Mission Critical Banking Services in the Cloud: The Regulatory Compliance Risk to Financial Institutions and Vendors.
John Levonick
Mission Critical Banking Apps in the Cloud
The recent trend of Financial Institutions moving "Mission Critical" applications to the Cloud is great news. While the benefits of the Cloud are exponential, it is imperative to understand that the risk is commensurate. Moving to the Cloud (Private, Public or Hybrid) will reduce IT overhead costs and streamline management and oversight burdens, creating a highly efficient and highly scalable environment for applications to live in. But the risk of managing Mission Critical services in the Cloud extends beyond the heavily regulated Financial Institutions, and the long arms of the CFPB, SEC, FDIC, OCC and FTC may soon be reaching into the vendor’s back office as it relates to the vendor’s role in supporting these Mission Critical Cloud-based banking applications.
Slick mobile applications are the key for the Financial Services industry to unlock, access and capture the Millennial Generation. But the application must work on all devices, at all times, without any glitches, constantly enhancing the user experience, regardless of time of day or day of the month. Cloud providers, like AWS, provide all of the tools Financial Institutions need to maximize the use and efficiency of the cloud, whether they be data storage tools, auto-provisioning tools, or data security and monitoring tools. But the problem is that the Cloud providers do not tell Financial Institutions how best to use these tools to protect and preserve their Consumer Data and access to Mission Critical services. This awareness of data security obligations, business continuity and disaster recovery obligations, and the ongoing management of the requisite level of these controls will be the key to successfully moving an application and/or an ecosystem to the Cloud. Can all Financial Institutions build the internal expertise to do this? Most likely not; thus, logically, the solution would be to move to Managed Service Providers (“MSPs”) to design, build and run these applications or ecosystems on behalf of the Financial Institutions.
Because moving to the Cloud permits organizations to shift the IT cost structure to focus less on hardware and managing data centers, and more on developing the Applications, all Financial Institutions will ultimately have to figure out how to successfully get to the cloud to stay competitive on a cost and content basis. Cost is currently the primary driver in Cloud adoption; it is an unfortunate reality. The second driver should be data security and redundancy, and what affirmative regulatory obligations Financial Institutions have in managing all cloud vendors and/or partners.
U.S. Regulatory bodies are fully aware of the Financial Industry’s reliance upon third-party service providers, and when Mission Critical applications are involved the CFPB (via CFPB Bulletin 2012-03), the OCC (via OCC Bulletin 2013-29), the FDIC, the SEC, and the FTC are watching… and waiting. If you are a Financial Institution relying upon MSPs, you must adequately vet the MSP's Compliance IQ. And the MSPs should know that the long arm of the regulatory agencies is merely one intrusion, breach, or inquiry away from invoking their authority over MSPs, which could be financially and reputationally catastrophic for the Financial Institution, the MSP and/or all of the MSP's other Customers. What is your MSP's Compliance IQ?
2 years ago: John, thanks for sharing!
7 years ago: To David Rutkin, Good afternoon, I don't know English, I'm sorry, From Tatsuya Fujitsuka of Japanese!
8 years ago: Excellent insight, great article!
8 years ago: Great succinct post of salient points!