The Treasury Department warned of the potential risks to the banking sector as financial institutions continue to use cloud-based technologies, according to a report released Wednesday.
The report cautions against letting a growing number of financial institutions rely on a relative handful of cloud providers to support remote work and promote innovation through artificial intelligence, for example.
Such partnerships can reduce costs, rapidly deploy new information technology assets, lessen the development time for new products and services. But the benefits come at a cost. Risk can vary based on how much of an institution’s IT infrastructure depends on one provider, or how complex the interplay is for a large institution that may use a mix of public and private cloud services along with their own data centers.
Though cloud-computing services are offered by many tech firms, Amazon Web Services, Microsoft Azure and Google Cloud Platform are among the most sought-after.
“A large system failure or data breach at one of these [cloud-service providers] could impact multiple financial institutions or U.S. consumers, though there are open questions about the extent of that impact,” the Treasury Department noted.
The responsibility of cloud providers in case of a breach of banking data has been hotly debated. Lawmakers, banks and cloud providers all seemed to offer differing perspectives on the breakdown of responsibilities in the wake of the 2019 Capital One breach. (The bank uses Amazon Web Services as its cloud provider.)
In the same year, an investigative report by The Wall Street Journal found that China’s intelligence service allegedly stole volumes of intellectual property records from scores of companies for many years. The hackers apparently entered through cloud service providers, where companies thought their data was in safe hands.
But companies like Google and Microsoft vouch that their cloud services are very secure.
“We’re committed to working with financial services customers and regulators to provide them with controls and assurances on risk management, data locality, transparency, and compliance,” a Google spokesperson told The Wall Street Journal.
Financial regulators from various government agencies are expected to discuss the Treasury report this week at the Financial Stability Oversight Council, headed by Janet Yellen.
The report noted some significant challenges, such as how to increase transparency to support better due diligence and monitoring by financial institutions. The report also cited gaps in the talent pool deploying cloud services, limited negotiation on contracts given the cloud providers’ market concentration, and the prospects for global regulatory consensus.
Treasury will launch an interagency Cloud Services Steering Group within the next year to handle most of the issues identified in the report — namely, closer domestic cooperation among U.S. regulators on cloud services and development of best practices for cloud adoption frameworks and cloud contracts.
Officials from Treasury, the Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau will be part of the group, a Treasury official told The Wall Street Journal.
Though the report neither endorses nor discourages the use of cloud computing services, it tries to evaluate the risks associated with the limited number of providers.
“There is no question that providing consumers with secure and reliable financial services means greater demand for cloud-based technologies,” said Wally Adeyemo, deputy secretary of the Treasury. “Treasury is committed to working with financial regulators, industry partners and cloud service providers to drive greater collaboration and transparency.
“By building trust, cooperation, and collaboration at the outset, we can promote safe and effective migration for financial institutions that choose to adopt cloud services,” he said.