Treasury report: ‘Significant’ challenges remain to banks’ optimal cloud services use

The Treasury Department released a report today on the benefits and challenges associated with the financial sector’s use of cloud services. The report was developed with input from U.S. regulators, the private sector, trade associations—including the American Bankers Association—and think tanks. In conjunction with the report’s release, Treasury said it plans to convene an interagency cloud services steering committee within the next year to develop closer cooperation among U.S. regulators and develop best practices for cloud adoption frameworks and contracts. ABA is currently reviewing the report’s findings and plans to convene a call for ABA members on March 1 to hear from Treasury officials.

According to the report, though cloud services can increase access and reliability, and empower community banks to compete with fintech firms, banks’ increased reliance on cloud-based technologies needs more visibility, staff support and cybersecurity incident response engagement from cloud service providers. The report recommends further evaluation from Treasury and the broader financial regulatory community to continue to evaluate the risks associated with a limited number of cloud services providers.

Treasury found that cloud services can help financial institutions become more resilient and secure, but the report outlined “significant challenges” that could detract from such benefits. According to the report, there is insufficient transparency to support due diligence and monitoring by financial institutions, and community banks expressed concern that they do not often receive details of incidents or outages affecting their systems. In addition, according to Treasury, the current talent pool is “well below” what’s needed to help financial firms tailor cloud services to better serve their customers and protect their information.

The report claims that the current market is concentrated around a small number of cloud service providers, which means that if an incident occurs at one CSP, it could affect many financial sector clients concurrently. The limited number of service providers also may give them outsized bargaining power when contracting with banks. While the report’s focus was mostly domestic, it did note that a “patchwork” of global regulatory and supervisory approaches to cloud technology can make it difficult for U.S. financial firms to adopt cloud tech consistently at a global scale, raising costs for adoption strategies, which ultimately hurts consumers.