The Federal Financial Institutions Examination Council (FFIEC) said financial institutions must institute the proper controls if they are to outsource cloud computing services.
The FFIEC this week released new recommendations for financial institutions to follow if they consider using third-party cloud services.
"Outsourcing to a cloud service provider can be advantageous to financial institutions because of potential benefits such as cost reduction, flexibility, scalability, improved load balancing, and speed," read part of the FFIEC's statement. "Before approving any outsourcing of significant functions, it is important to ensure such actions are consistent with the institution’s strategic plans and corporate objectives approved by the board of directors and senior management."
According to the regulator, managing a cloud computing service provider may require additional controls if the servicer is unfamiliar with the financial industry and the financial institution’s legal and regulatory requirements for safeguarding customer information and other sensitive data. Additionally, the use of such a servicer may present risks, for example if the servicer does not implement changes to meet regulatory requirements.
"Cloud computing may require more robust controls due to the nature of the service," said the FFIEC. "When evaluating the feasibility of outsourcing to a cloud-computing service provider, it is important to look beyond potential benefits and to perform a thorough due diligence and risk assessment of elements specific to that service. Vendor management, information security, audits, legal and regulatory compliance, and business continuity planning are key elements of sound risk management and risk mitigation controls for cloud computing. As with other service provider offerings, cloud computing may not be appropriate for all financial institutions."