Banks are asking US regulators to provide more detailed guidance on the risks presented by cloud service providers, such as Amazon, Google and Microsoft.
The Federal Reserve, Office of the Comptroller of the Currency (OCC) and Federal Deposit Insurance Corporation are preparing to issue new interagency guidance on managing the risks associated with entering into contracts with external suppliers. A draft version of the guidance, put out for consultation in July, does not distinguish between different types of third-party services, but cybersecurity experts say cloud providers present unique risks that need to be spelled out more clearly.
“Getting more clarity on cloud would be helpful. I would like to see a little more detail on what’s expected,” says a chief information security officer at a North American bank.
The proposed guidance makes it clear that banks are ultimately responsible for the risks of operations that are outsourced to third-party providers. “You can outsource the administration of the operation, but you can’t outsource the risk. That still remains with the bank and the bank needs to have an effective risk management program,” says a senior regulator involved in drafting the proposal.
Regulators have previously voiced concern that overreliance on the big three service providers—Amazon, Google and Microsoft—could place the financial system at risk in the event of an outage or service disruption. However, they are understood to be reluctant to single out cloud providers for special attention or controls in official guidance, leaving it to banks to identify and manage the risks inherent in these relationships.
“Every cloud is different,” says the senior regulator. “It is the bank that needs to configure and manage the operation in the cloud. The bank needs to understand what parts of the cloud environment are configured and managed by the cloud provider and which still need to be managed by the bank itself.”
Critics of the proposed interagency guidance—which is based on existing third-party risk guidance issued by the OCC in 2013—say it is outdated and ignores the realities of dealing with giant technology firms that wield enormous negotiating power. Some in the industry are calling for the contents of an FAQ published by the OCC in 2020 to supplement its 2013 guidance—which addresses risk management expectations with respect to cloud computing in more detail—to be incorporated into the interagency guidance.
While the OCC’s 2020 FAQ reiterates that “third-party risk management for cloud computing is fundamentally the same as for other third-party relationships”, it also concedes that “specific technical controls in cloud computing may operate differently than in more traditional network environments”. Banks are advised to clearly document the division of these control responsibilities between the cloud provider and the bank “in the contract”.
Charles Forde, a former operational risk manager at UBS, says that’s good advice and should be reflected in the final interagency guidance. “Whether using a cloud provider for applications, as a platform or for infrastructure, there will be split responsibility for different levels of security, from physical security, on up to the platform and to the application level. It needs to be clearly defined.”
Industry sources are also pushing for other elements of the OCC’s FAQ to be worked into the forthcoming guidance. For instance, the OCC concedes in its FAQ that banks may have to deal with vendors that “do not allow banks to negotiate changes to their standard contract, do not share their business resumption and disaster recovery plans, do not allow site visits, or do not respond to a bank’s due diligence questionnaire”.
The document goes on to detail a series of actions banks should take when faced with this situation, including considering alternate providers, being prepared for service interruptions, and “determining if the risk to the bank of having limited negotiating power is within the bank’s risk appetite”.
In a comment letter sent to US prudential regulators on October 4, the Securities Industry and Financial Markets Association called for much of this language to be included in the interagency guidance. It also called on regulators to confirm that banks may continue to enter into arrangements with cloud service providers despite the high degree of concentration among vendors, provided that appropriate steps are taken to address the other risks highlighted in the proposed guidance.
Copyright Infopro Digital Limited. All rights reserved.