Technology
08/03/2015

Banking Compliance and the Cloud: Can They Coexist?


Businesses large and small are enamored with cloud computing. After all, it promises less information technology expense, delivering cheap, on-demand, and elastic processing power, disk storage and memory, while cutting down on energy use. By meshing their services with the cloud, companies gain social and mobile capabilities that can connect them more closely with their customers. But is it right for financial institutions?

In short, it depends—both on what systems your financial institution is considering and what types of data will be processed, stored or transmitted by the cloud service provider. With careful monitoring and attention to key risk areas, cloud computing can work, and it can be a solid, budget-friendly choice for financial institutions seeking computing power and the ability to scale quickly as business grows.

Cloud Deployment
When considering a cloud solution, you’ll first need to choose a deployment model. Your bank may select from private clouds, which belong to a single organization; public clouds, offered by companies including Amazon and Microsoft; and hybrid clouds, which use a mix of public and private clouds.

Second, consider your service model:

  • Software as a service (SaaS): Your bank uses the provider’s applications and operates them on the provider’s infrastructure.
  • Platform as a service (PaaS): Your bank deploys its own applications onto a cloud infrastructure using the provider’s programming tools—a good choice for banks that develop their own applications.
  • Infrastructure as a service (IaaS): Your bank runs operating systems and applications on the cloud provider’s infrastructure.

Are Cloud Solutions Secure?
For banks, data security is paramount, and you must comply with the Federal Financial Institutions Examination Council (FFIEC)’s Outsourcing Technology Services Booklet, federal and industry protection regulations, and payment card data requirements under the Gramm-Leach-Bliley Act, among others.

Though FFIEC and other guidelines give some clarity on how banks should approach data security, they miss some key nuances of cloud computing. Specifically, banking institutions will also need to consider:

Provider and Data Location
Where your institution’s provider is located and where your data is stored, processed or transmitted can trigger a variety of state, federal or international privacy compliance concerns and issues.

Multiple Levels and Layers of Risk
Cloud providers commonly resell other providers’ services or rely on other subservice providers, which makes risk assessment extremely difficult. Furthermore, data could be backed up and stored by multiple service providers and facilities.

Vendor Risk
Your vendors may use cloud services to store your customers’ information. As a result, you may need to spell out in your contracts what your cloud computing policies are, or at least incorporate questions about cloud computing practices into your vendor risk management program.

Institutions that implement cloud technology will need to address these risks specifically, requiring all parties involved to conform to the security and privacy mandates outlined in their contracts. You’ll also need to develop plans to continually monitor the activities and performance of both service providers and third parties.

Moving to the Cloud
Cloud computing is likely here to stay. And while the shift may be too large for some banks’ tastes, it does come with certain benefits. Keeping compliance and regulations in mind, embracing the cloud may mean increased agility, speed and competitiveness for financial institutions of all sizes.

Francis Tam