ABA Banking Journal
No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
SUBSCRIBE
ABA Banking Journal
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
No Result
View All Result
No Result
View All Result
ADVERTISEMENT
Home Compliance and Risk

Banks enhance assessment of cloud services providers as federal agencies increase focus

October 5, 2023
Reading Time: 6 mins read

Federal agencies are tackling the broader cloud infrastructure and security issues impacting financial institutions, but banks will have to deal individually with many of the issues a recent Treasury report identifies.

By John Hintze

Cloud computing has been a major plus to organizations including financial institutions, cutting costs and quickly providing new and improved services to customers and the ability to scale them up rapidly. However, it is a still new and rapidly growing service offered by relatively few cloud service providers in which there remains significant risks, especially for highly regulated institutions such as banks.

This year has seen federal agencies actively address the risks and rewards of cloud computing, starting with the Treasury Department publishing a detailed report in February that updates how the financial industry is using the cloud, the challenges it presents, and the current regulatory framework. In March, the Biden Administration published its “National Cybersecurity Strategy,” in which improving cloud security is a priority. The same month, the Federal Trade Commission issued a request for information in search of market-participants’ input about the competitive dynamics of cloud computing, their reliance on it, and the related security risks.

“Large parts of the economy now rely on cloud computing services for a range of services,” said Stephanie T. Nguyen, the FTC’s CTO, in a statement. “The RFI is aimed at better understanding the impact of this reliance, the broader competitive dynamics in cloud computing and potential security risks in the use of cloud.”

In a June response to the FTC’s RFI, the American Bankers Association discussed the cloud-related issues banks face, and it made several recommendations, including that the FTC leverage the work of the Treasury Department and federal banking agencies. At ABA’s recent Risk and Compliance Conference, bankers discussed in detail the practical challenges they face in adopting and maintaining cloud services.

Where Treasury sees cloud risks

The Treasury Department’s report, “The Financial Services Sector’s Adoption of Cloud Services,” which includes input from numerous ABA members, outlines six key challenges:

  • Insufficient transparency from CSPs to support financial institutions’ due diligence and monitoring
  • Gaps in hiring and tools to securely offer cloud services
  • Potential operational incidents, including CSPs
  • Concentration in cloud service offerings affecting financial sector resilience
  • Negotiating contracts
  • Regulatory fragmentation globally

“We think it’s a very solid document and agree with its conclusions,” said John Carlson, VP, cybersecurity regulation and resilience, at ABA. “Importantly, it provides a path forward in terms of the work plan and the opportunity to be involved in dialogue with the CSPs, other financial institutions and regulators to address the identified issues.”

The Treasury report’s “action plan” to address the issues includes a public-private steering group launched May 25. The several workstreams it will focus on include documenting effective practices for cloud third-party risk; outsourcing and due diligence processes to increase transparency; hybrid cloud adoption strategies; improving transparency; and establishing a common set of terms and definitions to be used by financial institutions and regulators.

ABA highlights specific cloud risks

ABA’s FTC comment letter zeroes in on concentration risk and vendor “lock-in” risk, in which CSPs make it difficult and costly for banks and their third-party providers to move to another CSP, as complex issues that should be addressed in coordination with the Treasury Department and other financial regulators.

“The ABA reminds the FTC that banks are required to develop exit strategies for critical service providers,” ABA notes, and while ABA members acknowledge that is their responsibility, “there is growing concern that the market control exercised by CSPs poses a challenge for banks to comply with this requirement.”

Federal banking agencies have made it clear, the letter continues, that banks outsourcing an activity to a third party, such as a CSP, are still responsible for performing that activity in a safe and sound manner and in compliance with applicable laws and regulations. They must also perform ongoing monitoring of the third party’s financial condition, senior management qualifications, and risk-management program.

“The ABA encourages CSPs to design and deliver services that meet regulatory requirements for cybersecurity and third-party risk management,” the letter says, adding that ABA members complain about CSPs providing insufficient compliance with banks’ requirements.

Banks face more specific challenges

Federal agencies are tackling the broader cloud infrastructure and security issues impacting financial institutions, but banks will have to deal individually with many of the issues the Treasury report identifies. The Cloud Security Alliance June 5 report, “State of Financial Services in Cloud,” noted that just 28 percent of respondents use public cloud services for most of their regulated workloads, mostly due to CSP’s lack of transparency and respondents’ inability to demonstrate compliance to auditors and their insufficient cyber security resources.

Those hurdles, and often limited power in negotiating contracts with CSPs, are especially challenging for small and medium-size banks. David Ackley, SVP, director of information security and enterprise risk management, at $6 billion-asset Camden National Bank, said his bank is picking and choosing its battles. Discussing the issue at the conference, Ackley pointed to retention of the bank’s data and vague data-anonymization clauses as key issues.

“The bank has to be very specific about how it will allow [the CSP] to use the data and for how long it can keep it,” Ackley said, as well as understanding the CSP’s controls over who can access the data, whether internally or a fourth-party vendor that the CSP uses. “Understanding the quality of the CSP’s own vendor program and how it vets its fourth parties is crucially important.”

Ensuring the CSP is following through on contractual language requires auditing rights, but that language can be overly restrictive, Ackley said. So banks must set out their audit expectations in the contractual language or risk poor CSP responses to audit requests.

“In the end, the bank needs to be able to access the data and the information about the controls at the data centers where the bank’s data is stored,” he said.

Ackley said another important resource when performing due diligence on vendors, whether in the cloud space or other areas, is the reports of examinations of CSPs by the three federal banking agencies. Carlson added that the federal banking agencies have authority under the Bank Service Company Act to examine significant service providers including CSPs that depository institutions rely upon and then share the reports of examination with banks that have active contracts with service providers. The federal banking agencies often state that these reports of examination are not a substitute for banks conducting their own due diligence of service providers.

“It’s been an eye opener in some cases on the vendor side for us,” Ackley said, adding that there’s a relatively painless process to retrieve those reports from a bank’s examiner that generally includes providing proof that the bank uses the vendor. “It provides a wealth of information you wouldn’t get otherwise.”

ADVERTISEMENT

Carlson, who moderated the conference session, said that federal banking regulators have examined for some time the non-depository institutions that are significant service providers to banks, and more recently they’ve expanded the program to include CSPs.

The session participants acknowledged that due diligence of CSPs differs from traditional vendors, in part because CSPs are relatively new to the financial-services arena and may not understand or have the capacity yet to provide their services in ways that facilitate bank regulatory compliance. However, if a CSP declines to explain where the bank’s data is being stored or provide other key information in the due diligence process, then the bank should probably look elsewhere.

“That’s a giant red flag. The bank needs to be prepared in those cases to say ‘no’ to a vendor who is not meeting the standards it has as a bank,” Ackley said.

Noting regulators raising the bar in terms of banks meeting regulatory compliance requirements when dealing with CSPs, Carlson asked the session participants what kind of framework they use when considering cloud products.

Mike Ambrosius, VP, chief technology risk officer at Cenlar FSB, said that when his institution began its cloud journey a few years back, it looked at a wide variety of information, including the National Institute of Standards and Technology framework, Microsoft’s cloud computing guides, the Office of the Comptroller of the Currency’s guidance on adopting new products and services, as well as OCC consent orders written against institutions that had run into trouble.

“We made sure we didn’t hit those stumbling blocks,” Ambrosius said. “We looked at a lot of the information out there to make sure what we did was at maximum safe speed as we went through our journey.”

For further insight, please see this article from earlier this year by ABA’s John Carlson.

John Hintze is a frequent contributor to ABA Banking Journal.

Tags: Cloud computingCybersecurityData security
ShareTweetPin

Related Posts

Survey: Banks boosting cybersecurity due to AI while also investing in technology

Survey: Banks boosting cybersecurity due to AI while also investing in technology

Cybersecurity
June 13, 2025

Most U.S. banks are increasing their cybersecurity efforts because of emerging technologies such as generative artificial intelligence, and many of those same banks also list AI as a top business investment, according to a recent survey by auditing...

Fifth Circuit grants ABA mandamus, vacates transfer order for second time

ABA, CBA support maintaining confidentiality of CFPB nonbank risk determinations

Compliance and Risk
June 12, 2025

The American Bankers Association, joined by the Consumer Bankers Association, expressed support for the Consumer Financial Protection Bureau’s proposal to maintain the confidentiality of decisions to exercise the agency’s supervisory authority over a nonbank entity that may pose...

Survey finds high customer satisfaction with banking apps

Survey finds high customer satisfaction with banking apps

Newsbytes
June 12, 2025

Overall satisfaction with U.S. national banking apps is 669 on a 1,000-point scale, up 18 points from 2024. At the same time, the gap in satisfaction between best-performing and lowest-performing apps and bank websites shrunk to its lowest...

ABA experts see reasons for optimism amid economic, regulatory uncertainty

ABA experts see reasons for optimism amid economic, regulatory uncertainty

Compliance and Risk
June 11, 2025

The Trump administration has rolled back a broad range of banking guidance and regulatory proposals made in the last few years, and while bankers are used to regulatory whiplash when administrations change, it is possible some of changes...

ABA’s Nichols: Banking sector seeing positive policy developments

ABA’s Nichols: Banking sector seeing positive policy developments

Compliance and Risk
June 11, 2025

The banking sector has seen many constructive, positive policy developments at the federal level so far this year, and top officials have expressed their willingness to work with and engage with bankers on those issues, ABA President and...

Report: Synthetic identity fraud on rise

ABA Fraudcast: Federal data points to need for united response to fraud

Compliance and Risk
June 11, 2025

Telecoms and Meta are avoiding addressing serious challenges. And it's time to set up a family password.

NEWSBYTES

ABA, associations urge CFPB to rescind changes to adjudication process

June 13, 2025

ABA DataBank: May inflation cooler than expected, but still above Fed’s 2% target

June 13, 2025

Consumer sentiment rebounds in June

June 13, 2025

SPONSORED CONTENT

AI Compliance and Regulation: What Financial Institutions Need to Know

Unlocking Deposit Growth: How Financial Institutions Can Activate Data for Precision Cross-Sell

June 1, 2025
Choosing the Right Account Opening Platform: 10 Key Considerations for Long-Term Success

Choosing the Right Account Opening Platform: 10 Key Considerations for Long-Term Success

April 25, 2025
Outsourcing: Getting to Go/No-Go

Outsourcing: Getting to Go/No-Go

April 5, 2025
Six Payments Trends Driving the Future of Transactions

Six Payments Trends Driving the Future of Transactions

March 15, 2025

PODCASTS

Podcast: Old National’s Jim Ryan on the things that really matter

June 12, 2025

Podcast: What bankers need to know about ‘First Amendment audits’

June 5, 2025

Podcast: Accelerating banking for quick-service restaurants

May 8, 2025
ADVERTISEMENT

American Bankers Association
1333 New Hampshire Ave NW
Washington, DC 20036
1-800-BANKERS (800-226-5377)
www.aba.com
About ABA
Privacy Policy
Contact ABA

ABA Banking Journal
About ABA Banking Journal
Media Kit
Advertising
Subscribe

© 2025 American Bankers Association. All rights reserved.

No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive

© 2025 American Bankers Association. All rights reserved.