ABA Banking Journal
No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
SUBSCRIBE
ABA Banking Journal
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
No Result
View All Result
No Result
View All Result
Home Technology

Cloud services: Outsourcing the service, but not risk

Banks must have strong risk-management practices in place when using third-party cloud service providers, starting with contract language.

January 29, 2025
Reading Time: 4 mins read
Private-public partnership releases new bank resources for cloud computing adoption

By Walt Williams

There is a saying among risk management professionals that you can outsource the task, but you can’t outsource the risk, according to Jaime Manriquez, CIO and CISO at Santa Cruz County Bank. “At the end of the day, the bank itself or the institution is still going to be responsible and accountable for whatever security breach they may have,” he explains.

That philosophy is pertinent when it comes to cloud adoption, as federal regulators have repeatedly stated that they expect banks to have third-party risk management frameworks in place when outsourcing technology services. Cloud providers may do the tasks, but it is banks that assume much of the risk.
“A lot of these tech companies don’t fully understand that,” Manriquez says. “So it is kind of ironic that, in some cases, we’re trying to hire bankers or regulators so they can teach them about the frameworks that we operate under.”

There are different strategies for approaching cloud services risk management. Santa Cruz County Bank uses a hybrid strategy in which it maintains responsibility for security. Other banks may outsource most of their functions to the cloud. There are few wrong or right answers when it comes to deciding which approach works best for an institution, and there are resources available to help banks make that choice.
“It pretty much goes back to what the business strategy is,” Manriquez says.

Federal focus

In 2022, U.S. Treasury Department officials started reaching out to bank executives from institutions of all sizes about how their institutions were using cloud computing and the challenges they faced, says John Carlson, SVP for cybersecurity regulation and resilience at ABA. Prior to Treasury focusing on cloud computing, the federal banking agencies had issued several advisories on cloud computing and conducted audits of major cloud service providers as part of a program to assess significant service providers that banks rely upon. Treasury officials wanted to know the benefits for banks in using cloud technology as well as some of its challenges. Their findings were outlined in a paper published the following year.

“When Treasury published their paper in February 2023, they laid out all these benefits, but also flagged a number of pretty significant challenges that financial institutions were encountering,” Carlson says. “Among those were insufficient transparency to support due diligence and monitoring by financial institutions, as well as exposure to potential operational incidents, including those originating at a cloud service provider, and also some concerns about the potential impact of market concentration.”

The Treasury Department created a steering committee with representatives from both the government and private sectors. The agency also partnered with the Financial Services Sector Coordinating Council, an industry-led organization of which ABA is a member. Those efforts led to the release last year of a suite of resources to enhance the relationship between cloud service providers and financial institutions. The resources were also meant to give regulators more confidence that those institutions were using cloud services safely and soundly.

Fine print

One of those resources was a 21-page document, titled “Financial Sector Cloud Outsourcing Issues and Considerations,” providing a non-exhaustive list of key considerations for developing contractual language with cloud service providers, specifically to address risk and supervisory and compliance expectations when using the services. For example: In those contracts, what rights and availability does a financial institution have to get information from the cloud provider?

“Even if you use a third party, whether it is an on-premise provider or a cloud provider, you as the institution still own the responsibility for compliance,” says Allen Brandt, chief privacy officer at Depository Trust and Clearing Corporation, who spoke about the paper during Cloud Security Alliance webinar in August.

“You cannot outsource your regulatory compliance. … What ability does the financial institution have to get information from the third party?”

Another consideration in contract language should be notification and reporting, he says. “We all have incident notification requirements. We potentially have things when you make material changes. And what type of reporting can the provider give to you, as the financial institution, [and] in what timely manner? Does it meet your regulatory requirements?”

Then there are roles and responsibilities. “What’s the responsibility of the cloud provider to maintain their piece? What’s yours?” Brandt says. “How do they interface together? How do you notify each other when there are incidents? How do you notify each other when there are changes?”

Testing for when things go wrong

Another area banks should consider when drafting contracts is what processes cloud service providers have in place for testing and resilience, says John McDonald, global head of cloud governance at Bank of America, who also participated in the CSA webinar. As an example, he points to the CrowdStrike outage in July, which caused widespread service disruptions at banks and many other sectors of the economy.

“When [a cloud service provider] has an outage, understanding the downstream impact on that is important, and that information is not consistently provided to financial service institutions who need to incorporate it into their business continuity testing and resilience programs,” McCloud says.

Banks need to understand how cloud service providers are testing for resiliency and what plans they have for bringing those services back online, he says. “And then you have to link that to what you can do as a customer, because there is a significant responsibility from a customer standpoint.”

Human resources

Manriquez — who is also a member of ABA’s Core Platforms Committee — stresses the need to establish clear contractual terms and responsibilities regarding security, incident response and data location. But after those contracts are signed, banks must continue to have regular meetings and open communication with cloud providers to stay up to date on product changes and strategic plans, he says.

“What we do in our case, with our Microsoft relationship, is we meet once a month,” he says. “We touch base on what’s working, what’s not working, what products do you guys have.”

Still, at the end of the day, the best advice Manriquez has for banks trying to manage their cloud risks is to invest in their workforce. “And what I mean by investing in their human capital is sending them to training, keeping their certificates current and also retaining and developing staff,” he says.

Tags: Cloud computingCloud migrationRisk managementThird-party risk
ShareTweetPin

Author

Walt Williams

Walt Williams

Walt Williams is senior editor of ABA Banking Journal.

Related Posts

FDIC withdraws proposed rules on brokered deposits, corporate governance, executive pay

Small Business Bank in Kansas closed by regulators

Community Banking
July 17, 2026

Kansas regulators closed Small Business Bank in Lenexa, Kansas, and appointed the FDIC as receiver. The Farmers State Bank of Oakley, Kansas, agreed to assume substantially all deposits and purchase certain assets.

FDIC issues relief guidance for Mississippi, Tennessee banks affected by storms

FDIC issues relief guidance for banks serving tribes in Arizona, Montana affected by severe weather

Compliance and Risk
July 17, 2026

The FDIC has released guidance with steps intended to provide regulatory relief to financial institutions and facilitate recovery in areas of the San Carlos Apache Indian Reservation in Arizona, and the Fort Peck Indian Reservation and the Crow...

ABA, 52 state bankers associations urge Congress to close stablecoin interest loophole

ABA, associations seek agency alignment on Genius Act implementation

Compliance and Risk
July 17, 2026

The National Credit Union Administration should coordinate with the banking agencies to ensure that Genius Act implementation is substantially similar among all federal payment stablecoin regulators, the American Bankers Association and three other banking sector associations said.

ABA: OCC should revise proposed changes to bank merger application process

ABA: OCC policy changes create uncertainty about minority deposit institution status

Community Banking
July 17, 2026

In a new letter, ABA cited several concerns about the OCC’s recent revisions to its standards for designating minority deposit institutions, saying the changes create uncertainty for institutions seeking to qualify or maintain MDI designation.

ABA, associations propose improvements to federal data privacy law

Banking agencies promise new approach for handling sensitive information

Compliance and Risk
July 16, 2026

The Federal Reserve, FDIC and OCC announced a “coordinated approach” for handling sensitive information used in bank examinations, including a new pledge to notify banks about data breaches that threaten to expose that information.

AI’s rapid rise compels smart risk management for banks

Risk and compliance as strategic growth partners

Compliance and Risk
July 16, 2026

Risk leaders must build relationships, credibility and trust at the bank so their input is valued.

NEWSBYTES

Small Business Bank in Kansas closed by regulators

July 17, 2026

Texas Bankers Foundation reopens flood relief fund following severe storms

July 17, 2026

FDIC issues relief guidance for banks serving tribes in Arizona, Montana affected by severe weather

July 17, 2026

SPONSORED CONTENT

Why Your Systems Keep Slowing Down — and What to Do About It

Examiners Are Now Looking at Your Non-Core Systems

June 11, 2026
Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

June 1, 2026
A Modern Blueprint for Serving High-Net-Worth Families

A Modern Blueprint for Serving High-Net-Worth Families

May 28, 2026
Why Your Systems Keep Slowing Down — and What to Do About It

AI Is in Your Bank. Is Your Cloud Contract Governing It?

May 20, 2026

PODCASTS

Podcast: Understanding the 2025 Home Mortgage Disclosure Act data

July 8, 2026

Podcast: Financing America’s independence

June 29, 2026

Podcast: Talent and innovation in community banking

June 18, 2026

American Bankers Association
1333 New Hampshire Ave NW
Washington, DC 20036
1-800-BANKERS (800-226-5377)
www.aba.com
About ABA
Privacy Policy
Contact ABA

ABA Banking Journal
About ABA Banking Journal
Media Kit
Advertising
Subscribe

© 2026 American Bankers Association. All rights reserved.

No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive

© 2026 American Bankers Association. All rights reserved.