SIFMA developed this white paper to demonstrate the fundamental role the U.S. financial services industry plays in the U.S. economy…
Navigating Regulatory Challenges in Cloud Infrastructure Services Agreements
Financial institutions adopt innovative technology to provide better client service, improve operational efficiency, enhance compliance, and save money. Cloud technology may help financial institutions reach these goals. Many financial institutions want to expand their use of cloud technology primarily for faster and cheaper scalability of computing power and data storage than is currently offered by more traditional, locally installed solutions. To date, many financial institutions have not expansively adopted cloud technology, partially due to the obstacles imposed by regulations and guidance and partially due to the industry’s judiciousness in adopting new technologies. Nevertheless, financial institutions should address the increasingly critical position that cloud technology will occupy, directly or indirectly, in their operations.
Financial institutions should weigh the overall risks associated with having only a small number of vendors that provide Infrastructure as a Service services (“IaaS Vendors” and “IaaS Services”). The same IaaS Vendors provide IaaS Services directly to financial institutions as well as indirectly as subcontractors to many Software as a Service vendors (“SaaS Vendors”), Platform as a Service vendors (“PaaS Vendors”) and other types of vendors (e.g., managed and professional service providers, consultants, law firms) that provide services to financial institutions. IaaS Vendors and all vendors that use IaaS Services to provide services to financial institutions are referred to as “Vendors”. Such widespread reliance on IaaS Vendors constitutes a concentration risk to financial institutions. To help mitigate concentration risks, and other risks associated with the failure or poor performance of IaaS Vendors, financial institutions could consider contractual obligations that support, and are consistent with, the applicable regulatory expectations and requirements.