Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

June 15, 2020

A Cloudy Day Is No Match for a Sunny Disposition

Heading into 2020, investments in companies providing cloud computing services were on fire. Various research firms (here and here) estimate that worldwide spending on public cloud services is growing at a compound annual growth rate that falls between 15 percent and more than 22 percent. As cloud computing matures, many financial institutions are considering the benefits that it can provide. In an October 2019 report on a worldwide survey of bankers, a vendor reported that just over half of all bankers surveyed indicated that they currently have or plan to have a cloud adoption strategy in place within the next two years. Keep in mind that this survey was administered before COVID-19 changed, at least temporarily, the business environment.

Because so much work, banking, and commerce occurs remotely, demand for cloud computing has risen. Although cloud computing can offer advantages, financial institutions need to assess and monitor the risks just as they do with other third-party providers. This may be why the Federal Financial Institutions Examination Council (FFIEC) thought the timing was right to release a statement in late April on Security in a Cloud Computing Environment.

A key takeaway from the FFIEC statement is that even though cloud providers have controls in place, or offer controls, to create a secure environment, the "buck" ultimately stops with the financial institution. It remains the financial institution's responsibility to ensure that proper security protocols are in place based on the service level agreement with its cloud providers. As with other third-party relationships, financial institutions are responsible for ongoing oversight and monitoring of their cloud providers. It may be necessary for a financial institution to implement security protocols above and beyond what cloud providers offer.

Cloud computing can make our lives easier, as evidenced by those who have been able to work remotely during the past few months. But we must also recognize the risks it poses and mitigate those as much as possible. Although the FFIEC statement doesn't contain any new regulatory expectations, it does provide excellent guidance along with a multitude of resources and references for financial institutions seeking information on cloud computing risk management. By employing effective risk management practices, financial institutions can minimize the risks of the cloud becoming a storm cloud and keep the sun shining brightly on a secure environment!
