Banking in the Cloud: Between Rogues and Regulators

Part 1: Regulations and Compliance
by James O'Neill, November 30, 2015
Industry Trends
Global, North America

Abstract

Although a few large banks are actively experimenting with cloud-based services, relatively few have taken the plunge in publicly and visibly transitioning a mission-critical banking service to the cloud. The reasons most often cited for slow adoption of cloud services in banking are data security and the fear of regulatory scrutiny. Contrary to popular belief, banking regulators are non-discriminatory when it comes to how a bank provisions its IT environment. The catch is that regulators maintain a consistently high level of expectation for the standards a bank sets for IT security.


In the report Banking in the Cloud: Between Rogues and Regulators, Celent studies the regulatory environment for IT security in the United States, seeking to determine what specific provisions govern banking applications in the cloud. The first in a two-part series regarding cloud-based banking services, this report examines the regulatory backdrop and reviews the development of new cross-industry standards for IT security. Celent demystifies the security and compliance issues, giving the reader a nuanced understanding of the IT security model for banking as it extends to the cloud.

“Capital One’s recent announcement that it is moving most of its IT infrastructure to Amazon Web Services points to the schism between banks that are embracing cloud services and those that are not,” says James O’Neill, senior analyst with Celent’s Banking practice and author of the report. “While many banks and most banking IT services vendors have eschewed the cloud over concerns regarding security and regulatory scrutiny, it has become clear that yesterday’s questions and concerns are becoming tomorrow’s thin excuses.”


Report Highlights:

  • An overview of the regulatory origins of IT security and the regulatory protection of nonpublic personal information.
  • Examination of the many detailed regulatory guidelines covering IT security.
  • A review of the specific guidance of the regulators regarding cloud-based banking services.
  • An examination of several cross-industry standards for IT security that are increasingly attracting the attention of banks that are planning on implementing new services in the cloud.

The second installment in this series will look at recent developments in the introduction of banking-specific security tools to manage IT security in the cloud, examine what the major cloud providers are doing to build confidence among FIs in the security of the public cloud, and provide key takeaways for banks that are considering a movement toward cloud services.

Celent is a research and advisory firm dedicated to helping financial institutions formulate comprehensive business and technology strategies. Celent publishes reports identifying trends and best practices in financial services technology and conducts consulting engagements for financial institutions looking to use technology to enhance existing business processes or launch new business strategies. With a team of internationally based analysts, Celent is uniquely positioned to offer strategic advice and market insights on a global basis. Celent is a member of the Oliver Wyman Group, which is a wholly-owned subsidiary of Marsh & McLennan Companies [NYSE: MMC].

Media Contacts

North America
Michele Pace
mpace@celent.com
Tel: +1 212 345 1366

Europe (London)
Chris Williams
cwilliams@celent.com
Tel: +44 (0)782 448 3336

Asia (Tokyo)
Yumi Nagaoka
ynagaoka@celent.com
Tel.: +81 3 3500 3023

Table of Contents

  • Executive Summary
      • Key Research Questions
  • Introduction
  • Regulatory Origins of IT Security
      • Nonpublic Personal Information
      • Regulatory Oversight
      • Compliance Inhibiting Cloud Adoption?
  • Bank IT Security Compliance 101
      • The Information Security Process
      • Security Controls
      • Security Monitoring
  • Compliance in the Cloud
      • TSP Compliance
      • FFIEC Statement on Cloud Computing
      • A Case of Regulatory Ambiguity?
  • Cross-Industry Standards for IT Security
      • AICPA
      • CSA
      • NIST
  • Conclusion
  • Leveraging Celent’s Expertise
      • Support for Financial Institutions
      • Support for Vendors
  • Related Celent Research