Banking in the Cloud: Between Rogues and Regulators

Part 1: Regulations and Compliance
by James O'Neill, November 30, 2015
Industry Trends
Global, North America


Although a few large banks are actively experimenting with cloud-based services, relatively few have taken the plunge in publicly and visibly transitioning a mission-critical banking service to the cloud. The reasons most often cited for slow adoption of cloud services in banking are data security and the fear of regulatory scrutiny. Contrary to popular belief, banking regulators are non-discriminatory when it comes to how a bank provisions its IT environment. The catch is that regulators maintain a consistently high level of expectation for the standards a bank sets for IT security.


In the report Banking in the Cloud: Between Rogues and Regulators, Celent studies the regulatory environment for IT security in the United States, seeking to determine what specific provisions govern banking applications in the cloud. The first in a two-part series regarding cloud-based banking services, this report examines the regulatory backdrop and reviews the development of new cross-industry standards for IT security. Celent demystifies the security and compliance issues, giving the reader a nuanced understanding of the IT security model for banking as it extends to the cloud.

“Capital One’s recent announcement that it is moving most of its IT infrastructure to Amazon Web Services points to the schism between banks that are embracing cloud services and those that are not,” says James O’Neill, senior analyst with Celent’s Banking practice and author of the report. “While many banks and most banking IT services vendors have eschewed the cloud over concerns regarding security and regulatory scrutiny, it has become clear that yesterday’s questions and concerns are becoming tomorrow’s thin excuses.”


Report Highlights:

  • An overview of the regulatory origins of IT security and the regulatory protection of nonpublic personal information.
  • Examination of the many detailed regulatory guidelines covering IT security.
  • A review of the specific guidance of the regulators regarding cloud-based banking services.
  • An examination of several cross-industry standards for IT security that are increasingly attracting the attention of banks that are planning on implementing new services in the cloud.

The second installment in this series will look at recent developments in the introduction of banking-specific security tools to manage IT security in the cloud, examine what the major cloud providers are doing to build confidence among FIs in the security of the public cloud, and provide key takeaways for banks that are considering a movement toward cloud services.

Celent is a research and advisory firm dedicated to helping financial institutions formulate comprehensive business and technology strategies. Celent publishes reports identifying trends and best practices in financial services technology and conducts consulting engagements for financial institutions looking to use technology to enhance existing business processes or launch new business strategies. With a team of internationally based analysts, Celent is uniquely positioned to offer strategic advice and market insights on a global basis. Celent is a member of the Oliver Wyman Group, which is a wholly-owned operating unit of Marsh & McLennan Companies [NYSE: MMC].

Media Contacts

North America
Michele Pace
Tel: +1 212 345 1366

Europe (London)
Chris Williams
Tel: +44 (0)782 448 3336

Asia (Tokyo)
Yumi Nagaoka
Tel: +81 3 3500 3023

Table of Contents

  • Executive Summary
  • Key Research Questions
  • Regulatory Origins of IT Security
  • Nonpublic Personal Information
  • Regulatory Oversight
  • Compliance Inhibiting Cloud Adoption?
  • Bank IT Security Compliance 101
  • The Information Security Process
  • Security Controls
  • Security Monitoring
  • Compliance in the Cloud
  • TSP Compliance
  • FFIEC Statement on Cloud Computing
  • A Case of Regulatory Ambiguity?
  • Cross-Industry Standards for IT Security
  • Leveraging Celent’s Expertise
  • Support for Financial Institutions
  • Support for Vendors
  • Related Celent Research

