ABA Banking Journal

Banks enhance assessment of cloud services providers as federal agencies increase focus

October 5, 2023

Federal agencies are tackling the broader cloud infrastructure and security issues impacting financial institutions, but banks will have to deal individually with many of the issues a recent Treasury report identifies.

By John Hintze

Cloud computing has been a major plus for organizations, including financial institutions: it cuts costs, quickly delivers new and improved services to customers and lets those services scale up rapidly. However, it is still a new and rapidly growing service offered by relatively few cloud service providers (CSPs), and significant risks remain, especially for highly regulated institutions such as banks.

This year has seen federal agencies actively address the risks and rewards of cloud computing, starting with the Treasury Department publishing a detailed report in February that updates how the financial industry is using the cloud, the challenges it presents, and the current regulatory framework. In March, the Biden Administration published its “National Cybersecurity Strategy,” in which improving cloud security is a priority. The same month, the Federal Trade Commission issued a request for information in search of market-participants’ input about the competitive dynamics of cloud computing, their reliance on it, and the related security risks.

“Large parts of the economy now rely on cloud computing services for a range of services,” said Stephanie T. Nguyen, the FTC’s CTO, in a statement. “The RFI is aimed at better understanding the impact of this reliance, the broader competitive dynamics in cloud computing and potential security risks in the use of cloud.”

In a June response to the FTC’s RFI, the American Bankers Association discussed the cloud-related issues banks face, and it made several recommendations, including that the FTC leverage the work of the Treasury Department and federal banking agencies. At ABA’s recent Risk and Compliance Conference, bankers discussed in detail the practical challenges they face in adopting and maintaining cloud services.

Where Treasury sees cloud risks

The Treasury Department’s report, “The Financial Services Sector’s Adoption of Cloud Services,” which includes input from numerous ABA members, outlines six key challenges:

  • Insufficient transparency from CSPs to support financial institutions’ due diligence and monitoring
  • Gaps in hiring and tools to securely offer cloud services
  • Potential operational incidents, including CSPs
  • Concentration in cloud service offerings affecting financial sector resilience
  • Negotiating contracts
  • Regulatory fragmentation globally

“We think it’s a very solid document and agree with its conclusions,” said John Carlson, VP, cybersecurity regulation and resilience, at ABA. “Importantly, it provides a path forward in terms of the work plan and the opportunity to be involved in dialogue with the CSPs, other financial institutions and regulators to address the identified issues.”

The Treasury report’s “action plan” to address the issues includes a public-private steering group launched May 25. The several workstreams it will focus on include documenting effective practices for cloud third-party risk; outsourcing and due diligence processes to increase transparency; hybrid cloud adoption strategies; improving transparency; and establishing a common set of terms and definitions to be used by financial institutions and regulators.

ABA highlights specific cloud risks

ABA’s FTC comment letter zeroes in on concentration risk and vendor “lock-in” risk, in which CSPs make it difficult and costly for banks and their third-party providers to move to another CSP, as complex issues that should be addressed in coordination with the Treasury Department and other financial regulators.

“The ABA reminds the FTC that banks are required to develop exit strategies for critical service providers,” ABA notes, and while ABA members acknowledge that is their responsibility, “there is growing concern that the market control exercised by CSPs poses a challenge for banks to comply with this requirement.”

Federal banking agencies have made it clear, the letter continues, that banks outsourcing an activity to a third party, such as a CSP, are still responsible for performing that activity in a safe and sound manner and in compliance with applicable laws and regulations. They must also perform ongoing monitoring of the third party’s financial condition, senior management qualifications, and risk-management program.

“The ABA encourages CSPs to design and deliver services that meet regulatory requirements for cybersecurity and third-party risk management,” the letter says, adding that ABA members complain about CSPs providing insufficient compliance with banks’ requirements.

Banks face more specific challenges

Federal agencies are tackling the broader cloud infrastructure and security issues impacting financial institutions, but banks will have to deal individually with many of the issues the Treasury report identifies. The Cloud Security Alliance’s June 5 report, “State of Financial Services in Cloud,” noted that just 28 percent of respondents use public cloud services for most of their regulated workloads, mostly due to CSPs’ lack of transparency, respondents’ inability to demonstrate compliance to auditors and their insufficient cybersecurity resources.

Those hurdles, and often limited power in negotiating contracts with CSPs, are especially challenging for small and medium-size banks. David Ackley, SVP, director of information security and enterprise risk management, at $6 billion-asset Camden National Bank, said his bank is picking and choosing its battles. Discussing the issue at the conference, Ackley pointed to retention of the bank’s data and vague data-anonymization clauses as key issues.

“The bank has to be very specific about how it will allow [the CSP] to use the data and for how long it can keep it,” Ackley said, as well as understanding the CSP’s controls over who can access the data, whether internally or through a fourth-party vendor that the CSP uses. “Understanding the quality of the CSP’s own vendor program and how it vets its fourth parties is crucially important.”

Ensuring the CSP is following through on contractual language requires auditing rights, but that language can be overly restrictive, Ackley said. So banks must set out their audit expectations in the contractual language or risk poor CSP responses to audit requests.

“In the end, the bank needs to be able to access the data and the information about the controls at the data centers where the bank’s data is stored,” he said.

Ackley said another important resource when performing due diligence on vendors, whether in the cloud space or other areas, is the reports of examinations of CSPs by the three federal banking agencies. Carlson added that the federal banking agencies have authority under the Bank Service Company Act to examine significant service providers including CSPs that depository institutions rely upon and then share the reports of examination with banks that have active contracts with service providers. The federal banking agencies often state that these reports of examination are not a substitute for banks conducting their own due diligence of service providers.

“It’s been an eye opener in some cases on the vendor side for us,” Ackley said, adding that there’s a relatively painless process to retrieve those reports from a bank’s examiner that generally includes providing proof that the bank uses the vendor. “It provides a wealth of information you wouldn’t get otherwise.”


Carlson, who moderated the conference session, said that federal banking regulators have examined for some time the non-depository institutions that are significant service providers to banks, and more recently they’ve expanded the program to include CSPs.

The session participants acknowledged that due diligence of CSPs differs from traditional vendors, in part because CSPs are relatively new to the financial-services arena and may not understand or have the capacity yet to provide their services in ways that facilitate bank regulatory compliance. However, if a CSP declines to explain where the bank’s data is being stored or provide other key information in the due diligence process, then the bank should probably look elsewhere.

“That’s a giant red flag. The bank needs to be prepared in those cases to say ‘no’ to a vendor who is not meeting the standards it has as a bank,” Ackley said.

Noting that regulators are raising the bar for banks’ regulatory compliance when dealing with CSPs, Carlson asked the session participants what kind of framework they use when considering cloud products.

Mike Ambrosius, VP, chief technology risk officer at Cenlar FSB, said that when his institution began its cloud journey a few years back, it looked at a wide variety of information, including the National Institute of Standards and Technology framework, Microsoft’s cloud computing guides, the Office of the Comptroller of the Currency’s guidance on adopting new products and services, as well as OCC consent orders written against institutions that had run into trouble.

“We made sure we didn’t hit those stumbling blocks,” Ambrosius said. “We looked at a lot of the information out there to make sure what we did was at maximum safe speed as we went through our journey.”

For further insight, please see this article from earlier this year by ABA’s John Carlson.

John Hintze is a frequent contributor to ABA Banking Journal.

Tags: Cloud computing, Cybersecurity, Data security
American Bankers Association
1333 New Hampshire Ave NW
Washington, DC 20036
1-800-BANKERS (800-226-5377)
www.aba.com
© 2025 American Bankers Association. All rights reserved.
