U.S. flag

An official website of the United States government

Financial Institution Letter

FFIEC Joint Statement on Risk Management for Cloud Computing Services

April 30, 2020  |  FIL-52-2020

Summary:

The FDIC, as a member of the Federal Financial Institutions Examination Council (FFIEC), is issuing the attached statement addressing the use of cloud computing services and security risk management principles in the financial services sector.

Statement of Applicability to Institutions under $1 Billion in Total Assets: This Financial Institution Letter (FIL) applies to all FDIC-Supervised Financial Institutions.

Highlights:

  • Inherent in the use of cloud computing services are shared responsibilities between the provider and the client. The attached document identifies responsibilities financial institutions would have when contracting with cloud computing providers.
  • The attached document provides examples of risk management practices for a financial institution's safe and sound use of cloud computing services and safeguards to protect its customers' sensitive information from risks that pose potential consumer harm.
  • The attached document includes a list of public and private sector resources and references that can assist financial institutions with managing cloud computing services.

Suggested Distribution:

FDIC-supervised financial institutions and their service providers

Suggested Routing:

Chief Executive Officer
Chief Information Officer
Chief Information Security Officer

Related Topics:

FFIEC IT Examination Handbook

Attachments:

Paper copies of FDIC FILs may be obtained through the FDIC's Public Information Center, 3501 Fairfax Drive, E-1002, Arlington, VA 22226 (1-877-275-3342 or 703-562-2200).