Outsourcing to a cloud provider takes some research. Remember, the various financial regulatory agencies have largely indicated that the same regulatory requirements and standards that apply to IT outsourcing activities in general also apply to outsourcing cloud computing activities. That means due diligence is necessary on the part of every financial services firm looking to move to the cloud.

In planning your cloud strategy, you may also want to consult the Federal Financial Institutions Examination Council (FFIEC), which issued a joint interagency statement (Cloud Statement) in 2012 on the use of outsourced cloud computing services by financial institutions, and the key risks associated with such services.

This statement “discusses key risk considerations associated with outsourced cloud computing activities and identifies applicable risk mitigation considerations contained in the various booklets that comprise the FFIEC IT Examination Handbook.”

Other agencies such as the Federal Reserve Board, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) have also specified their expectations for regulated banking organizations that choose to outsource technology services to third parties such as cloud providers. Similarly, federal securities regulators and most self-regulatory agencies have issued guidance for regulated securities firms.

During your planning process, let us assuage any concerns that you might have about:

  • Data and systems security
  • Data privacy
  • Business continuity planning
  • Liability and risk management
  • Ongoing monitoring
  • Risk assessment and requirements
  • Oversight and risk management
  • Effective contracts