Banking in the Cloud: Between Rogues and Regulators, Part 2

The Emergence of the Compliant Public Cloud
by James O'Neill, April 1, 2016
North America


Although a few large banks are experimenting with cloud-based services, few have taken the plunge in publicly and visibly transitioning a mission-critical banking service to the cloud. The reasons most often cited for slow adoption of cloud services in banking are data security and the fear of regulatory scrutiny. Contrary to popular belief, banking regulators are non-discriminatory when it comes to how a bank provisions its IT environment. The catch is that regulators maintain a consistently high level of expectation for the standards a bank sets for IT security.

In the second installment of Banking in the Cloud: Between Rogues and Regulators, Celent examines the evolving relationship between banking regulation and the cross-industry standards for IT security in the cloud, and goes on to identify the key takeaways for financial institutions formulating their cloud strategy. 

Part one of this series provided an in-depth review of the pertinent guidelines of the FFIEC regarding IT security and concluded that increased regulatory scrutiny from cloud services was more myth than reality. The first report also went on to demystify the security and compliance issues facing banks.

Cyberattacks against banks accounted for 6% of all attacks worldwide in 2014, but loss of personal information by banks was more than 20% of the total, second only to retail. In that context, the FFIEC’s recent guidance that IT outsourcing, including cloud-based services, can actually decrease cybersecurity risk is a watershed event.

“These developments mean that yesterday’s reasoned principles for abstaining from cloud services are becoming tomorrow’s thin excuses. Slow-moving banks will once again find themselves at a disadvantage competitively and financially,” says James O’Neill, a senior analyst with Celent’s Banking practice and author of the report.

Report highlights include:

  • A discussion of dynamics in the struggle between cyberattackers and banks.
  • Examination of the rapidly evolving compliance tools and governance mechanisms for cloud services, such as the CSA’s Cloud Control Matrix.
  • A look at the movement of the FFIEC toward cross-industry standards for building a secure cloud-based processing environment.
  • Key takeaways for banks considering the opportunities presented by cloud-based services.

Celent is a research and advisory firm dedicated to helping financial institutions formulate comprehensive business and technology strategies. Celent publishes reports identifying trends and best practices in financial services technology and conducts consulting engagements for financial institutions looking to use technology to enhance existing business processes or launch new business strategies. With a team of internationally based analysts, Celent is uniquely positioned to offer strategic advice and market insights on a global basis. Celent is a member of the Oliver Wyman Group, which is a wholly-owned operating unit of Marsh & McLennan Companies [NYSE: MMC].

Media Contacts

North America
Michele Pace
Tel: +1 212 345 1366

Europe (London)
Chris Williams
Tel: +44 (0)782 448 3336

Asia (Tokyo)
Yumi Nagaoka
Tel: +81 3 3500 3023

Table of Contents

  • Executive Summary
  • Key Research Questions
  • Dynamics of Cybersecurity
  • The Rogues
  • The Regulators
  • The Banks
  • The Compliant Cloud
  • AICPA Common Criteria
  • NIST Cybersecurity Framework
  • FFIEC Cybersecurity Assessment Tool
  • Takeaways for Financial Institutions
  • Regulators Support Cloud
  • Cloud Services Are Enterprise-Ready
  • Cloud Services Can Increase Data Security
  • Security Standards Are Converging
  • Traditional TSPs Are Late to the Party
  • The Path Forward
  • Leveraging Celent’s Expertise
  • Support for Financial Institutions
  • Support for Vendors
  • Related Celent Research

