Compliance…Cloud…How Compliance Officers can feel comfortable with both topics

Compliance expert, Greg Sawyers, shares questions to ask your financial institution when considering cloud computing services.

Greg Sawyers
Greg Sawyers – Product Compliance Officer

One of the latest technological advances for financial institutions is cloud computing. Even though the cloud has been around for many years, financial institutions have not begun to utilize this service, until recently. I remember a day not too long ago when I was working at a financial institution and we were beginning the process of utilizing the cloud. Regulators and auditors were perplexed at what we were doing and how could we be taking on this risk. Fast forward to 2020 and cloud is all the craze.

As Compliance Professionals, we are typically risk adverse because that is the nature of what we do for our institutions…mitigate risk. In considering this technological advance, we must find a way to grow comfortable with the technology because it is not going away. I believe all of us can agree that the best way to become comfortable with this change is to understand what it is, how it can help, and how to mitigate the risk.

Let’s start with why technology is moving in this direction. The cloud computing service is provided to you as an institution, but is managed by another company and accessed over the Internet. The provider manages the service, so your institution doesn’t have to hire a large team of people to manage the environment. Furthermore, and showing the importance of this capability as we go through the current health pandemic, it is on-demand as long as you have access to an Internet connection. In a nutshell, there are reduced infrastructure costs for your various locations; applications can grow easier and can scale up or down at a short notice; you aren’t considering a ten year growth plan, building an infrastructure and only pay for what you need at the time; and finally the cloud environment is managed under a service-level agreement (SLA).

So, what does this mean for you? Compliance Professionals help institutions manage risk, so it means that you must have both a strong vendor management program and information security program that include compliance as a resource for all things regulatory. Compliance Professionals as a group should ask some of the following questions:

• There are three types of cloud computing, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Which one are we considering?
• Is the cloud environment public, private, or a hybrid?
• If it is a public cloud, who is providing it?
• What cloud components are accessible to public web? What components restricted?
• What cloud components are shared with other tenants?
• What level of segregation exists between tenants and production vs non-production environments?
• Who is able to physically or logically access my services and data?
• What country and locations may my data, or access to my data, reside?
• Describe the levels/layers of encryption?
• What is the turnaround time if a service goes down?
• Are services updated automatically without notice and / or approval?
• Is there a redundant backup of all of our information?
• How often do you have a SOC2 Type II performed of your environment?
• What steps do you take to secure the privacy and confidentiality of the data?
• Do you require independent penetration testing to be performed?
• If they had a penetration test, what were the results?
• What is the security incident policy if a hack is detected?

In the end, securing your customer data has to be top of mind for any decision that you make. The FFIEC has provided some great resources within the IT Handbook that will aid you in all of your decisions. In addition, the Temenos Compliance Team will be hosting a monthly Live Q&A Webinar. Attend the next Q&A on May 20th, focusing on Fair Lending. This blog will be updated with the registration link when that becomes available. Watch the recorded version of the April webinar here, covering Payment Deferral Programs, held on April 22nd, 2020.

Filed under:

Greg Sawyers
Greg Sawyers – Product Compliance Officer