Table of Contents
Click to navigate to section
(2) Financial institutions and cloud computing
b. Benefits of cloud computing
c. Risks of cloud computing
(3) Existing regulatory frameworks
a. Outsourcing prerequisites
b. Ongoing obligations
c. Security of data and systems
d. Data residency requirements
e. Business continuity and contingency planning
(4) Facilitating cloud adoption in the financial sector
Cloud computing refers to the use of computing resources over a network (such as the internet) in a manner that scales automatically with demand and allows customers to pay based on their usage. Unlike traditional “on-premises” computing, which typically features the use of proprietary data centers owned or controlled by the organization that they serve, cloud computing involves the provision of relatively standardized services by one service provider to many different customers on a large scale. The cloud model enables customers to outsource the administration of technology infrastructure to cloud service providers and to access computing resources without the up-front capital expenditures necessary for traditional data centers.
Financial institutions, ranging from banks, asset managers and insurers to payments systems providers and securities depositories, currently use cloud services for everything from non-critical services such as email management and app development to core functions such as payment processing and data storage. This report seeks to inform, in three primary ways, the effective regulation and supervision of cloud use by financial institutions:
- Providing background on the use of cloud computing by financial institutions and the associated benefits and risks. We find that the potential benefits of cloud computing are significant: a move to the cloud can enable financial institutions to innovate and deliver new products and services to market more quickly, while also increasing their security and operational resiliency. In addition, the use of cloud computing can facilitate data analytics at massive scale, improving risk management and opening new regulatory frontiers. Though cloud computing may also present some genuine (and in some cases, novel) risks to financial institutions, cloud service providers and financial institutions have taken an active role in addressing those risks.
- Reviewing the existing regulatory and supervisory frameworks for the use of cloud computing by financial institutions. Our comprehensive review of the regulatory and supervisory frameworks currently in place focuses on the United States and the European Union. It is organized around common themes addressed in regulation and supervisory guidance, and highlights points of difference between various jurisdictions. The review should be informative both for international standard setting organizations as well as regulatory agencies that are developing new frameworks for technology outsourcing by financial institutions or are revisiting their existing frameworks.
- Recommending three courses of action in order to reduce obstacles to more widespread cloud adoption by financial institutions. Our recommendations focus on reducing regulatory barriers to cloud adoption by streamlining the due diligence and monitoring process, improving coordination between regulators in different jurisdictions, and continuing to monitor and assess potential industry-level risks of cloud use by financial institutions. We recommend that financial regulators: (i) recognize the utility of having financial institutions jointly audit their shared cloud service providers; (ii) work together to resolve cross-border issues presented by cloud computing on the basis of shared principles; and (iii) continue to engage in a risk-based dialogue on potential industry-level risks posed by widespread cloud adoption by financial institutions.
(2) Financial Institutions & Cloud Computing
From data centers to the cloud
Until the middle of the twentieth century, banking technology was mostly manual. Banks started using computers in the 1950s, with the introduction of the first large commercial computers. In the 1960s, computer technology began to catch on rapidly throughout the financial industry: between 1963 and 1968, the proportion of commercial banks using on-premises or off-premises computers rose from less than one-in-ten to almost half. Initially, computers were used for check processing; later they were used for electronic funds transfer, which enabled the establishment of automated clearinghouses for interbank settlements and ATMs to process financial transactions.
Since banks first began to use computers, they have relied on information technology infrastructure—whether in-house mainframes or external data centers—owned or controlled by non-bank technology companies (in some cases, data centers were maintained in shared facilities by service companies that were co-owned by banks). In the 1980s and 1990s, banks started to use personal computers to interact with that technology infrastructure, replacing older terminal technology; by the mid-1990s, a greater proportion of workers in finance used computers than in any other industry. The use of personal computers enabled access to external networks using internet and email. And the internet had another effect: increasing the number and quality of remote services that banks could offer customers, which in turn placed additional burdens on their IT infrastructure.
To cope with increasing IT demands and in order to offer better and more innovative remote and mobile services to clients, financial institutions have begun to turn from proprietary IT infrastructure to the cloud, using cloud services to support a variety of functions ranging from mobile banking applications to processing credit card transactions and other payments, loan applications, and insurance claims. According to analysis from the U.S. Treasury Department and industry research, migration of core financial services activities to the cloud is expected to increase materially over the next decade, driven by the need to process mas-sive amounts of data and to offer mobile-first digital banking services.
Cloud service models
As noted earlier, cloud computing involves the use of computing resources over a network—usually the internet, but in some cases a private network—in a manner that is scalable with demand. This general description, however, can obscure the fact that cloud computing encompasses a variety of service models. The nature and degree of control and risk that a financial institution assumes when it uses cloud services varies depends on the service model that is adopts.
Cloud services can be divided into three basic models: infrastructure, platform, and software. Infrastructure-as-a-service (IaaS) involves the use of computational infrastructure, such as servers, storage capacity or networking. In the IaaS model, cloud providers control the underlying cloud infrastructure while the customer controls everything from the operating systems to the applications that run on that infrastructure. At the other end of the spectrum, the software-as-a-service (SaaS) model allows customers to run software developed by a third-party service provider on remote cloud servers. The platform-as-a-service (PaaS) model offers more structure than the IaaS model but more flexibility than the SaaS model; it enables the development and use of software by the customer on app hosting and development infrastructure offered by a cloud service provider. Different types of cloud services can be layered on top of each other. For example, fintech startups that offer SaaS services often build their services on a major cloud provider’s IaaS or PaaS service, using basic computing, networking and storage services offered by the cloud provider to provide software services to their clients.
A financial institution’s choice of service model will be shaped by both its needs and tech-nical capabilities. Financial institutions with more in-house technical expertise, whether large banks or small fintech startups, may use infrastructure resources to build entirely new applications. Those with less technical expertise are more likely to use the cloud to run software developed by third parties, which is easier to deploy. In fact, some financial institutions that already run sophisticated risk- and asset-management software on cloud infrastructure have begun to offer that software directly to their own clients as a layered cloud service.
Private and public cloud
In addition to offering different service models, cloud providers also offer different deploy-ment models. “Private cloud” refers to cloud resources that are dedicated to a single customer. A private cloud can be hosted on-premises, where it can be managed by the customer directly, or off-premises at the data center of a cloud provider that creates and manages the cloud exclusively for the customer. “Public cloud”, unlike private cloud, involves the use of standardized, commoditized cloud infrastructure by multiple different customers.
This report focuses primarily on the use of public cloud: the use of computing resources on infrastructure that is owned and managed by a third party and shared with other customers. The reason for this focus is twofold: (1) public cloud offers unique benefits of standardization and commoditization and the associated economies of scale; and (2) the relationship between financial institutions and public cloud providers is fundamentally different from a traditional outsourcing relationship—financial institutions that use the public cloud share computing resources with thousands, if not millions, of other customers located across many different jurisdictions.
b. Benefits of cloud computing
The transition from traditional data centers to the cloud is driven by the significant benefits offered by cloud services. These benefits stem from the availability, on the cloud, of computing resources with improved functionality and reliability and without significant up-front capital expenditures.
Lower costs, increased efficiency
As banking operations have increased in complexity, proprietary data centers have become more expensive. In order to ensure their smooth operation, financial institutions must continually invest in refreshing hardware infrastructure, including infrastructure that exceeds their everyday computing needs. This excess capacity, and the human and organizational resources necessary to manage and maintain it, is necessary to support their highest projected volume requirements—even if that capacity is rarely used.
Cloud technology, by contrast, allows financial institutions to benefit from economies of scale inherent in sharing a cloud provider’s vast resources across its many customers. In addition, cloud providers offer their customers the ability to automatically scale up when additional resources are needed and scale down when demand subsides. By offering a utility-like model that makes computing resources available on demand—where customers pay only for resources that they actually use—cloud computing can eliminate the need for costly over-provisioning.
Automation and metering of cloud resources also contribute to lower technology infrastructure costs by transforming large, up-front capital expenditures into smaller, ongoing operational costs. This translates not just to lower costs for purchasing, support and maintenance of technology infrastructure, but also to increasing agility when financial institutions develop new products and services; the cloud’s scalability allows financial institutions to test new scenarios, software tools and alternative configurations without a lengthy purchasing and provisioning process. Anecdotal evidence suggests that deploying a server on the cloud can take as little as a few minutes, as opposed to the up to nine weeks it can take to deploy a server in a traditional, proprietary data center. Lower technology infrastructure costs can mean lower costs overall, as well as better products and services for end-customers.
Additionally, cloud computing creates a more level playing field between financial institutions of different sizes, by giving small- and medium-sized institutions access to computing resources that were previously only available to larger institutions with the ability to devote significant resources to technology infrastructure. The lower up-front cost of cloud computing also makes it easier for fintech startups to compete with well-established financial institutions, with the potential both for improving services and expanding financial access—particularly to consumers in developing or underserved markets.
Increased security and resiliency
Cloud computing can also be more secure and resilient than traditional platforms. Financial institutions have historically used a mix of technology infrastructures, each typically designed to support a particular set of applications at a given point in time. As banks provided increased internet and mobile access to clients, as well as more flexibility for their internal workforce, those legacy infrastructures became more exposed to cyber threats. That exposure can be severe because many financial institutions are unable to detect penetration of unprotected systems—and even when they are detected, financial institutions are unable to adequately address them due to reliance on manual procedures.
Given the scale at which global cloud providers operate—from hundreds of data centers to transit centers to dispersed development teams—they employ automated mechanisms to detect and remediate issues quickly. Cloud providers can substantially restrict human access to data, thereby mitigating the risks, such as human error, associated with manual processes.
Although some financial institutions, especially larger ones, devote extensive investment and personnel resources to security, small and medium-sized financial institutions cannot. Major cloud providers, by contrast, are at the forefront of security implementation and research. Cloud platforms are built to support the most stringent security requirements: customers can establish and enforce security models in the cloud using best practices, standards, data encryption and activity logging.
Due to the distributed nature of storage and processing in the cloud, as well as the greater computing resources available to cloud providers compared to individual financial institu-tions, the cloud can also provide financial institutions with greater operational resiliency. For example, cloud providers can handle attempts to disrupt a financial institution’s operations (such as a distributed denial-of-service, or “DDoS”, attack) in ways that would be difficult for individual financial institutions to deal with on their own. A DDoS attack attempts to overwhelm a financial institution’s computing resources with increased message traffic; cloud providers make it possible for the financial institution to automatically scale up capacity and redirect incoming traffic to maintain availability.
Similarly, by enabling financial institutions to distribute processes and data across different data centers, cloud platforms allow them to build applications that must be online constantly, even if a particular data center—or an entire region—experiences a disruption. Cloud providers also offer the functionality necessary to quickly move processes and data from one cloud provider to another, increasing the resiliency of financial institutions in the event of a disruption.
Data analysis and regulatory technology
As noted above, the cloud allows financial institutions to access computing resources on demand. Automatic scalability makes cloud computing uniquely suited to analysis of large data sets in real time, allowing users to log and analyze huge volumes of data on a contin-uous basis, rather than in discrete batches. Financial institutions can use cloud-based tools to provide richer data insights on an ongoing basis as part of their everyday operations. Cloud-based data analysis tools can also be leveraged by financial institutions and regula-tors both for better compliance monitoring and for a deeper understanding of risks in the financial system.
As sophisticated data analysis becomes more important for gaining competitive advantages, cloud computing is an increasingly attractive option. Major cloud providers as well as third-party intermediaries offer sophisticated data analysis software that runs on the cloud. Financial institutions, as well as major cloud providers and third-party intermediaries, have developed proprietary analysis tools that run on the cloud; in fact, some financial institutions have begun to make those tools available to other, smaller institutions. By giving financial institutions a real-time picture of their portfolios, these tools allow financial institutions to improve their risk management. The increasing availability of sophisticated data analysis, made possible by the use of cloud computing, not only improves the risk management of individual financial institutions—it can strengthen the health of the financial system as a whole.
Cloud computing also raises new compliance possibilities for financial institutions and regulators alike. By putting better tools in the hands of financial institutions and their supervisors, cloud providers can make it easier, and more efficient, for financial institutions to comply, and for supervisors to monitor compliance, with regulatory requirements. For example, data analysis software running on the cloud can be used by financial institutions and regulators to better detect potential fraud or money laundering. The use of cloud computing can make it feasible for regulators to increase their expectations of financial institutions: facilitating stress testing, for instance, in areas where such tests could not previously have been conducted due to data computation constraints.
Andrew Haldane, chief economist of the Bank of England, famously envisioned a “global financial surveillance system” that “track[s] the global flow of funds in close to real time (from a Star Trek chair using a bank of monitors)” with “a global map of financial flows, charting spill-overs and correlations” as its centerpiece. Haldane’s dream may yet be a ways off, but if it or something like it comes to pass, it will likely be in part due to the widespread adoption of cloud computing by financial institutions and regulators.
c. Risk of cloud computing
While the benefits of cloud computing are significant, the use of cloud services by financial institutions also poses risks. Many of these risks are similar to the risks associated with traditional technology infrastructure, though some are unique. They range from risks associated with the technology underlying cloud computing to operational risks arising out of the relationship between financial institutions and their cloud service providers. Effective risk management requires that financial institutions understand these risks and implement a variety of technical or operational mitigations.
Technical risks associated with cloud computing include capacity planning failures, insecure or incomplete data deletion, and multitenancy and hypervisor vulnerabilities. Capacity planning – dealing with the potential for resource exhaustion – is necessary whether a financial institution uses a traditional data center arrangement or cloud services. As noted earlier, financial institutions that use proprietary data centers typically address the risk of resource exhaustion by overprovisioning, which can be very costly. Even then, they can err in estimating their needs. Financial institutions that move to the cloud effectively delegate many of their capacity planning decisions to cloud providers. Cloud providers, for their part, must predict aggregated demand for computing resources across all their customers in order to meet the needs of their customer base. The nature of their customer base, however, gives them an advantage over managers of traditional data center environments: the demand curve of a very large, heterogeneous customer base is smoother and more predictable than the requirements for any one customer, or even several customers in one industry, because the peaks and valleys of demand of customers or market segments tend to cancel each other out.
Another technical risk is insecure or incomplete data deletion. Deleting data, whether it is stored in the cloud or using traditional technology infrastructure, does not necessarily remove it entirely. In some cases, when a customer stores data in the cloud—even a single dataset—it is not stored in a single facility; to improve durability and redundancy, cloud providers may store that single object across multiple facilities. Once a financial institution deletes its data, the information is not entirely removed from the storage infrastructure. Rather the cloud provider renders the data inaccessible by anyone, and eventually reuses the underlying storage capacity. If a financial institution’s data is not encrypted, that confidential data could be exposed. Financial institutions can mitigate this risk by encrypting their data and subsequently deleting their encryption keys.
While capacity planning failures and insecure data deletion are common to traditional platforms, cloud computing does present novel technical risks. Multi-tenancy—the ability of multiple clients to share the same physical infrastructure—is a unique feature of the cloud model. Multi-tenancy gives rise to the risk that a customer using shared infrastructure will expose their data or other resources to unauthorized parties. Strong cloud architecture ensures that clients do not have access to data and resources that are stored on the same physical infrastructure: cloud providers strengthen the security of individual clients by virtually segregating operations using techniques for network segmentation (such as firewalls) or even micro-segmentation (which allows individual workloads to be isolated).
Cloud services also depend on virtualization—the ability of multiple users to share the same physical infrastructure as if they were running their own separate machines—which relies on a software program called a “hypervisor.” The hypervisor manages the multiple virtual machines that make up the cloud, allocating cloud resources to customers as needed. Hypervisor vulnerabilities, which can subject it to failure or cyber-attacks, present a technical risk that may not exist in traditional technology infrastructure. Cloud providers, however, have developed propriety software and hardware that reduce the vulnerability of their hypervisors to a cyber-attack. In addition, cloud providers engage in ongoing monitoring for anomalous behavior and conduct frequent penetration tests.
Adoption of cloud computing also exposes financial institutions to operational risks, such as “lock-in” risk: the risk that a financial institution will become excessively dependent on a particular service provider. Lock-in risk is not unique to the cloud: financial institutions that contract with third parties to build and maintain traditional data centers tend to enter into long-term contracts that make switching providers during the duration of the contract legally and economically costly. However, financial institutions can address lock-in risk by operating across multiple cloud providers and by using open-source technologies, allowing them to move data and utilize services across different environments (from one cloud provider to another or from the cloud to an on-premises data center). Using these strategies, financial institutions can make it easier to migrate on and off cloud providers than between bespoke managed service providers.
Since cloud services are more standardized than traditional technology platforms, they can be provided to a larger number of different clients in a more automated manner and on a larger scale, potentially increasing the concentration of financial institutions at particular cloud providers. Reliance by financial institutions on a small number of dominant cloud providers may give rise to risk, not only at the level of individual institutions, but also at the level of the financial industry as a whole. To the extent that cloud computing becomes a part of the financial system’s critical infrastructure, the industry-level risk posed by concentration of cloud providers will be of greater concern. However, it is worth noting that concentration risk of this sort is not unique to cloud computing: even when using traditional, tailor-made technology infrastructures, financial institutions have historically become reliant on specific products and services, ranging from semiconductors to managed databases, many of which were produced or provided by a small number of highly dominant providers.
(3) Existing Regulatory Framework
Financial regulators across jurisdictions have promulgated regulations and issued non-binding guidance addressing the use of cloud computing by financial institutions. These guidelines are typically based on their preexisting framework for outsourcing by financial institutions to third-party service providers. This section provides a comprehensive review of regulatory requirements and guidelines for cloud use by financial institutions in different jurisdictions, with a focus on the United States and the European Union.
Although they vary in their stringency and thoroughness, they share several common features. Typically, regulators identify specific risks that must be considered prior to the selection of a service provider and impose ongoing risk assessment and management obligations, including monitoring procedures and recurring audits. Financial institutions are also expected to ensure the security of data and systems in the cloud, especially sensitive customer data. Several regulators impose specific limitations on data use and processing, such as restrictions on the control, and in some cases, location, of data. Financial institutions are also generally expected to plan for contingencies, especially in the event of a service disruption or the termination of a service arrangement with a cloud provider.
Regulatory expectations typically vary based on the relative importance or materiality of functions that are moved to the cloud. The European Banking Authority (EBA), for example, applies stricter criteria where financial institutions outsource critical or important functions that have a strong impact on their risk profile or internal control framework. Supervisory agencies in the United States also impose more stringent obligations when banks outsource critical activities to third-party service providers, including cloud providers. Whether particular functions are important or material is not always well-specified in regulations or other guidance; in general, regulators look to whether the activity relates to a financial institution’s core business operations and whether its failure would materially impair its regulatory obligations, financial performance, or its ability to continue its business activities.
a. Outsourcing prerequisites
Though the prerequisites for adopting cloud services differ across jurisdictions, common themes include a requirement or recommendation that financial institutions undertake a preliminary risk assessment of the cloud service provider and the particular services to be adopted. In addition, regulators often require that financial institutions notify, or obtain ap-proval from, regulators before outsourcing to a cloud service provider—especially when the outsourcing relates to material or important functions.
Outsourcing guidelines published by the Federal Financial Institutions Examination Council (FFIEC), an interagency body comprising the various U.S. bank regulators, provide that a banking institution should perform due diligence on a service provider in order to ensure that the service provider meets the institution’s needs. In its separate informational notice on cloud computing, the FFIEC recommends that, prior to choosing a cloud service provider, a banking institution perform due diligence to ensure that potential cloud service providers will meet the institution’s requirements for cost, quality of service, compliance with regula-tory requirements and risk management. Similarly, the EBA outsourcing guidelines direct a financial institution to conduct a thorough risk assessment with respect to the outsourced activities and undertake due diligence to ensure that the service provider is suitable. This risk assessment process should include deciding on an appropriate level of data confidentiality, service continuity and data and system integrity (as well as consideration of specific measures necessary for data security, such as the use of encryption).
Guidance published by some regulators includes diligence items that are specific to cloud outsourcing. The Monetary Authority of Singapore’s outsourcing guidelines, for example, provide that financial institutions should ensure that cloud service providers possess the ability to identify and segregate user data using strong physical or logical controls and have robust access controls in place to protect customer information. The IT capabilities of cloud providers are also a focus of some outsourcing guidelines: guidance published by the Financial Conduct Authority (FCA), the United Kingdom’s financial regulator, advises financial institutions to take into account a cloud service provider’s adherence to international IT standards.
Regulatory notice and approval
The FFIEC outsourcing guidelines do not specifically require any regulatory involvement before a banking institution moves its activities to the cloud. The EBA guidelines, on the other hand, provide that financial institutions should inform their respective regulatory authorities in a timely manner or engage in supervisory dialogue with competent authorities regarding planned outsourcing of critical or important functions (or where a previously outsourced function becomes critical or important).
Other jurisdictions require regulatory approval for certain kinds of cloud outsourcing. South Korea requires financial institutions to provide the Financial Supervisory Service with a detailed report prior to using the cloud for significant activities, including those that involve unique identifiable information or personal credit information or that otherwise significantly affect the safety and reliability of electronic financial transactions. If regulators deem the due diligence, business continuity plan or security measures undertaken by the financial institution to be inadequate, they can require improvement or supplementation of the report prior to approval. The central bank of the Philippines requires banking institutions that it considers riskier to get approval before outsourcing systems or processes to the cloud. Approval is granted based on an assessment of the bank’s ability to manage the risks associated with cloud outsourcing. Banks that the central bank deems to be safer can outsource to the cloud without prior approval.
b. Ongoing obligations
Mandatory risk assessment and management continues after a financial institution enters into a cloud services agreement. Regulators mandate that the financial institution monitor the cloud service provider, including by engaging in regular audits and obtaining reporting from the provider, as long as the financial institution uses its services. Many regulators also demand that the financial institution obtain certain information and access rights from its cloud service provider, either for the financial institution, its supervisory regulator, or both.
Monitoring and control
Regulators typically require that individual financial institutions monitor their cloud service providers on an ongoing basis. For example, the FFIEC’s outsourcing guidelines provide that banking institutions should monitor their service providers performance on an ongoing basis, with an emphasis on the service provider’s security controls, financial strength, and the effects of any external events. The FFIEC’s notice on cloud computing focuses on monitoring security-related threats, incidents and events affecting both a banking institution’s own and its cloud provider’s networks. The statement also emphasizes that, for high-risk activities, “continuous monitoring may be necessary for [banking] institutions to have a sufficient level of assurance that the servicer is maintaining effective controls.” The EBA guidelines likewise provide that financial institutions should review and monitor the performance of service providers on an ongoing basis using a risk-based approach, with a focus on critical or important functions and ensuring the availability, integrity and security of data and information.
Other regulators require that financial institutions take specific organizational measures as part of their ongoing oversight of service providers, including cloud providers. The Swiss Financial Market Supervisory Authority (FINMA), for example, mandates that, as part of its ongoing monitoring of a service provider, a financial institution designate a unit that is responsible for monitoring and controlling the provider and ensure that its service agreement with the provider gives it the necessary rights for instruction and control. Similarly, guide-lines published by the Monetary Authority of Singapore provide that financial institutions should establish a structure to manage and control their outsourcing arrangements with services providers and lists several baseline measures (including creating reporting policies and procedures, and conducting annual reviews) that financial institutions should follow to ensure that service providers uphold performance, operational, internal control and risk management standards on an ongoing basis.
As part of its ongoing risk assessment and management responsibilities, financial institutions generally are required to audit their cloud service providers. Regulators differ with respect to the extent to which institutions can rely on audits and certifications performed by or for the cloud service provider. While some jurisdictions require that audits of cloud service providers be performed by a financial institution’s internal or external auditors, others allow financial institutions to rely solely on a cloud service provider’s external auditor or internal audit department—as long as the auditor complies with certain regulatory standards.
The FFIEC’s notice on cloud computing recommends that banking institutions make use of auditors to evaluate the adequacy of cloud service providers’ internal controls, and in particular, notes that the assistance of third-party auditors with expertise in evaluating cloud environments may be necessary. Several regulators, including the EBA, authorize community audits organized by a group of financial institutions that appoint a lead auditor from one of the institutions or an independent third-party auditor on their behalf. Community audits are recognized as a means of using audit resources more efficiently and reducing the organizational burden on both participating financial institutions and the service provider.
In these cases, regulators typically specify that audit reports should be based on generally recognized auditing standards and be performed by auditors with adequate expertise.
Information and access rights
An important factor in facilitating effective monitoring is securing the right to certain information and access; regulators generally expect that certain basic information and access rights will be included in a financial institution’s cloud services contract, but differ as to the required scope of those rights—what must be accessed by financial institutions and their regulatory supervisors. The FFIEC’s outsourcing guidelines provide that a banking institution’s outsourcing contract should, among other things, specify the rights of the institution and its regulatory agencies to obtain the results of audits in a timely manner. In the case of Internet-related services, the FFIEC guidelines recommend sufficiently detailed reports on the findings of ongoing audits to adequately assess security without compromising the service provider’s security.
The EBA outsourcing guidelines go further, requiring that financial institutions secure from service providers (including cloud providers) both a right to audit as well as a right of physical access to the service providers’ relevant business premises. Such access and audit rights are required for both the institutions themselves as well as their regulatory supervisors with respect to any outsourcing of critical or important functions. Several other regulators—like the EBA—require that financial institutions secure audit rights for themselves and their supervisors that include access to the premises of cloud service providers. For example, the Australian Prudential Regulation Authority (APRA) mandates that a financial institution that outsources a material business activity to a cloud service provider must ensure that the provider makes available to APRA information and documents upon request and allows APRA to conduct onsite visits at the provider.
Regulators do recognize practical limits on their information and audit rights: APRA, for example, will in the normal course seek to obtain information that it needs from financial institutions first before requesting information directly from cloud service providers. In a similar vein, cloud guidance published by the U.K. FCA clarifies that, although access to a cloud provider’s “business premises” may be required, access to some sites—including data centers—may be limited for legitimate security reasons.
Hong Kong’s outsourcing guidelines focus on ensuring that access to data by regulators and the bank’s internal and external auditors is not impeded by the use of outsourced services. To that end, financial institutions are required to ensure that their outsourcing agreements allow for supervisory inspections or review of operations of service providers as they relate to outsourced activities. In addition, financial institutions should ensure that appropriate up-to-date records are maintained in their premises and kept available for inspection by regulators and that any data retrieved from third-party service providers are accurate and available in Hong Kong on a timely basis. Japan’s computer security guidelines for financial institutions, published by the Center for Financial Industry Information Systems (FISC), mandate the inclusion of several contract provisions relating to ongoing oversight, such as provisions requiring cloud providers to disclose information to a financial institution in the event of increased risk of information leakage or in the event the cloud provider’s internal controls have weakened.
c. Security of data & systems
Beyond the procedural requirements associated with performing adequate due diligence and ongoing monitoring of financial institutions’ cloud service providers, regulators also set substantive requirements regarding the security of financial institutions’ data in the cloud.
Security and confidentiality
Regulators place significant emphasis on the security of financial institutions’ cloud activities, typically requiring that they ensure that their cloud service providers maintain robust security measures and comprehensive security policies. The FFIEC outsourcing guidelines require that banking institutions ensure that their service providers’ physical and data security standards are sufficient to meet their legal and commercial requirements and that out-sourcing agreements specifically address a service provider’s responsibility for security and confidentiality of a banking institution’s data and other resources. In addition, the FFIEC’s notice on cloud computing recommends that banking institutions verify their cloud service providers data handling procedures, what controls the cloud service provider has to ensure the integrity and confidentiality of the banking institution’s data, and the adequacy and availability of backup data. The statement also provides specific recommendations with respect to monitoring of security-related threats to the institution’s and its servicers’ networks as well as data deletion and removal. The EBA outsourcing guidelines, like the FFIEC’s, require that financial institutions ensure that service providers comply with appropriate IT security standards, and that data and system security requirements are defined within the outsourcing agreement and monitored for compliance.
Other jurisdictions impose more specific requirements with respect to the security of a financial institution’s data when using outsourced services of any kind, especially with respect to confidential personal information. The Hong Kong Monetary Authority, for example, has published technology guidelines that include detailed principles for security management designed to ensure the integrity and confidentiality of customer data. The Monetary Authority of Singapore’s outsourcing guidelines require that a financial institution and service provider explicitly allocate, in their contract, the responsibilities of parties with respect to security and liability for losses in the event of a breach of security or confidentiality that results in the disclosure of customer information.
Regulators also expect financial institutions to take their privacy obligations into account, and in some cases require that they maintain higher levels of security with respect to personal data in order to safeguard the privacy and confidentiality their customers. The FFIEC outsourcing guidelines require banking institutions to ensure that service providers have appropriate measures in place to comply with applicable laws and supervisory expectations governing the confidentiality of customer information. In the European context, both financial institutions and cloud service providers are subject to the General Data Protection Regulation (GDPR). The EBA outsourcing guidelines mandate a risk-based approach to ensuring that sensitive data is adequately protected and kept confidential. In particular, financial institutions are required to take into account differences between privacy regimes in different jurisdictions, especially in connection with the requirements imposed by the GDPR.
The GDPR, which imposes restrictions on the storage and use of personal data, is one of several non-financial sector specific data protection frameworks imposed on financial institutions and cloud service providers. India, for instance, has a comprehensive framework for regulating information technology that imposes data protection requirements (and potential liability) on the handling of personal information, including by financial institutions and cloud service providers. These comprehensive data protection regimes, which are not specific to the financial sector, are beyond the scope of this report.
Limits on data use and storage
Several jurisdictions also impose specific limits on how a financial institution’s data can be used by a cloud service provider and how it must be stored. The FFIEC outsourcing guidelines mandate that agreements with service providers forbid the service provider from using or disclosing a banking institution’s information, except as necessary to or consistent with provision of the relevant services, and to protect against unauthorized use. Although it does not include any specific restrictions on data storage or use, the FFIEC’s notice on cloud computing recommends that, before transferring data to a cloud service provider, banking institutions understand how its data will be stored and used—in particular, whether its data will share resources with data from other cloud clients, (such as whether it will be transmitted over the same networks, and stored or processed on servers that are also used by other clients).
The EBA outsourcing guidelines do not impose any specific measures regarding the storage and usage of data, but they do require financial institutions to consider whether such measures are required for the protection of data. The guidelines also mandate that financial institutions include in outsourcing contracts for critical or important functions provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data.
Similar to the FFIEC outsourcing guidelines, regulators typically require that financial institutions ensure that a service provider, such as a cloud provider, is not able to use the financial institution’s data for any purpose other than that which is necessary to provide services. Other regulators impose additional requirements regarding data processing and storage, such as a requirement that a financial institution’s data is segregated from all other data held by the cloud service provider: the Monetary Authority of Singapore, for example, mandates that financial institutions ensure that cloud providers clearly identify and segregate customer data using “strong physical or logical controls” in order to protect customer information.
d. Data residency requirements
Several jurisdictions impose restrictions on cross-border cloud outsourcing—limiting where data transferred to a cloud service provider can be stored and processed. Regulators identify several concerns that motivate data residency requirements, including: (1) whether standards for security and resiliency in the cloud provider’s home jurisdiction are satisfactory; (3) whether data located outside the financial institution’s home jurisdiction will continue to be accessible to regulators in that jurisdiction; and (3) whether privacy rules in the cloud provider’s home jurisdiction adequately protect customers. This section reviews existing data residency requirements and other limitations on cross-border outsourcing, but does not take a position as to whether they are necessary or sufficient to address these concerns. More broadly, this section does not include an evaluation of the potential costs and consequences of these limitations.
The FFIEC’s notice on cloud computing does not restrict the transfer of data on the cloud to other jurisdictions, but notes that a banking institution should understand the applicability of laws within a host country and the banking institution’s ability to control access to its data. The EBA outsourcing guidelines likewise allow for data to be transferred to different jurisdictions. However, they require financial institutions to adopt a risk-based approach to data storage and processing locations and to take into account differences between jurisdictions regarding the protection of data. The outsourcing guidelines also require regulatory authorities to ensure that they are able to perform effective supervision, in particular when institutions outsource critical or important functions outside the E.U./European Economic Area.
Guidelines published by the U.K. FCA similarly recommend that financial institutions ensure that data is not stored in jurisdictions that may inhibit effective access to such data for U.K. regulators. Considerations identified by the FCA as important include the wider political and security stability of the jurisdiction; the law in force in the jurisdiction in question (including data protection); and the international obligations of the jurisdiction.
Other jurisdictions require that financial institutions notify their customers and/or consult with regulators before transferring data to another jurisdiction. Hong Kong’s outsourcing guidelines require that financial institutions give notice to customers of significant outsourcing activities, particularly where such outsourcing is outside of Hong Kong. Australia mandates that financial institutions consult with its prudential regulator before using cloud services in another jurisdiction, to ensure that the financial institution’s due diligence process adequately addresses the effect of the cross-border arrangement on the institution’s risk management framework.
Some jurisdictions prohibit the transfer of certain data outside the financial institution’s home jurisdiction outright. In China, financial institutions are prohibited from transferring personal financial data outside China; storage, processing and analysis of personal financial information must be conducted within China. Other regulators allow the cross-border transfer of data, but only subject to specific requirements. Switzerland’s FINMA, for example, not only stipulates that data can only be transferred outside Switzerland if FINMA retains its right to audit the cloud service provider, but also requires that all information that could be needed for restructuring or resolution of the financial institution be accessible from Switzerland. Chile’s supervisory authority does not require that all of a financial institution’s data be stored within Chile; however, it mandates that financial institutions that outsource strategic or material activities abroad maintain a local data center in Chile for contingency purposes.
e. Business continuity & contingency planning
In order to ensure the reliability of the cloud services used by financial institutions, regulators require that financial institutions put in place business continuity plans dealing with service disruptions and other contingencies. An important aspect of contingency planning by financial institutions involves the ability of those financial institutions to terminate their service relationship with a cloud provider without disrupting any material functions.
Recognizing that service disruptions can have significant impacts on a financial institution’s operations, as well as on the broader financial system, regulators require that financial institutions monitor their cloud service providers’ resilience and plan for potential service disruptions. The cloud computing notice published by the FFIEC indicates that a banking institution’s disaster recovery and business continuity plans should include appropriate consideration of the nature of cloud computing, the cloud provider’s disaster recovery and business continuity plans, as well as the availability of essential communications links. The EBA outsourcing guidelines require financial institutions to plan and implement arrangements to maintain their ongoing functions in the event that services provided by a cloud provider fail or deteriorate to an unacceptable degree. They also entitle a financial institution’s supervising regulator to ask for additional information on the financial institution’s risk analysis for critical or important outsourced activities, such as whether the provider has a service continuity plan that is suitable for the service provided to the financial institution.
Several other regulators often require financial institutions to set specific resiliency targets in their outsourcing agreements. Guidance published by Switzerland’s FINMA, for example, requires that a financial institution and cloud service provider draw up a security framework to ensure the continuity of the functions that are outsourced to the cloud in case of an emergency, but does not provide specific service availability, recovery and resumption objectives. Likewise, the Monetary Authority of Singapore’s outsourcing guidelines requires financial institutions to include in their outsourcing agreements specific recovery objectives and to periodically test its disruption preparedness with its service providers. Notably, standards for business continuity depend on the importance of the financial institution – when interdependency on an institution in the financial system is high, the Monetary Authority of Singapore imposes higher preparedness standards. However, regulators generally do not impose definite availability and recovery requirements—for example, that in the event of a disruption, that service must be restored within a particular amount of time—on most financial institutions.
Another aspect of contingency planning involves the ability of financial institutions to terminate their service relationship with a cloud provider. Developing an exit strategy is particularly important in addressing lock-in risk, to ensure that financial institutions can transition from an outsourced service provider as needed for commercial or technical reasons. Regulators typically require that financial institutions have exit provisions in outsourcing contracts that, among other things, require service providers to work with financial institutions to return their data. These mandatory exit provisions generally also require that service providers delete all of a financial institution’s data from their systems.
The FFIEC’s notice on cloud computing, for example, recommends that cloud service contracts provide clarity with respect to disengagement of a cloud provider and specify that data can be removed from all locations where it is stored on the cloud provider’s network. The EBA outsourcing guidelines provide that a financial institution should make sure that it can exit a service arrangement, if needed, without disrupting provision of services and without being detrimental to the continuity of its services. To that end, the guidelines require that outsourcing financial institutions develop and test comprehensive exit plans and identify alternative solutions to enable them to remove outsourced functions and data from a service provider and transfer them to alternative providers or back to the institution. They also mandate that outsourcing agreements include an obligation for service providers to support, in the event of termination, a financial institution in the transfer of activity, data or services to another service provider or back to the institution.
Guidelines published by Japan’s FISC provide detailed, specific requirements regarding ter-mination of cloud services. They provide that outsourcing contracts must address exit procedures and responsibilities, by including provisions requiring the cloud provider to facilitate the extraction of data that will be transferred to a new cloud provider or an existing in-house system and allocating the burden of transfer expenses in different scenarios. The guidelines also include instructions for protecting data upon termination, mandating that: data provided by financial institutions be erased in an appropriate manner and time frame; information linking the data management area and data storage area be severed; and that the data storage area be wiped.
(4) Facilitating Cloud Adoption in the Financial Sector
The benefits of cloud computing are largely a result of its singular technological and business model: a utility-like model in which computing resources are shared by a cloud provider’s many users, who can automatically scale up their usage when additional resources are needed and reduce it when those needs subside. Regulatory frameworks developed in the context of traditional third-party outsourcing, however, contemplate a one-to-one provider-to-customer relationship typical of legacy technology infrastructure like on-premises data centers.
This traditional framework is ill-suited to the cloud model, which makes the adoption of cloud by financial institutions more difficult. For one, the traditional model places the onus of assessing and managing risk on individual financial institutions. In the context of cloud computing, however, that model is inefficient: it requires financial institutions to monitor the same infrastructure that is used by multiple clients, and monitoring by the marginal financial institution does little to increase overall cloud security. Moreover, requiring financial institutions to individually monitor a cloud provider can actually increase security risks to the cloud provider and potentially to other customers’ cloud environments; auditing by an individual financial institution can require access to the cloud provider in a manner that exposes the information of one financial institution to another. Finally, individual financial institutions are not well-suited to identifying risks to multiple financial institutions from utilizing the same cloud provider.
Also, unlike traditional technology infrastructure, which can be built and operated to the regulatory specifications of an individual financial institution, cloud infrastructure can be used by thousands, if not millions, of customers located across multiple jurisdictions—each subject to its own regulatory requirements. The cross-border nature of cloud services, which involve the provision of computing resources to millions of clients located in many different jurisdictions and subject to an array of disparate regulatory regimes, raises a set of issues that might not apply in the traditional outsourcing context.
The U.S. Treasury Department has recommended that federal regulators ease the adoption of new technologies such as cloud computing, with the aim of reducing barriers to the mi-gration of activities to the cloud. Specific regulatory actions recommended by Treasury include clarifying how audit requirements may be met in the cloud. Treasury has also recommended the formation of a cloud and financial services working group among financial regulators that would engage industry stakeholders, including cloud service providers, financial institutions, and others in order to develop more informed policies regarding the use of cloud computing by financial institutions. Clarifying expectations for audits of cloud services and enhancing collaboration between regulators are important steps that can be taken to ensure the safety of cloud services and facilitate the migration of activities to the cloud by financial institutions. In addition, regulators should continue to engage in a risk-based dialogue on potential industry-level issues posed by cloud adoption, which should increase understanding of and comfort with more widespread cloud use by financial institutions.
Independent audits of cloud providers are fundamental to ensuring that cloud services are secure and resilient. The existing requirements imposed on financial institutions that adopt cloud services – ranging from the security of data and systems to operational resiliency – depend in part on protections in place at the cloud provider. Audits are therefore a critical part of both due diligence and monitoring. Presently, with limited exceptions, regulatory guidance generally expects that each financial institution conduct its own audit of the cloud provider—even when the same cloud provider offers services to other financial institutions.
Community audits, where financial institutions conduct audits with other financial institu-tions that share the same cloud provider, would eliminate the redundancies and vulnerabilities created by duplicative monitoring. The requirements for a community audit would be the same as the individual audits that are presently conducted—focused on a cloud provider’s controls for security and resiliency. Also, as is presently the case for audits conducted by individual institutions, these audits could be supported by an independent third-party audit firm with expertise in cloud technology. In addition to being more efficient, community audits would provide a forum for financial institutions to identify areas of common concern, and the results of an audit could be confidentially shared with regulators to increase overall assurance regarding cloud providers’ security and control environments.
Of course, financial institutions will face practical challenges as to how such community audits would be conducted. Financial institutions would have to reach private agreements as to how the audit is funded and governed. They would also have to determine which other financial institutions would be included in a community audit, as financial institutions of varying size and sophistication will likely utilize the cloud differently and therefore have different security and resilience concerns. However, spreading costs of such an audit could establish a more level playing field between financial institutions by lowering the audit costs of individual financial institutions.
Collaborative bodies for addressing other kinds of technology-related risk could serve as a model for coordination between financial institutions. The Financial Services Information Sharing and Analysis Center (FS-ISAC), for example, is a nonprofit entity whose members include banks, credit unions, insurance companies, investment companies and financial services regulators. It was established in the late 1990s to collect and provide financial institu-tions with information on potential vulnerabilities as well as timely, accurate and actionable warning of physical, operational and cyber-threats to the national financial services infrastructure. The FS-ISAC is run by its members, so its activities are tailored to the specific needs of the financial industry.
Several financial supervisors, including the EBA and Australia’s prudential regulator, have already acknowledged the value of the community audit approach. Other regulators can facilitate cloud adoption by encouraging financial institutions to overcome collective action costs by issuing regulatory guidance that recognizes the ability—and utility—of financial institutions discharging their obligations to audit their cloud providers through controls audits performed as part of a community audit with other financial institutions.
Cross-border regulatory coordination
As noted earlier, another barrier to widespread cloud adoption by financial institutions is the cross-border nature of cloud services—specifically, the array of regulatory regimes to which cloud service providers and financial institutions are subject. Individual financial institutions and cloud providers are not well-positioned to manage issues arising from being subject to multiple, potentially disparate regimes governing data security and privacy. In addition, those overlapping regimes create a complex web of oversight that might fail to meet intended policy or supervisory goals. Accordingly, issues associated with the unique multi-jurisdictional nature of cloud services ought to be resolved in the first instance by direct cooperation between regulators.
To ensure consistency and predictability for market participants, regulators should seek consensus around shared substantive principles for regulating cloud use by financial institutions. However, it is also important for those substantive principles to be flexible enough that they are adaptable for use for a wide variety of cloud users and in different markets. In particular, they should be adaptable for jurisdictions with different levels of technological and financial maturity. To that end, instead of consensus on specific technical requirements or technological standards for security and resiliency, regulators should focus on developing risk-based principles for the use of cloud services by financial institutions.
Additionally, to the extent possible, these principles should encourage parity between foreign and local cloud service providers by facilitating the market access of foreign providers. Out-of-jurisdiction infrastructure is critical to the resiliency advantage offered by the cloud: the use of out-of-jurisdiction infrastructure makes it possible for financial institutions to distribute copies of applications or data to multiple locations (making them more difficult to target) and route incoming application traffic across geographic regions (making cloud services more resilient to local failure).
Risk-based dialogue on industry-level risks
As financial institutions begin to migrate some of their core functions to the cloud, several regulators have identified cloud providers as potential sources of industry-level risk—for example, if a dominant provider relied upon by many financial institutions were to fail. There is currently minimal evidence of industry-level risk, as financial institutions still mostly rely on in-house technology infrastructure, especially for their core operations. However, as the Financial Stability Board (FSB) explained in its recent report on market structure in financial services, “[i]f high reliance were to emerge, along with a high degree of concentration among service providers, then an operational failure, cyber incident, or insolvency could disrupt the activities of multiple financial institutions.”
Regulators should continue to assess and monitor potential industry-level risks arising from widespread cloud use, focusing on identifiable risk channels—specifically, those, if any, that are unique to the cloud in comparison to traditional technology infrastructure. In addition, they should take account of measures that cloud providers already take to mitigate the possibility of any single point of failure in their own infrastructure. These measures include compartmentalizing their infrastructure and services, including by isolating data centers from each other using redundant networking, connectivity and power. Major cloud providers also build in geographic diversity by providing even greater isolation from one region to another, such that even major physical catastrophes can be weathered. Ongoing assessment of industry-level risks must also weigh potential industry-wide risks against the benefits of cloud adoption, especially those related to increased security and resiliency.
A risk-based dialogue on industry-level risks should lead to greater understanding of the implications of more widespread cloud use by financial institutions. Given that cloud providers serve customers in a variety of different sectors, regulators also can benefit from enhanced collaboration with others outside the financial services sector, such as national security authorities and standards organizations, that interact with cloud providers on an on-going basis and face many of the same concerns. Financial regulators may well conclude that the use of cloud computing by financial institutions does not pose novel risks to the financial sector—with the result that regulators and financial institutions alike should be more comfortable with migration to the cloud.