Newsroom

July 11, 2012 – The Federal Financial Institution Examination Council said Tuesday it views cloud computing as having the same basic risk characteristics as traditional forms of outsourcing, so financial institutions may need to put in place more robust controls to use the service.

In an official statement, the FFIEC recommends that financial institutions consider the fundamentals of risk and risk management defined in the FFIEC Information Technology Examination Handbook, especially the Outsourcing Technology Services Booklet.

While the council recognizes the potential benefits of the service, such as cost reduction, flexibility, scalability and speed, it urges financial institutions to "ensure such actions are consistent with the institution's strategic plans and corporate objectives approved by the board of directors and senior management."

The group also cautioned that managing a cloud computing service provider may require "additional controls if the servicer is unfamiliar with the financial industry and the financial institution's legal and regulatory requirements for safeguarding customer information and other sensitive data."

Cloud computing may also present risks that the institution is unable or unwilling to mitigate, the FFIEC said. "One example of such risks would be if the servicer is not implementing changes to meet regulatory requirements. Under such circumstances, management may determine that the institution cannot employ the servicer."