Today’s digital landscape has transformed the operational calculus for financial institutions (FIs) and corporations.
And with the news Thursday (July 17) that the U.S. Department of the Treasury and the Financial Services Sector Coordinating Council (FSSCC) published a suite of resources to share with financial services institutions on effective practices for their secure cloud adoption journey, bringing financial and payments workflows and processes securely and compliantly up to date with the latest technology is top-of-mind for forward-thinking organizations.
That’s because — even though traditional, on-premises solutions simply aren’t cutting it in today’s fast-moving environment, where even the smallest frictions can see customers moving their business to more streamlined offerings — security-critical organizations across finance and payments may be hesitant to update systems they already feel comfortable with.
“Banks and other financial services firms know they must adapt to new technologies, but many have been uncertain as to how to do so safely and soundly,” said Acting Comptroller of the Currency Michael J. Hsu in a statement provided to PYMNTS. “Today’s publications mark a significant step forward by providing a roadmap and helpful resources for banks of all sizes. These documents also clarify cloud service providers’ responsibilities for ensuring a secure and resilient financial system.”
The financial sector’s ongoing transition to cloud-native services is being driven by several factors, including the need for greater agility, cost efficiency, enhanced security and the ability to leverage additional advanced technologies such as artificial intelligence (AI) and machine learning (ML).
“Our financial system is essential infrastructure for the entire economy, and it is deeply reliant on a handful of powerful Big Tech cloud service providers,” said Consumer Financial Protection Bureau Director (CFPB) Rohit Chopra in a statement. “Our work will help protect the financial industry from outages and disruption by leveling the playing field between financial firms of all sizes and big cloud service providers.”
Read more: 2024 Is the Year Businesses Put Technical Debt to Bed
The initiative, driven by the Financial Stability Oversight Council (FSOC), aims to address several critical gaps identified in the Treasury’s landmark report on the Financial Services Sector’s Cloud Adoption.
These gaps include the need for a common lexicon, enhanced information sharing, better oversight, third-party risk management and improved transparency and monitoring of cloud services.
Addressing the first challenge, the lack of a common vocabulary, The Cloud Lexicon, developed by the Office of the Comptroller of the Currency (OCC) and published Wednesday, provides a standardized set of terms used by cloud service providers (CSPs) and financial institutions. The foundational document is meant to ensure that all parties involved can communicate clearly and effectively, reducing misunderstandings and aligning expectations.
The new resources also include an assessment of existing authorities for CSP oversight. This assessment helps financial institutions understand the regulatory landscape and ensures that their cloud strategies comply with current legal and supervisory frameworks.
And given the significant risks associated with third-party service providers, the FSSCC has developed a document titled “Financial Sector Cloud Outsourcing Issues and Considerations.”
Read more: Recent High-Profile Cyber Breaches Highlight Need for Fault-Tolerant Security
This document, created in collaboration with the American Bankers Association (ABA) and the Securities Industry and Financial Markets Association (SIFMA), provides key considerations for developing contractual provisions between FIs and CSPs. These provisions address cybersecurity, resilience, third-party due diligence and compliance with regulatory expectations.
“These documents are an important step forward in the CESG’s effort to make the cloud safer and more resilient within and beyond the financial services industry,” said Bill Demchak, Chairman and CEO, PNC Financial Services Group, in a statement shared with PYMNTS. “The strong partnership between public- and private-sector leaders allows us to take a more holistic, collaborative approach to defending against evolving threats.”
PYMNTS has been tracking the rapid evolution of the cyber threat landscape, underscored by the number of attacks this summer, including a “significant volume of data” being stolen last month from at least 165 customers of multi-cloud data warehousing platform Snowflake — including the theft of personal information from “nearly all” of AT&T’s wireless customers.
See also: The Cost of Legacy Payments in Light of Innovation’s ROI
Included in the newly published resources, The Transparency and Monitoring for Better “Secure-by-Design” document, created by the FSSCC Transparency and Monitoring Secure-by-Design Workstream and the Financial Services Information Sharing and Analysis Center (FS-ISAC), addresses service transparency, architecture best practices, and CSP resilience management.
The document proposes baseline security configurations that simplify the deployment of secure CSP workloads, making it easier for financial institutions to implement secure infrastructure with minimal engineering.
Taken together, the resources published by the Treasury and the FSSCC represent a significant advancement in guiding financial institutions through the complexities of secure cloud adoption, providing a robust framework for FIs to safely and effectively embrace cloud technologies.
After all, as experts have repeatedly told PYMNTS for the “What’s Next in Payments” series, banking’s future is set to be transformative — and defined increasingly by digital shifts, FinTech collabs and open banking opportunities.
That’s why modernization, ultimately, is not just a technological upgrade; it’s a strategic necessity being driven by the need to meet the dynamic, emerging expectations of end-customers.