An Update on Cloud Computing in the Financial Sector

In 2023, we summarized the U.S. Department of Treasury report that raised concerns about the growing reliance of financial institutions (FIs) on cloud computing. Treasury highlighted structural imbalances and regulatory blind spots in the relationship between FIs and cloud service providers (CSPs).

Since then, in an effort to encourage more compliant relationships, a Treasury group comprising the FSSCC, ABA and SIFMA has proposed guidance in the form of a toolkit that maps FI regulatory obligations to corresponding CSP responsibilities. The toolkit, titled Cloud Outsourcing Issues and Considerations (the “Report”), arms lawyers and procurement teams with specific guidance to bridge regulatory expectations and contractual realities.

Despite their frequent practice of outsourcing cloud infrastructure, FIs remain on the hook for the compliance of their technology environment. The Report confirms that uneven bargaining power, especially for smaller FIs, continues to constrain their ability to secure meaningful contractual protections from CSPs. To alleviate those risks, the Report distills key issues into actionable recommendations that should shape every cloud outsourcing engagement, and encourages CSPs to embrace the regulations in order to meaningfully enable FIs to meet their regulatory compliance obligations.

For a summary of the Report’s mapping of risks to regulatory requirements and to proposed mitigants, look to this chart for an easy-to-reference guide for FIs (as well as other customers of CSPs that may be a part of an FI’s ecosystem) on issues to address in cloud contracting.

The framework offered by the Report serves not only as a useful starting point for flagging issues in the contracting process, but also as a checklist of operational risks that FIs should be hedging against, regardless of the strength of their cloud agreements.

The Report is not meant to be comprehensive (it addresses only three of the six challenges highlighted by Treasury in its 2023 report), nor is it static. As the cloud landscape shifts, these risks and mitigants will require iteration. In particular, FIs purchasing generative artificial intelligence services from their CSPs encounter not only the challenges described above, but also a host of other regulatory and operational risks.

Given the broad scope of the risks identified by the Report, negotiating and governing your organization’s relationship with its CSP should be a priority for attorneys in the technology space. Pillsbury’s cross-disciplinary team brings deep experience at the intersection of regulation, risk and technology contracting, making us well-positioned to help your organization manage its CSP relationships with confidence.


RELATED ARTICLES

U.S. Department of the Treasury Confronts the Risks to the Financial Sector Associated with Cloud Computing