Regulators Dial Up Scrutiny on Cloud Computing in Banking

Is your institution moving data to the cloud? You’re not alone. The recent pandemic increased incentives for banks to accelerate their “digital transformations,” as customers became more comfortable with digital engagement—and began to demand faster, more robust, and more personalized digital experiences. 

Moving to the cloud can help make those experiences possible—but there are distinct risks associated, including cybersecurity risk and concentration risk (stemming from the small number of service providers).   

Regulators are concerned. In a report last month, the Treasury Department acknowledged the benefits of cloud services, but called for “more visibility, staff support, and cybersecurity incident response engagement” from providers such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform.  

The report said issues with cloud computing in banking include: insufficient transparency, gaps in human capital and tools, a cyber incident at one CSP could have a cascading impact across the broader financial sector, and a lack of competition given the relatively small number of providers.  

A proposed steering committee, expected to include officials from Treasury, the OCC, and the CFPB, will seek to address the issues identified in the report through: 

• Closer domestic cooperation among U.S. regulators on cloud services;
• Additional tabletop exercises with the private sector; and
• Development of best practices for cloud adoption frameworks and cloud contracts.  

The report was developed with extensive input from U.S. regulators, private sector stakeholders, trade associations, and think tanks. It does not impose any requirements and does not endorse or discourage the use of any specific provider or cloud services.