A Cloudy Forecast Clears


Regulators aren’t opposed to cloud computing, but banks do need to address compliance concerns

By John Meyer

When meeting with regulators during examinations or when reviewing regulatory guidance, it can seem that regulators oppose cloud implementations. In truth, regulators don’t prohibit a bank’s pursuit of a cloud computing initiative, but they are absolutely concerned about the data security and vendor management challenges inherent in cloud computing.

The federal government itself recognizes the economies of scale cloud computing can provide and supports cloud computing through the Federal Risk and Authorization Management Program. The program, called FedRAMP, streamlines the process for federal agencies to satisfy security requirements in the cloud environment. IDC Inc., a technology consulting firm in Houston, estimates that federal spending on cloud computing will increase from $1.7 billion in 2014 to $7.7 billion in 2017.

So if regulators are on board with cloud in theory, what do community banks need to do in practice to address regulatory concerns? The following five recommendations will help community banks meet regulator expectations and better evaluate the promise and limitations of cloud computing.

1. Understand what cloud computing means. Cloud computing is defined as the sharing of IT resources among many users. While banks have been sharing computing resources for decades, resource sharing has largely been with other banks and financial institutions. What makes cloud computing different is that a cloud vendor may “rent” resources to a wide variety of businesses. These businesses, or indeed the vendors themselves, may not share the same regulatory concern and strict controls.

A second dimension that makes cloud computing both a powerful tool and a security challenge is that the data can be accessible from anywhere in the world using a wide variety of devices such as tablets and mobile phones. In many cases, the only available data protection for these devices is a password. Banks need to ensure that employees understand the risk of these devices and build responsibility and accountability into the bank’s security procedures.

2. Review updated regulatory guidance. One reason that community banks have been hesitant to deploy applications in the cloud is that regulatory guidance seemed too generic, leaving banks unsure how to comply with regulatory mandates. The regulatory agencies are making strides in defining more specific guidance for cloud computing.

In October 2012, the Federal Financial Institutions Examination Council updated the IT Examination Handbook: Outsourcing Technology Services to address more specific cloud computing vendor management processes. In 2013, the Office of the Comptroller of the Currency updated their guidelines on vendor risk management. Other agencies have also made progress in this area.

For example, the OCC updates specify that banks should negotiate written vendor contracts that clearly define the roles and responsibilities of the vendor and the bank, have a written plan to terminate a vendor relationship and transition or discontinue outsourced activities, and conduct independent reviews of third-party relationships.

Finally, banks should review the Interagency Guidelines Establishing Standards For Safeguarding Customer Information when developing a cloud strategy.

3. Redefine vendor management. In many banks, technology vendor management has largely been the purview of the chief information officer and managed within the IT silo. An IT-centric model worked when the bank dealt with only a few large vendors such as their core provider. Today, community banks work with an increasing number of third-party providers so it may make more sense to centralize vendor management as part of the risk management function under a chief risk officer or similar role.

While IT still has a tremendous role to play in recommending vendors and monitoring performance, actual vendor risk management should include active senior officer and board involvement.

4. Take control of data. Virtualization allows third-party providers to store data on servers located outside their data center and even share servers with multiple organizations. Regulators are justifiably concerned that stored data could be located in areas of the globe not subject to strict data security and privacy laws. They are also concerned that third-party cloud providers will host bank data on the same hardware as a business from another industry in which the regulatory bar is not raised so high.

Working with vendors that only service the financial services industry or those vendors willing to contract for dedicated servers can decrease risk. However, it’s much less likely that community banks would have the bargaining power to modify agreements with the cloud provisioning behemoths that dominate the market. Smaller cloud providers wanting to maximize economies of scale may also be unwilling to modify their standard contract terms.

Even if the bank is unsuccessful in modifying contracts, understand the vendor’s monitoring and reporting frequency. If a breach occurs, know what vendor recourse is available. There’s a lot a stake: regulatory fines, loss of customers, and reputational damage, to name a few. In a typical contract, the bank’s stated financial recourse doesn’t even come close to covering all costs and, in most cases, the bank can expect to be on their own when dealing with compromised data.

5. Look for a proven track record. Banks would be well advised to work with vendors that have a solid track record of working with financial services institutions. Many vendors with financial services expertise are aware of compliance concerns and have addressed data security issues such as storing data outside the United States. However, for community banks looking to move to cloud computing for office productivity tools such as hosted electronic mail or a cloud-based customer relationship management system, it can be challenging to find references from other banks.

It’s a double-edged sword: Banks have been slow to adopt cloud-based applications due to regulatory concerns and lack of other bank references; without references, banks will be wary of cloud computing.

Cloud computing provides tremendous economies of scale and cost savings for banks. The majority of cloud computing vendors have taken enormous pains to protect bank data and, in some instances, are able to better protect bank data than a community bank. Although the regulators have concerns, they have not asked banks to refrain from cloud computing. Instead, they have been adamant that banks develop and maintain a well-documented and clearly defined risk management process.

John Meyer (consultant@ccg-catalyst.com) is a practice director at CCG Catalyst, a bank consulting firm in Phoenix.