Federal Financial Agencies Issue Cautionary Statement On Financial Institution Cloud Computing Services

On July 11, 2012, the federal financial regulatory agencies ("Agencies"),1 through the Federal Financial Institutions Examination Council ("FFIEC"), issued a joint interagency statement ("Statement") on the use by financial institutions of outsourced cloud computing services, and the key risks associated with such services.2 The Statement, the substance of which is also being incorporated into the FFIEC's Information Technology Examination Handbook ("IT Handbook"),3 is the first formal federal financial agency statement on the matter of cloud computing, a subject that has garnered substantial attention in the financial services industry but that, to date, has not been formally addressed by the federal financial regulators. In general, the Statement reaffirms that the fundamentals of existing risk and risk management requirements that currently are applicable to financial institution outsourcing of IT services apply equally to outsourced cloud-based services, while identifying certain risks that, in the Agencies' view, are of particular concern with respect to such services.

Cloud Computing – An Overview

Cloud computing is an IT delivery model where IT services are provided to users from remote servers and facilities over the Internet rather than through owned or leased IT servers and platforms. The cloud technology offers important benefits to users, including the chance for significant cost savings and operational efficiencies; flexibility in deployment; ready access to information systems, applications, and data; better backup services; and faster and more responsive upgrade functionalities. Through cloud computing services, users have the ability to outsource all or part of their IT hardware architecture (infrastructure as a service, or IaaS), operating systems and platforms (platform as a service, or PaaS), or software applications (software as a service, or SaaS) as they choose. "Clouds" can be private, where the services are operated solely for one organization (or a small group of organizations, which some refer to as "community" clouds), typically on a dedicated or partitioned platform; public, where the services are shared by numerous customers, and typically operated on a shared platform; or hybrid, which entails a combination of private and public cloud services.

Potential hosts such as major IT service providers see very significant business opportunities in cloud computing, and as a result, the interest in, and demand for, cloud computing services has increased dramatically over the past several years.4 At the same time, financial institutions have increasingly recognized the potential technological, legal and regulatory challenges, including information security, data integrity and privacy, and business continuity issues, associated with their use of remote IT services for core operations and storage of critical and sensitive data. In turn, these challenges have caused financial institutions, especially those in the United States, to move cautiously toward cloud-based solutions.

The Statement

Up until now, specific financial regulatory guidance on financial institutions' use of cloud-based IT services has been almost...