Public cloud service providers are increasingly wooing banks. But traditional and regulated financial institutions have been slow to adopt these services, which can accelerate innovation and reduce operational expenses.
Earlier this year, media outlets reported that the dominant player in public cloud services — Amazon Web Services — was actively courting big banks. Already, Capital One has been using AWS to run various systems, including its mobile banking application, for instance.
More big banks will follow Capital One's lead and adopt public cloud services. In fact, Deutsche Bank analysts predicted earlier this year that big banks will put 30% of their IT infrastructures in public cloud environments over the next three years.
However, public cloud adoption in banking is rare right now for a reason: The industry's regulations around data privacy and security dramatically complicate the use of publicly hosted environments. For more banks to embrace the technology without taking on too much risk, guidance from regulators is necessary.
Sure, the Federal Financial Institutions Examination Council has told financial institutions that it essentially views the use of public cloud services as the same as using other forms of technology outsourcing. But U.S. financial regulators need to develop guidelines that allow banks and fintech companies to use technology that helps accelerate innovation and reduces operational costs - benefits that regulatory agencies themselves are already accumulating. The Financial Industry Regulatory Authority, for instance, estimates that by putting 75% of its computing and storage infrastructure in AWS' data centers, it will save $20 million annually.
The European Union's cybersecurity agency has specifically advised EU regulators to differentiate between public cloud services and other forms of outsourcing in their regulations because public cloud services have distinct security risks and advantages. This is the exact opposite of the FFIEC's approach. Cloud services also have their own unique certification schemes for security and reliability.
Furthermore, there's precedent for more tailored guidance in other countries. The U.K.'s Financial Conduct Authority, for instance, released guidelines this year for banks' use of public cloud services.
In order to ensure that U.S. banks can leverage public cloud services without incurring too much risk, U.S. regulators should enact guidelines that take the following into account:
Banks' contracts withpublic cloud providers need to include details around handling breaches or service disruptions as well as data recoverability in case of some emergency. The contacts must also include exit plans that allow banks to bring assets and data back in-house or switch cloud providers if necessary.
Public cloud providers often include language in their service contracts that gives them the right to unilaterally turn off services they provide clients. Since banks can't incur such risk, banks must ensure they have the proper control over their assets and data.
Data privacy and security
Contracts need to specify where data can be stored and under what regulatory jurisdiction. They also need to ensure compliance with the sector's data privacy rules, such as the Gramm-Leach-Bliley Act. This will require specific security controls around the partitioning and safeguarding of identifiable customer data. Furthermore, restricting physical access to the banks' assets will be imperative. Digital security measures like firewalls, regular patching of system vulnerabilities, appropriate levels of encryption and intrusion monitoring will need to be implemented.
As with any outsourcing arrangement, banks must conduct a thorough risk assessment examining the implications of adopting public cloud services for their operations and security risks. Regulators need to provide specific guidance around what they expect in these risk assessments.
European regulators have emphasized that banks must ensure that their cloud provider contracts do not hinder regulatory audits of their IT assets and practices. If those IT assets are outsourced to a cloud provider, the vendor needs to be made aware of its requirements in facilitating compliance audits.