Regulators Warn Banks of Risk from Cloud Services

WASHINGTON — Federal bank regulators Tuesday recommended that financial institutions take special precautions when using third-party cloud computing services.

In a joint five-page statement, the agencies — including the Federal Reserve Board, Federal Deposit Insurance Corp. and Office of the Comptroller of the Currency — encouraged companies to institute robust controls to reduce risk and make sure that using such service providers is in line with policies set by an institution's management.

"A financial institution's use of third parties to achieve its strategic plan does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws and regulations," the regulators said.

While there are potential benefits from outsourcing to a cloud service — such as cost reduction — firms should ensure those benefits do not sacrifice other objectives approved by the board and senior management, regulators said.

The statement said risks from using a third-party servicer could affect data classification, segregation and recoverability.

"Managing a cloud computing service provider may require additional controls if the servicer is unfamiliar with the financial industry and the financial institution's legal and regulatory requirements for safeguarding customer information and other sensitive data," regulators said.

If a servicer is not able to make changes to meet regulatory requirements, management should consider not using that provider, the regulators said. Firms should also determine the adequacy of a third-party servicer's internal controls to effectively monitor risk.

The statement said firms should evaluate servicers' data handling procedures and the adequacy and availability of backup data, and should consider whether multiple service providers are sharing facilities.

"If financial institutions are not sure that their data are satisfactorily protected and access to their data is appropriately controlled, entering into a third-party relationship with such servicer may be ill advised," the agencies said.
