FFIEC Statement on Cloud Computing; FinCEN Hearing on Customer Due Diligence
Written by Bernadette Clair, Regulatory Compliance Counsel
Earlier this week, the Federal Financial Institutions Examination Council (FFIEC) issued a statement addressing risk management of outsourced cloud computing activities.
Current guidance contained in the FFIEC Information Technology Examination Handbook, and in particular the Outsourcing Technology Services Booklet (âÂÂOutsourcing BookletâÂÂ), already addresses cloud computing. This statement is intended to provide an expanded discussion of the risks, as well as key elements of outsourced cloud computing implementation and risk management as they relate to the existing guidance.
Covered topics include:
- Due Diligence
- Vendor Management
- Audit
- Information Security
- Legal, Regulatory, and Reputational Considerations
- Business Continuity Planning
In particular, the section on due diligence caught my eye, noting the responsibility of the board and management âÂÂto ensure that the third-party activity is conducted in a safe and a sound manner and in compliance with applicable laws and regulations.â Potential cloud computing issues noted under the due diligence section include:
 âÂÂData classification: How sensitive is the data that will be placed in the cloud (e.g., confidential, critical, public) and what controls should be in place to ensure it is properly protected? Does the cloud service provider appropriately encrypt or otherwise protect non-public personal information (NPPI) and other data whose disclosure could harm the institution or its customers?
 Data segregation: Will the financial institutionâÂÂs data share resources with data from other cloud clients? For example, will the data be transmitted over the same networks, and stored or processed on servers that are also used by other clients? If so, what controls does the service provider have to ensure the integrity and confidentiality of the financial institutionâÂÂs data?
 Recoverability: How will the service provider respond to disasters and ensure continued service? Do the financial institutionâÂÂs disaster recovery and business continuity plans include appropriate consideration of this form of outsourcing, the service providerâÂÂs disaster recovery and business continuity plans, and the availability of essential communications links?âÂÂ
 See the statement for the complete discussion.
 ****
FinCEN Hearing. FinCEN intends to hold a series of hearings on issues raised by commenters regarding the Advance Notice of Proposed Rulemaking (ANPR) on Customer Due Diligence (CDD) Requirements for Financial Institutions. The first hearing is scheduled for July 31st.
FinCEN seeks clarification primarily on issues dealing with beneficial ownership, risk mitigation, due diligence on trust accounts, and shell companies. See the notice for the complete list of issues, and information on providing comments or attending the hearing.
For more information on the ANPR itself, see our previous blogs on March 5th and March 6th.