Fed hiring more staff to examine cloud providers

The regulator wants to put more “boots on the ground” at firms such as Amazon, Google and Microsoft.

The US Federal Reserve is hiring more staff to perform on-the-ground examinations of software giants that provide cloud services to the banking system.

Bank regulators visited the offices of Amazon Web Services in 2019 to conduct the first formal examination of a cloud service provider. Arthur Lindo, deputy director for policy at the Federal Reserve Board’s division of supervision and regulation, said more such examinations were on the way.

“We’re increasing our workforce just to do that,” Lindo said at the OpRisk North America conference on May 18, adding: “There needs to be a public-private approach. It can’t just be the firms applying pressure to the providers, and the official sector sitting back.”

Lindo noted that the Bank Service Company Act of 1962 grants federal regulators the authority to examine outsourcing providers. “And for at least one of the large providers, we do that,” he said. “But let’s look at the stature of that large provider versus the stature of our examinations team. If you do the ‘boots on the ground’ type analogy, and trying to go into [all] the major cloud providers, we don’t have enough in the way of resources to do that. So we have to be smarter, we have to be more effective in that space.”

He suggested that federal agencies could pool their resources to ensure proper oversight of software giants. “Even with that increase that we’ve put into place, we just don’t have the person power. So what else could we use? We have other tools we can leverage, working with the US Treasury as well as other members of the financial services sector. So we can use our collective convening power.”

Lindo stressed that his views were his own, rather than those of the Fed.

As more and more critical services are outsourced, regulators have become increasingly concerned that overreliance on the big three service providers – Amazon, Google and Microsoft – could place financial institutions and their customers at risk.

“We do have concentration risk, even if we don’t call it that,” Lindo said. “But how do you mitigate that? You do it through resiliency testing and further disclosures, as well as capability management with the outsourcing provider.”

Banks that move their data to the cloud will typically conduct stress tests, known as failovers, to assess fallback options in the event of the non-availability of one or more major cloud vendors. “So, that’s been tested – we expect to see more of that. [But] in terms of substitutability, I think at this point we have to be honest: there is no substitutability option,” Lindo said. “The idea that a firm can move services wholesale to another outsourcing provider, in the short term, is unrealistic.”

Regulators are already co-operating on an international level to address concentration risk. An informal joint initiative involving the Fed, the US Treasury and their European counterparts is set to take place next week, said Lindo.

“It’s a combination of regulatory agencies and also the treasury functions in major jurisdictions,” Lindo said of the initiative. “If we can have a dialogue on what could go wrong, then we can mitigate the downside risk. We’re just one of the participants.” He declined to go into further detail.

Banks, for their part, have asked US regulators to provide more detailed guidance on the risks emanating from cloud service providers. They argue proposed guidance on third-party relationships does not distinguish between different types of outsourced services, and that cloud providers present unique risks that need to be spelled out more clearly.

Banks and cloud service providers have on occasion clashed over data-retention policies and access to data, with lines of responsibility often becoming blurred. Service providers say such problems usually arise because of misconfigurations by the customer. They have also become more sensitive to the fact that third-party outsourcing relationships are being subjected to increased scrutiny and have tried to help banks navigate the regulatory barriers that may be erected in the future.

Google Cloud, for example, maintains a large team practised in mapping cloud controls to financial services regulatory expectations. The team is made up of a number of ex-bank professionals, including the former head of op risk at Goldman Sachs, Phil Venables, as chief information security officer.
