sectors.

APRA’s prudential framework applies to outsourcing arrangements involving material business activities. Some of APRA’s Prudential Standards apply to all APRA regulated bodies, while others apply to specific financial institutions, e.g., banking/insurance/life insurance, health insurance, or superannuation.

Relevant Standards and guidance for banking, insurance, and life insurance institutions are:
· Prudential Standard CPS 231 Outsourcing
· Prudential Practice Guide PPG 231 – Outsourcing
· Prudential Standard CPS 232 Business Continuity Management

Relevant Standards and guidance for RSE licensees (i.e., superannuation trustees) are:
· Prudential Practice Guide: SPG 231 – Outsourcing
· Prudential Standard SPS 232 Business Continuity Management

Relevant Standards and guidance for health insurance institutions are:
· Prudential Standard HPS 231 Outsourcing

Other relevant standards include;
· APRA Prudential Standard: Information Security (CPS 234)
· APRA Prudential Standard: Business Continuity Management (CPS 232)
· APRA Prudential Standard: Risk Management (CPS 220)

What are the key data privacy considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in India, provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
The Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI) and Insurance Regulatory and Development Authority of India (IRDA)

India has three key financial regulators that regulate financial institutions:
· RBI is responsible for management of currency and supervising/regulating financial institutions such as commercial banks and nonbanking financial institutions (NBFCs).
· SEBI has been constituted to protect the interests of investors in securities and to promote the development of, and to regulate the securities markets. Accordingly, SEBI is empowered to regulate inter alia stock-brokers, mutual funds, alternative investment funds, real estate investment trusts, infrastructure investment trusts, investment advisors (collectively, “SEBI regulated entities”).
· IRDA has been empowered to regulate companies in the insurance business.

What rules and regulations could apply to financial institutions using Salesforce?
Insofar as Salesforce cloud services constitute an outsourcing, the requirements under the outsourcing guidelines may be triggered.

Additionally, the RBI Guidelines on Information Security, Electronic Banking, Technology Risk Management, and Cyber Frauds dated April 29, 2011, read with RBI Cyber Security Framework in Banks circular dated June 02, 2016 (“RBI IT Guidelines”), may be applicable to banks; RBI Master Direction — Information Technology Framework for the NBFC Sector dated June 08, 2017, may be applicable to NBFCs (“NBFC IT Guidelines”).

Similarly, SEBI Cyber Security & Cyber Resilience framework dated December 03, 2018, and January 10, 2019, may be applicable to stock brokers and mutual funds (“SEBI Cyber Security Framework”), and insurers may be required to comply with Guidelines on Information and Cyber Security for insurers dated April 07, 2017 (“IRDA Cyber Security Guidelines”).

Some of the key rules and regulations that may apply to financial institutions in the context of outsourcing can be found below:

RBI:
· Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, 2011
· RBI Cyber Security Framework, 2016
· Information Technology Framework for the NBFC Sector 2017
SEBI
· Cyber Security & Cyber Resilience framework for Stock Brokers 2018
· Cyber Security and Cyber Resilience framework for Mutual Funds 2019
IRDA
· Guidelines on Information and Cyber Security for Insurers 2017
· IRDAI (Outsourcing of activities by Indian Insurers) Regulations, 2017

What are the key data privacy considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in Japan, provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
The Financial Services Agency of Japan (the “JFSA”) is the major regulator.

What rules and regulations could apply to financial institutions using Salesforce?
The use of Salesforce cloud services by a financial institution would amount to outsourcing insofar as any Salesforce cloud services are a service that would otherwise be undertaken by the financial institution itself.
There is no unified single outsourcing rule which applies to all financial institutions. The specific rules applicable to outsourcing vary depending on the type of regulated business/financial institution.

Mandatory law:

Banks
· Article 12-2, Paragraph 2 of the Banking Act
· Article 13-6-5 and Article 13-6-8, Paragraph 1 of the Ordinance for Enforcement of the Banking Act

Insurance Companies
· Article 100-2 of the Insurance Business Act
· Article 53-8 and Article 53-11 of the Ordinance for Enforcement of the Insurance Business Act

Trust Business Operators
· Article 22 of the Trust Business Act
· Article 40, Paragraph 6 of the Regulation for Enforcement of the Trust Business Act

Fund Transfer Service Providers (FTSPs)
· Article 50 of the Payment Services Act
· Article 27 of the Cabinet Office Order on FTSPs

Crypto-assets Exchange Service Providers (CESPs)
· Article 63-9 of the Payment Services Act
· Article 13 of the Cabinet Office Order on VCESPs

Money Lending Business Operators (MLBOs)
· Article 10-2 and 10-5 of the Ordinance for Enforcement of the Money Lending Business Act


JFSA Guidance:

· III-3-3-4 of the Comprehensive Guidelines for Supervision of Major Banks, etc. (the "Banking Guidelines")
· II-4-5-2 and II-5-1-2 of the Comprehensive Guidelines for Supervision of Insurance Companies, etc. (the "Insurance Business Guidelines")
· III-4-5, III-5-4 and III-5-5(4) of the Comprehensive Guidelines for Supervision of TBOs, etc. (the "Trust Business Guidelines")
· I-2-3-3-1 of the Administrative Guidelines No.3 (for FTSPs) (the "FTSP Guidelines")
· II-2-3-3-2 of the Administrative Guidelines No.3 (for CESPs) (the "CESP Guidelines")
· II-2-3 of the Comprehensive Guidelines for Supervision of MLBOs (the "MLBO Guidelines")
· III-2-4 and III-2-7 (2) of the Comprehensive Guidelines for FIBOs, etc. (the "FIBO Guidelines")
· Policy towards strengthening Cybersecurity in the Financial field

FISC Guidance:

The guidelines/standards published by Financial Industry Information System (FISC) can be voluntarily observed, including among others:

"Safety Measures Standards/commentary for Computer Systems of Financial Institutions"

What are the key data privacy considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in Singapore, provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
The Monetary Authority of Singapore (“MAS”) is the regulator in Singapore.

What rules and regulations could apply to financial institutions using Salesforce?
Should the use of Salesforce cloud services constitute an outsourcing the Guidelines on Outsourcing may apply to financial institutions. In addition, financial institutions which are banks and merchant banks may be subject to bank secrecy obligations.

The key rules and regulations that may apply to financial institutions in the context of outsourcing are contained in:
· Guidelines on Outsourcing
· Notice 634 Banking Secrecy – Conditions for Outsourcing
· Appendix 1 to Notice 634
· Notice 1108 Banking Secrecy – Conditions for Outsourcing
· Appendix 1 to Notice 1108

What are the key data privacy considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in Canada, provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
Canada has two main financial regulators for federal financial institutions, the Office of the Superintendent of Financial Services (“OSFI”) and the Financial Consumer Agency of Canada (“FCAC”). For securities registrants, there are 13 securities regulatory authorities.

OSFI is an independent agency of the Government of Canada and is responsible for the supervision and regulation of banks, insurance companies, and trust and loan companies. The FCAC ensures that federally regulated financial entities comply with consumer protection measures (at the federal level).

What rules and regulations could apply to financial institutions using Salesforce?
The use of Salesforce cloud services would generally only trigger the following requirements insofar as Salesforce cloud services constitute a material outsourcing.

Financial Institutions:
Certain obligations of more general application would apply to an arrangement for Salesforce cloud services under the Bank Act, OSFI B-10 Guidelines, privacy laws, and potentially anti-money laundering, and consumer protection.

Securities Registrants:
Securities registrants may be subject to some of the above-noted requirements.

What are the key data privacy considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in the United States, provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
The U.S. has several federal regulators responsible for regulating financial institutions. The Federal Reserve Board of Governors (the Federal Reserve) is the central banking system of the United States and is responsible for the supervision of bank holding companies, state-chartered banks that are members of the Federal Reserve System, and the U.S. activities of foreign banking organizations. The Office of the Comptroller of the Currency (OCC) supervises all national banks and federal savings associations, as well as federal practices and agencies of foreign banks. The Federal Deposit Insurance Corporation (FDIC) is the primary federal regulator of state-chartered banks that are not members of the Federal Reserve System, along with state-chartered thrifts. The National Credit Union Administration (NCUA) is the primary regulator of federal credit unions. The Consumer Financial Protection Bureau (CFPB) is responsible for the development of consumer protection regulations applicable to certain financial institutions (banks and non-banks). The Securities and Exchange Commission (SEC) is the primary federal regulator of the securities industry, including investment advisers, broker-dealers, and investment companies. The Commodity Futures Trading Commission (CFTC) is the primary federal regulator of the derivatives industry. The Financial Industry Regulatory Authority Inc. (FINRA) is a self-regulatory organization that regulates member broker-dealers.

In New York State, the New York State Department of Financial Services (NYDFS) regulates state-chartered banks, and licensed financial services companies, insurance companies doing business in the state, among other entities. The New York State Attorney General regulates investment advisers and broker-dealers.

What rules and regulations could apply to financial institutions using Salesforce?
The use of Salesforce cloud services would generally only trigger regulatory requirements insofar as Salesforce cloud services constitute an outsourcing of regulated functions and activities. In that context, the specific rules will depend on the type of financial institution.

The key rules and regulations that may apply to financial institutions in the context of outsourcing are contained in:

Mandatory law:

General
· Dodd-Frank Wall Street Reform and Consumer Protection Act
· Economic Growth, Regulatory Relief, and Consumer Protection Act
· Gramm-Leach-Bliley Act
· New York State Financial Services Laq
· NYS Cybersecurity Regulation

Banks
· Federal Reserve Act
· Federal Deposit Insurance Act
· Federal Credit Union Act
· Bank Holding Company Act of 1956
· Bank Secrecy Act
· Bank Service Company Act
· International Banking Act of 1978
· New York State Banking Law

Broker-Dealers, Investment Advisers, and Investment Companies
· Securities Exchange Act of 1934
· Commodity Exchange Act
· Securities Act of 1933
· Investment Advisers Act of 1940
· Investment Company Act of 1940
· FINRA Rules
· New York State General Business Law, Article 23-A

Insurers
· New York State Insurance Law

Guidance:

General
· Bureau of Consumer Financial Protection, Compliance Bulletin and Policy Guidance; 2016-02, Service Providers

Banks
· Office of the Comptroller of the Currency, OCC Bulletin 2020-46, Joint Statement on Security in a Cloud Computing Environment
· Office of the Comptroller of the Currency, OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance
· Federal Reserve, Supervisory Letter 13-19, Guidance on Managing Outsourcing Risk
· Federal Financial Institutions Examination Council, Outsourcing Technology Services
· Federal Financial Institutions Examination Council, Outsourced Cloud Computing
· Federal Deposit Insurance Corporation, Financial Institution Letter 19-2019: Technology Service Provider Contracts
· Federal Deposit Insurance Corporation, Guidance for Managing Third-Party Risk

Broker dealers, investment advisers and investment companies
· Securities and Exchange Commission, Risk Alert: Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features
· Securities and Exchange Commission, Office of Compliance Inspections and Examinations, Cybersecurity and Resiliency Observations
· NASD (now FINRA), Members’ Responsibilities When Outsourcing Activities to Third-Party Service Providers, NTM 05-48 (specifying certain mandatory requirements as well as guidance

What are the key data privacy considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in Brazil, provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
The National Monetary Council (CMN) and the Central Bank of Brazil (BACEN)

What rules and regulations could apply to financial institutions using Salesforce?
The following rules may apply to financial institutions using Salesforce cloud services in Brazil:
· Resolution No. 4,658 of April 26, 2018 (“Resolution 4,658/2018”)
· Circular No.3,909, of August 16, 2018 (“Circular 3,909/2018”)

These regulations establish several requirements for the outsourcing of data processing and storage and cloud-computing services:
Resolution No. 4,658 of April 26, 2018 (“Resolution 4,658/2018”) is generally applicable to financial institutions and other institutions authorized to operate by the Central Bank. On the other hand, Circular No.3,909, of August 16, 2018 (“Circular 3,909/2018”) is applicable to regulated payment institutions.

What are the key data privacy considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

Can financial institutions use Salesforce?
Yes. Financial institutions are permitted to use cloud services in Mexico, provided they comply with applicable rules and regulations, such as those described below.

Who is the financial regulator?
Mexico has four principal financial regulators:
· the Ministry of Finance and Public Credit (Secretaría de Hacienda y Crédito Público), which regulates financial groups and is in charge of policy and regulation of the financial system in general;
· the Central Bank (Banco de México), which regulates monetary policy, interest rates and foreign exchange transactions;
· the Mexican National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores; the “CNBV”), which regulates banks, broker-dealers, and investment funds; and
· the Mexican National Insurance and Bonding Commission (Comisión Nacional de Seguros y Finazas; the “CNSF”), which regulates insurance companies.

What rules and regulations could apply to financial institutions using Salesforce?
The use of Salesforce cloud services may trigger regulatory requirements applicable to outsourcing for Mexican financial institutions. The specific rules will depend on the type of financial institution.
The key rules and regulations that may apply to financial institutions in the context of outsourcing are contained in:

Banking institutions: Article 317 et seq. of the Banking Circular

Broker-dealers: Article 205 et seq. of the Broker-Dealer Circular

Investment funds: Article 64 Bis 10 et seq. of the Investment Funds Circular

Insurance companies: Rule 12.1.1 et seq. of the Insurance Circular

What are the key data privacy considerations for financial institutions using Salesforce?
See the Regional Privacy Laws section of our privacy website, which includes information and tools to help enable our customer’s success.

How does Salesforce secure Customer Data?

We strongly encourage customers to follow security best practices and use available tools to strengthen the security of their Salesforce instance. Security does not start and end with Salesforce — it is a trusted partnership with our customers.

As set forth in more detail in our SPARC Documentation (available here by selecting the relevant service), Salesforce has implemented technical and administrative security measures designed to protect our services and Customer Data. Salesforce’s technical security measures include protections against system vulnerabilities, logical separation of Customer Data, robust network security, encryption of data in transmission, and options for encryption of data at rest. Salesforce’s administrative security measures include limiting access to Customer Data to those personnel who require such access to perform their current job functions, comprehensive security policies regarding the handling of Customer Data, and robust security training and awareness programs.

Salesforce offers its customers controllable features that permit them to configure the security settings of their respective instances of the Salesforce services as individual customers deem appropriate for the sensitivity of their Customer Data.

For more information on the application security features Salesforce provides, please refer to this help article on Protecting Your Salesforce Organization.

Where can a customer get details of Salesforce’s security and compliance controls?

· Salesforce’s compliance website details our audit/compliance certifications and attestations, e.g., ISO and SOC. This compliance website can be filtered by country and industry.
· Salesforce offers its customers a comprehensive security and privacy framework which is contractually underpinned by the Salesforce DPA. In our DPA, Salesforce contractually commits to maintain appropriate technical and organizational measures designed to protect Customer Data, as set forth in the applicable SPARC Documentation, available here by selecting the relevant service.
· The Salesforce Security Guide, details customer-controllable security features of Salesforce services (including encryption)
· Our trust.salesforce.com website shows real-time information on system performance and security.
· The Salesforce Shield for Financial Services white paper contains further information on additional security measures such as encryption of data, monitoring, and access controls.
· The External Security Assessments in the Trust and Compliance Documentation contain attestations of penetration tests and security assessments performed by third parties for certain Salesforce services.
· Security Health Check: This standard Salesforce feature analyzes your Salesforce org’s security settings against a default or custom baseline. It provides a score and specific recommendations. Refer to the Help and Training article titled “Security Health Check” for additional information.
· Additional resources can be found on the Help and Training Portal and Security page.

Under what circumstances does Salesforce access or use Customer Data?

Salesforce provides contractual assurance to its customers that Salesforce has measures in place designed to maintain the confidentiality of Customer Data and to prevent access to that data by Salesforce, except under specified circumstances. As set out in the DPA, Salesforce processes Customer Data on behalf of customers and only in accordance with their documented instructions for limited purposes: (i) processing under the customer’s agreement with Salesforce for the purchase of online services; (ii) processing initiated by customers’ users in using Salesforce’s services; and (iii) processing to comply with other customer instructions.

How does Salesforce segregate one customer’s data from the data of other customers in its environment?

Salesforce serves its customers through what is known as “multi-tenant” application architecture, designed for security, efficiency, availability, and rapid innovation. A multi-tenant application is one that can be accessed and used by many users simultaneously, with logical separation of data in hardware and software. The logical separation of data is designed to allow each Salesforce customer to view only their “instance” of Salesforce’s services and their associated data. Salesforce’s multi-tenant architecture is analogous to that used to provide online banking and brokerage services (which can also be accessed and used by thousands of users simultaneously through the logical – not physical – separation of data).

How does Salesforce handle Customer Data incidents?

Customer Data incident, management and notification is addressed at Section 7 of the DPA.

How does Salesforce support customer due diligence, ongoing review, and audit?

Salesforce is committed to offering customers a strong compliance framework and advanced tools and security measures. When conducting due diligence and ongoing review customers should gain a clear understanding of Salesforce’s technology and its underlying architecture, and then evaluate how, using Salesforce’s framework, tools and measures, customers may meet and demonstrate compliance with applicable rules and regulations. The following resources can support customers in this regard:

· Salesforce offers its customers audit rights in the DPA and SPARC Documentation, available here by selecting the relevant service.
· Salesforce’s Compliance website details our compliance certifications and attestations. Also, our trust.salesforce.com website shows real-time information on system availability and performance.
· Additional resources and consultation may be available upon discussion with your Account Executive. Please note, Salesforce cannot provide legal advice and will not interpret regulations for customer’s own particular circumstances.
· Further corporate information about Salesforce can be found in the company overview, as well as the "About Us" section on the Salesforce website.

Where can information about Salesforce’s compliance programs be found?

Please see Salesforce’s Compliance Center website detailing our audit/compliance certifications and attestations, e.g., ISO and SOC. This compliance website can be filtered on a country and industry basis.

Where does Salesforce store Customer Data?

Salesforce operates its services and stores Customer Data in a number of locations. Up-to-date information about the storage locations for each service that Salesforce offers can be found in the applicable Infrastructure and Sub-processor Documentation available here by selecting the relevant service.

Does Salesforce use third-party service providers to provide services to customers?

An effective and efficient performance of Salesforce’s services requires the use of Sub-processors. These Sub-processors can include affiliates of Salesforce as well as third party organizations. Salesforce’s use of Sub-processors may require the transfer of Customer Data to Sub-processors for the hosting of Customer Data and related infrastructure support, or for reasons like providing customer support and ensuring the services are working properly. As described in our DPA, Salesforce is liable for the acts and omissions of its Sub-processors and has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in the DPA with respect to the protection of Customer Data.

Up-to-date information about the identity and the location of Sub-processors can be found in the applicable Infrastructure and Sub-processor Documentation available here by selecting the relevant service. Customers may subscribe to notifications of new Sub-processors for each service (see here). Salesforce will notify all subscribed customers of a new Sub-processor before authorizing the new Sub-processor to process Customer Data in connection with the provision of the applicable services. Customers may object to the intended use of a new Sub-processor using the procedure set out in the DPA.

Does Salesforce have business continuity and disaster recovery plans?

Salesforce has a formally documented global business continuity and disaster recovery program. As part of this, Salesforce has staff who are certified business continuity planners and Salesforce employs leading consultants to assist in the ongoing development of business continuity and disaster recovery plans and procedures. This program is overseen by senior management for each of the key functional areas within Salesforce, and is supported by executive leadership at the highest level.

A summary of the Salesforce Business Continuity Plan (as well as information about data replication, reliability, and disaster recovery) can be found in the applicable SPARC Documentation available here by selecting the relevant service.

Salesforce maintains a disaster recovery plan that supports a robust business continuity strategy for the production services and platforms as described on the Disaster Recovery and BCP website.

How and when will Salesforce return Customer Data upon termination of the service agreement?

Salesforce’s customers own their Customer Data and the services are designed to always give customers access to it. In addition, at the end of the agreement, Salesforce returns Customer Data to its customers as per the contractual commitments set forth in the applicable agreement and SPARC Documentation. Information about the return and deletion of Customer Data can be found in the SPARC Documentation available here by selecting the relevant service.

Where can information about Salesforce’s privacy program be found?

The protection of our customer’s data is paramount, and Salesforce is committed to helping our customers on their global compliance journeys in our role as trusted advisor. Our customers trust us to help them build meaningful relationships with their own customers, and Salesforce’s top priority is the security and privacy of the data that we are entrusted to protect.

We have five privacy principles that highlight our commitment and focus on trust: customer control, security, transparency, compliance, and partnership. Our privacy website includes global privacy information, resources and tools (such as Salesforce’s DPA, International Data Transfers FAQ, and documentation to support data protection impact assessments) to help enable our customers’ success.

How does Salesforce handle government requests for access to Customer Data, also known as compelled disclosure requests?

Please see Salesforce’s Principles for Government Requests for Customer Data.