The House Financial Services Committee Task Force on Artificial Intelligence considered proposed legislation on the regulation of cloud service providers ("CSPs"). The draft bill, the "Strengthening Cybersecurity for Financial Sector Act of 2019," would authorize the National Credit Union Administration ("NCUA") and the Federal Housing Finance Agency ("FHFA") to oversee third-party cloud service vendors for (i) credit unions, (ii) Fannie Mae, (iii) Freddie Mac and (iv) Federal Home Loan Banks.

Background

In a memorandum prepared by HFC majority staff ("Staff"), the "cloud" was generally defined as business strategies, technologies and related architectures that "permit users to receive information, data, and files on demand from a third-party service provider through the internet." Staff noted that many analysts predict large banks will migrate most of their data to cloud platforms in the next five to ten years. Artificial intelligence ("AI") is expected to become increasingly important to cloud activity, as it will (1) streamline tasks and movement toward self-managed clouds, and (2) improve the management of data, including faster updates and indexing.

According to the Memorandum, two laws currently govern CSPs: (i) the Bank Service Company Act and (ii) the Gramm-Leach-Bliley Act ("GLBA"). Staff asserted that, aside from 2012 Federal Financial Institutions Examination Council guidance on outsourced cloud computing, regulators have provided minimal instruction on how financial institutions should engage with CSPs. The proposed legislation would make regulatory expectations current and would address the concentration of cloud services among a few large technology companies, which heightens the potential impact of a security incident. Staff stated that the proposed authority for the NCUA and FHFA would be similar to banking regulators' oversight of the third-party vendors of banks.

Testimony

New York University Associate Professor Meredith Broussard, an affiliate of the NYU Center for Data Science, supported the bill, saying that "citizens' rights and human rights must be protected online as they are offline." She advocated for (i) the "abundant oversight of CSPs," (ii) legislation that would mandate financial regulatory compliance training for staffers of CSPs, and (iii) legislation that would make data server farms liable for data breaches.

Internet Association Cloud Policy Director and Counsel Alla Goldman Seiffert minimized concerns regarding cloud computing by emphasizing its potential to help the financial sector enhance cybersecurity and operational resilience.

McAfee, LLC Senior Vice President and Chief Technology Officer Steve Grobman urged policymakers to avoid imposing additional cybersecurity regulations and, instead, to (i) support industry-approved standards and best practices (e.g., the NIST Cybersecurity Framework) and (ii) update existing cybersecurity rules to address new technologies when necessary. Mr. Grobman stated that the biggest challenges facing financial services and cloud providers are (i) conflicting regulations, (ii) a constantly evolving technology landscape, and (iii) the increasing sophistication of cyberattacks.

Inpher CEO and Co-Founder Jordan Brandt advocated for AI and privacy protections. Dr. Brandt warned that the United States is in a "technology arms race" against other countries, such as China, that do not protect individual rights.

American Bankers Association Senior Vice President of Risk Cybersecurity Policy Paul Benda reminded the Task Force that:

  1. financial institutions are required to protect their data, regardless of where it is stored, pursuant to Title V of the GLBA;
  2. each financial institution must determine whether using the cloud is the right option based on its business model and risk analysis and mitigation strategy, as well as regulatory requirements;
  3. financial institutions, CSPs and regulators should work together to create the appropriate governing framework for cloud security; and
  4. additional clarification of the roles and responsibilities of regulators with oversight of the CSPs would be helpful to market participants.

Primary Sources

  1. U.S. House Financial Services Committee Calendar: Friday, October 18, 2019
  2. YouTube Video of U.S. House Financial Services Committee Hearing: "AI and the Evolution of Cloud Computing - Evaluating How Financial Data Is Stored, Protected and Maintained by Cloud Providers"
  3. U.S. House Financial Services Committee Majority Staff Memorandum: "AI and the Evolution of Cloud Computing - Evaluating How Financial Data Is Stored, Protected, and Maintained by Cloud Providers" (Oct. 18, 2019)
  4. House Financial Services Committee Discussion Draft of H.R. ___: "Strengthening Cybersecurity for Financial Sector Act of 2019"
  5. Congressional Testimony, Meredith Broussard, Remarks on AI and Evolution of Cloud Computing
  6. Congressional Testimony, Alla Goldman Seiffert, Remarks on AI and Evolution of Cloud Computing
  7. Congressional Testimony, Steve Grobman, Remarks on AI and Evolution of Cloud Computing
  8. Congressional Testimony, Jordan Brandt, Remarks on AI and Evolution of Cloud Computing
  9. Congressional Testimony, Paul Benda, Remarks on AI and Evolution of Cloud Computing
  10. Federal Financial Institutions Examination Council ("FFIEC"): Informational Statement on Outsourced Cloud Computing (July 10, 2012)
  11. National Institute of Standards and Technology ("NIST"): Cybersecurity Framework
