Government Issues Guidance on Cloud Computing Risks for Financial Institutions

Earlier this month, the Federal Financial Institutions Examination Council (FFIEC) – an interagency body of the U.S. government charged with standardizing federal examination of financial institutions – issued a statement on the risks of outsourced cloud computing for banks and other entities.

It’s the first regulatory guidance for financial institutions on the specific risks associated with the use of cloud-based information technology services.

For your reference, three takeaways from the FFIEC statement:

1. Be aware of key risks:

“The Statement identifies six areas where financial institution risk management efforts relating to outsourced cloud IT services need to be particularly vigilant: (i) due diligence of cloud IT vendors; (ii) management of cloud IT vendors; (iii) vendor audit responsibilities; (iv) information security; (v) legal, regulatory, and reputational risks; and (vi) business continuity planning.” (Federal Financial Agencies Issue Cautionary Statement on Financial Institution Cloud Computing Services by Morrison & Foerster LLP)

2. Don’t sacrifice security for speed / convenience:

“Importantly, the FFIEC Statement sends a clear signal to the bargaining table that it expects arrangements between financial institutions and cloud computing vendors to adequately account for certain legal and regulatory requirements and that the ‘potential benefits such as cost reduction, flexibility, scalability, improved load balancing, and speed’ do not obviate this need.” (FFIEC Statement on Outsourced Cloud Computing by White & Case LLP)

3. Don’t wait to address risk issues:

“Millions of consumers use mobile banking and online payment solutions dependent in whole or in part on cloud computing. Financial institutions that wish to benefit from the potential advantages of cloud computing should develop plans to mitigate inherent regulatory and operational risks before deploying such solutions.” (FFIEC Issues Statement on “Cloud Computing” Risk Management by Davis Wright Tremaine LLP)
