Cloud computing and financial institution responsibilities

Iowa Banking Law Dickinson Law Firm Des Moines, Iowa

Posted on 08/08/2012 at 08:01 AM by The Newsroom

The Federal Financial Institution Examination Council's (FFEIC) Information Technology Subcommittee issued a recent paper addressing key risks of outsourced cloud computing.  Cloud computing is a general term for anything that involves delivering hosted technology services over the Internet.  Cloud computing has become more popular as businesses look to outside sources to provide infrastructure, computing platforms, and software as a service.  Outsourcing to a cloud service provider can be advantageous to financial institutions because of potential benefits such as cost reduction, flexibility, scalability, improved load balancing, and speed. The FFEIC's recent paper identifies cloud computing as just another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing.  As detailed in the FFEIC's Outsourcing Booklet, a due diligence review should be performed to ensure that the provider will meet the institution's requirements.  Following are the potential issues identified by the FFEIC related to cloud computing: Data classification:  How sensitive is the data that will be place in the cloud and what controls should be in place to ensure it is properly protected?  Does the cloud service provider appropriately encrypt or otherwise protect non-public personal information (NPPI) and other data? Data segregation: Will the financial institution's data share resources with data from other cloud clients?  If so, what controls does the service provider have to ensure the integrity and confidentiality of the financial institution's data? Recoverability: How will the service provider respond to disasters and ensure continued service? Do the financial institution's disaster recovery and business continuity plans to include appropriate consideration of this form of outsourcing, the service provider's disaster recovery and business continuity plans, and the availability of essential communications links? Regulatory requirements: Is the service provider able to implement changes to meet regulatory requirements? Disengagement:  In the event of a contract termination, can the institution disengage without the loss and integrity of the data for a smooth transition to another provider? Although many of the risks identified above are applicable to any outsourced provider, cloud computing may require more robust controls due to the nature of the service.  Thorough due diligence and risk assessment specific to cloud computing services must be performed prior to entering into an agreement.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.

Categories: Banking Law


Questions, Contact us today.

Contact Us


The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm.  Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys.  If specific legal information is needed, please retain and consult with an attorney of your own selection.