Many banking regulators consider cloud computing to be a form of outsourcing. For supervised financial institutions, use of external cloud computing for material business functions is a regulated activity. Previously issued guidance by financial regulators on outsourcing and offshoring is likely to apply to cloud services, in addition to specific cloud related statements.
Board Level Attention Required
The FFIEC in the US, the FCA in the UK, and APRA in Australia have each taken the position that using third party cloud services in connection with material business functions requires board level attention. This remit includes initial assessments of the appropriateness of the cloud for the service under consideration as well as due diligence of the cloud provider, not only for competency, but also for service integrity and financial strength. The board and senior management of the financial institution have a non-delegable duty to ensure that outsourced cloud services are conducted in a safe and sound manner in compliance with all applicable laws and regulations.
Evaluation Of Service Provider’s Internal Controls
In order to manage the risks associated with outsourcing to the cloud, bank regulators encourage the financial institution to evaluate the cloud provider's internal controls in light of the sensitivity of the data stored, transmitted or processed in the cloud. A number of supervisory authorities have issued detailed guidance on information security in the context of IT outsourcing, and this guidance carries over to cloud-based services. Testing and auditing of security and other internal controls also is required where breaches of security or disruptions in the service can materially impact the financial institution.
Some financial regulators have published requirements for outsourcing and cloud service contracts. Many of these terms focus on the integrity of the bank's data - from information security standards to ownership and privacy terms to data breach requirements. Adequate disaster recovery procedures to mitigate service disruption and termination assistance to retrieve its data upon exit are specifically mentioned. These obligations are imposed equally on sub-suppliers who may provide subcontracted services to the cloud provider.
Banks Increasingly Embrace The Cloud
Regulators' initial failure to grasp the difference in the degree of customer control over the services between outsourced managed services and externally provided "as-a-Service" cloud offerings made some financial institutions slow to embrace the cloud. As cloud offerings have matured to meet higher institutional control standards and regulators have begun to issue cloud specific guidance, more institutions have moved services to the cloud. With some cloud providers, banks have been able to direct that certain data be stored and processed in identified jurisdictions, thereby removing an obstacle to adoption of cloud services. Cloud providers are also becoming more comfortable with regular third party auditing, so as to enable financial institutions to meet their compliance obligations.
Challenges remain for financial institutions in contracting for cloud services in a fully compliant manner. Many regulators require auditing rights for the supervisory authority that extend beyond mere provision of documentation to on-site inspection rights of data centers from which the cloud services are provided, regardless of the jurisdiction in which they are located. Regulators often refuse to execute non-disclosure agreements and can demand access to common infrastructure, such as multi-tenant servers and collocated network equipment. Cloud solution providers focused on the financial services sector understand their financial institution customers require greater transparency, access and control over their data in the cloud, but this can be off-putting and delay concluding cloud agreements for providers who are not as familiar with these regulatory demands.