On July 10, the Federal Financial Institutions Examination Council (FFIEC) issued risk management guidance for depository institutions’ use of cloud computing.  The guidance defines cloud computing generally as “a migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet ‘cloud.’”  The guidance also considers cloud computing to be a form of outsourcing subject to the risk management requirements set forth in the FFIEC Information Technology Examination Handbook for Outsourcing Technology Services.

The key risk management controls for cloud computing identified in the guidance are:

  • Due Diligence – Institutions should conduct due diligence with respect to the cloud computing provider: assess the provider’s controls for protecting the confidentiality and integrity of data stored in the cloud; determine whether data will be stored on servers shared with other clients of the provider and, if so, assess the provider’s access controls; and evaluate the provider’s disaster recovery and business continuity plans.
  • Vendor Management – Institutions may require additional controls to manage cloud computing providers that have little experience with financial institution clients and may determine that retention of a particular provider is unacceptable due to the provider’s unwillingness or inability to satisfy bank regulators’ supervisory guidance.
  • Audit – Institutions’ audit coverage should include outsourced cloud computing.
  • Information Security – Institutions should incorporate cloud computing services into existing information security policies, standards, and practices and ensure that data is protected and access to data is properly restricted.  An institution also should effectively monitor data security threats to the institution’s systems and to the provider’s systems and develop incident response methodologies.
  • Legal, Regulatory, and Reputational Considerations – Institutions should assess the extent to which cloud computing services increase the complexity of complying with applicable legal and regulatory requirements.  In addition, contracts with cloud computing providers should specify the providers’ obligations with respect to institutions’ responsibilities for compliance with privacy laws, for responding to and reporting security incidents, and for fulfilling regulatory requirements to notify customers and regulators of any breaches.
  • Business Continuity – Institutions should determine whether the provider and the provider’s network carriers have adequate plans and resources to ensure institutions’ continuity of operations, as well as the ability to recover and resume operations if an unexpected disruption occurs.
Mike Nonaka

Michael Nonaka is co-chair of the Financial Services Group and advises banks, financial services providers, fintech companies, and commercial companies on a broad range of compliance, enforcement, transactional, and legislative matters.

He specializes in providing advice relating to federal and state licensing and applications matters for banks and other financial institutions, the development of partnerships and platforms to provide innovative financial products and services, and a broad range of compliance areas such as anti-money laundering, financial privacy, cybersecurity, and consumer protection. He also works closely with banks and their directors and senior leadership teams on sensitive supervisory and strategic matters.

Mike plays an active role in the firm’s Fintech Initiative and works with a number of banks, lending companies, money transmitters, payments firms, technology companies, and service providers on innovative technologies such as bitcoin and other cryptocurrencies, blockchain, big data, cloud computing, same day payments, and online lending. He has assisted numerous banks and fintech companies with the launch of innovative deposit and loan products, technology services, and cryptocurrency-related products and services.

Mike has advised a number of clients on compliance with TILA, ECOA, TISA, HMDA, FCRA, EFTA, GLBA, FDCPA, CRA, BSA, USA PATRIOT Act, FTC Act, Reg. K, Reg. O, Reg. W, Reg. Y, state money transmitter laws, state licensed lender laws, state unclaimed property laws, state prepaid access laws, and other federal and state laws and regulations.