Tom Curry

Banks considering migrating core functions to the cloud should exercise some caution, especially in the area of data security. Federal and state bank regulatory agencies are likely to closely monitor bank efforts to guard against data breaches affecting the personal information of the bank’s customers and applicants for bank products. 

While bank regulators encourage responsible innovation in all banks they supervise, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers. 

Banks should establish effective risk assessment and appropriate risk management processes prior to migrating information technology operations to the cloud operating environment, including appropriate design and implementation of network security controls, adequate data loss prevention controls and effective dispositioning of alerts.  

Cloud data services also demand a strong internal audit function and board oversight. Specifically, internal audit teams need to identify, effectively report on and highlight any control weaknesses and gaps in the cloud operating environment to their respective audit committees and boards so they may take effective actions to hold management accountable. 

What’s Required of Banks 

All banks need to comply with the federal banking agencies’ Interagency Guidelines Establishing Information Security Standards in order to engage in safe and sound practices and avoid misconduct. These interagency guidelines are enforceable by law and are not voluntary recommendations that banks can disregard. 


An effective cloud operations risk management plan requires banks to develop comprehensive security controls protecting the bank’s network perimeter; effective controls to identify and protect sensitive customer information contained within the bank’s technology systems and applications; comprehensive processes to prevent and detect unauthorized disclosure of sensitive information sent outside the bank’s technology environment; and effective vulnerability and configuration management controls related to the containerization of objects within the bank’s cloud environment. 

Failure to meet bank regulators’ expectations could result in supervisory criticism and remedial measures if deficiencies exist. Banks considering the use of the cloud for core banking operations would be wise to rigorously test their risk management, internal audit and governance processes.  

Although the federal banking agencies generally are agnostic about new technologies and the technology providers banks choose to use, they expect banks to conduct appropriate and thorough due diligence and, once engaged, to actively monitor their third-party providers and maintain data security. Use of new technologies for core banking functions that are supplied by a limited number of providers can generate increased regulatory scrutiny. Regulatory concerns are magnified if substitutability and resilience issues are present. Banks should be aware of these regulatory considerations when using a public cloud storage provider.

What Regulators Expect 

Banks should look to the April 30 joint statement by the Federal Financial Institutions Examination Council (FFIEC) to understand regulatory expectations on the use of cloud computing services in the financial services sector.  

Although the joint statement is a restatement of existing information technology risk management expectations, it addresses security breaches involving cloud computing services and highlights the importance of bank management’s understanding of the shared responsibilities between cloud service providers and bank clients. The joint statement goes on to give examples of risk management practices for a financial institution’s safe and sound use of cloud computing services and safeguards to protect customers’ sensitive information from risks that pose potential consumer harm. It also provides a list of government and industry resources and references to assist financial institutions using cloud computing services. 

The joint statement urges banks to carefully review their contracts with cloud service providers and fully understand the potential risks involved and how to implement appropriate controls. The FFIEC notes that management’s failure to understand the division of responsibilities for assessing and implementing appropriate controls over operations may result in increased risk of operational failures or security breaches.  

The FFIEC further emphasizes the importance of having processes in place to identify, measure, monitor, and control the risks associated with cloud computing. Failure to implement an effective risk management process for cloud computing commensurate with the level of risk and complexity of the financial institution’s operations residing in a cloud computing environment carries significant regulatory and reputational risks. It may give rise to an unsafe or unsound practice, result in potential consumer harm by placing sensitive customer information at risk, and subject a bank to civil money penalties.

Thomas J. Curry is a partner in Nutter’s corporate and transactions department. Kate Henry and Blake C. Tyler are associates in Nutter’s corporate and transactions department. Curry is former U.S. comptroller of the currency and all are members of the firm’s banking and financial services group.  

Banks Need Effective Risk Management for Cloud Operations

by Banker & Tradesman