Cloud technology will likely occupy an increasingly critical position in financial institutions’ operations. Accordingly, financial institutions should develop methods for navigating regulatory expectations and other potential risks associated with adopting cloud technology and working with vendors providing such services.
When providing services to financial institutions directly or indirectly, financial services regulators expect cloud vendors and their subcontractors to operate and maintain cloud services in accordance with the requirements of the laws, regulations, and regulatory guidance applicable to financial institutions. To reduce the risks inherent in outsourcing, including cloud services, regulators generally require financial institutions to enter into written agreements with their vendors and perform sufficient due diligence and ongoing monitoring.
Regulators also expect service agreements to require vendors to have comprehensive information security and business continuity and disaster recovery programs. Vendors must maintain adequate policies and procedures to ensure the confidentiality, security, integrity, and availability of the data of financial institutions and their clients, employees and others and the vendors’ and their subcontractors’ systems. Service agreements need to specifically address vendors’ administrative, technical, organizational, and physical controls to safeguard customer data and their systems against unauthorized access, use, disclosure, modification, unavailability, and deletion.
Regulators require the service agreements to obligate vendors to extend contractual obligations, including audit rights, down to their subcontractors and to remain fully liable for the acts and omissions of their subcontractors. Vendors are also expected to, among other things, have subcontractors provide compliance and performance information to financial institutions.
There are often gaps between financial institutions’ requirements and what vendors will agree to contractually. Cloud vendors may object to certain regulatory expectations or contractual language preferred by financial institutions, due to the limits of the functionality of a specific cloud service, or because operationalizing such requirements or imposing them upon existing subcontractors can be difficult. While certain regulatory requirements are unavoidable, in certain instances, financial institutions may take a risk-based approach to negotiation of terms, taking into consideration the use case to determine if and when certain requirements may be adjusted or alternative solutions may be employed.
As the financial services industry continues to expand its use of cloud technology, both the financial institutions procuring these services and the cloud vendors supplying them should monitor the regulations and guidance applicable to these relationships, as they continue to evolve, and develop service agreements that balance cloud vendors’ concerns with financial institutions’ needs to comply with increasingly broad and complex global regulations.