Data placement in the cloud and regulations for US financial services
As momentum builds behind public cloud infrastructure solutions, even highly regulated industries like financial services are exploring their options. While regulations and security are often seen as stumbling blocks for public cloud acceptance in financial services, reviewing available information on U.S. regulatory guidance and privacy law suggests there may be ways to move into the cloud in compliance-friendly ways. This article, of course, should not replace input from appropriate legal advisors. The research behind this article focused on privacy law and requirements around U.S. banks rather than international issues that might arise from data placement in the cloud.
The U.S. banking industry has several regulatory bodies, including the Federal Reserve Board, the Federal Deposit Insurance Corporation, The National Credit Union Administration, the Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau. A consortium group called the Federal Financial Institutions Examination Council maintains a clearing house for guidance and regulatory information from the various regulators. On July 10, 2012, the Council issued a press release with guidance on public cloud utilization in banking.
The core of the guidance is public cloud risk management should follow the same risk management principles as any outsourcing contract. “The Federal Financial Institution Examination Council Agencies consider cloud computing to be another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing.”
The Council calls out some specific areas for attention by regulated entities.
Due diligence: Outsourcing to cloud doesn’t excuse entities from due diligence around data management. Good data practices like data classification, segregation, and ensuring recoverability should be followed.
Vendor management: Cloud services unfamiliar with finance may require additional controls to provide appropriate checks and oversight.
Audit: Cloud services must preserve transparency and regulators’ ability to audit.
Information security: Information security analogous or consistent with internal practice must be maintained
Legal, regulatory, and reputational considerations: Applicable law must be observed
Business continuity planning: Appropriate plans around disaster recovery and data recoverability must be in place.
The Council makes special reference to legal considerations, and it is worth a deeper exploration of what those are. The primary privacy regulations affecting U.S. financial services are contained in the Gramm-Leach-Bliley Act (GLB). GLB originated as a response to concerns about banks sharing detailed account-holder information with third parties for marketing or cross-selling purposes.
The act basically specifies handling requirements around data deemed personally identifiable and non-public. It bars sharing such data with third parties without explicit agreement from customers. GLB applies to a broad range of U.S. financial services including banks, mortgage originators and servicers, consumer credit agencies, et al.
Because outsourcing infrastructure provisioning to a public cloud is, almost by definition, allowing 3rd party access to data, some specifics about GLB merit a closer look. Fundamentally, the law requires financial services firms to preserve the privacy of “non-public personal information” by enacting a variety of personnel and computer systems security policies. In the event a firm wants or needs to share information with a third party, the customer must be notified and given the opportunity to opt out.
Privacy obligations only apply to non-public personal information. This might include account numbers, or information from an application for an account–even information in an internet cookie is considered protected. What is not protected is non-identifiable aggregate data or information that can be gleaned from other public records (mortgage holders are often recorded in deed documents, for instance).
As to how to protect that information, firms (and by extension, their 3rd party outsource partners) must implement a comprehensive security program to ensure security and confidentiality of protected data, protecting against anticipated threats or unauthorized access. Such a program might be composed of employee training and management as well as information systems management.
Background checks and restriction of data access to those employees with a need to know are a cornerstone of secure data management. Other employee-focused policies are strong, frequently changed passwords, remote access restrictions, and prompt deactivation of departing personnel’s passwords and user names.
A security policy might also include procedures around information systems. Appropriate encryption, security patching, firewalls, intrusion detection systems, anti-virus, and other prophylactic security measures must be used.
When dealing with service providers, it is important to have agreements about these policies in writing to safeguard non-public Information appropriately. Additionally, you should review policies and procedures with audits, testing, or other controls to monitor the provider’s compliance.
While these steps are unmistakably a burden, they are challenges most firms have shouldered in other outsourcing arrangements.
In summary, while there remains a lot of fear, uncertainty, and doubt around regulatory discussions with financial services in the public cloud, a review of the available information is not as forbidding as one might suppose. The guidance points to outsourcing as the model, and there is ample precedent and experience with outsourcing systems. U.S. financial firms hoping to take advantage of the speed, flexibility, and cost efficiencies of the public cloud should proceed, with caution, of course, but optimistically.
What advice would you share on the matter? Let us know in the comments.