The Wall Street Journal reported on November 21, 2019, that the Federal Reserve is considering whether to begin examining data storage technology service providers (“TSPs”) of the banks that it regulates.  While financial regulators have long scrutinized TSPs generally, this report indicates a new interest by a federal regulator in direct oversight of TSPs, particularly those that provide data storage on media such as the cloud.

Possible Fed Exams of TSPs

Some banks utilize TSPs for data storage and other services, and according to the deputy general counsel for litigation, enforcement, and system matters at the Federal Reserve, the Federal Reserve believes it has the authority under the Bank Service Company Act (“BSCA”) to examine TSPs even though they might be technology companies and not banks. According to the WSJ report, the Federal Reserve is still considering the appropriate scope of any examinations. Consistent with its authority to ensure the safety and soundness of the financial system, the Federal Reserve appears to be focused on systemic risk, especially where multiple banks rely on the same third-party provider or vendor.

Actions by Other Regulators

The WSJ report is representative of an increased focus by several regulators on the use of third-party data storage and other cloud services — focusing sometimes on regulated financial services intermediaries and sometimes on the technology companies that provide such data storage and other services to financial intermediaries.

  • In March 2019, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations issued a “Risk Alert” identifying steps that investment advisers and broker-dealers might take to mitigate risks relating to “various network storage solutions, including those leveraging cloud-based storage,” and encouraged regulated intermediaries to “actively oversee any vendors” of such products and services.
  • The Financial Industry Regulatory Authority (“FINRA”) issued a notice in October 2019 about steps that FINRA member firms are taking to address the risk of cloud-based email account takeovers.
  • The National Futures Association (“NFA”) issued an interpretive notice, last updated in September 2019, that includes guidance on the kinds of due diligence that an NFA member’s information systems security program (“ISSP”) should include with regard to such ISSP elements as “cloud-based services such as data storage.”
  • The SEC has examined its own use of cloud computing services, including the agency’s responsibilities in “protecting agency systems that use cloud computing services,” as set out by the SEC’s Inspector General in a report published in November 2019.
  • At its November 7, 2019 meeting, the Financial Stability Oversight Council received a presentation on whether TSPs could be classified as financial market utilities and discussed how existing banking laws might apply to TSPs.

Common to all of these regulatory initiatives is a focus on the potential risks to the broader financial system posed by cloud or technology-based data storage, as well as a myriad of measures that are intended to identify and mitigate such risks. Ultimately, regulators are seeking to balance the tremendous benefits afforded by technology-based data storage against information security concerns that could materially impair the financial system. As technology and financial services integrate more comprehensively, regulators and the financial industry will have to consistently work together to identify, mitigate, and reduce the potential risks.