Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
Financial Institution Letter
FFIEC Joint Statement on Risk Management for Cloud Computing Services


The FDIC, as a member of the Federal Financial Institutions Examination Council (FFIEC), is issuing the attached statement addressing the use of cloud computing services and security risk management principles in the financial services sector.

Statement of Applicability to Institutions under $1 Billion in Total Assets: This Financial Institution Letter (FIL) applies to all FDIC-Supervised Financial Institutions.


  • Inherent in the use of cloud computing services are shared responsibilities between the provider and the client. The attached document identifies responsibilities financial institutions would have when contracting with cloud computing providers.
  • The attached document provides examples of risk management practices for a financial institution's safe and sound use of cloud computing services and safeguards to protect its customers' sensitive information from risks that pose potential consumer harm.
  • The attached document includes a list of public and private sector resources and references that can assist financial institutions with managing cloud computing services.

Suggested Distribution:

FDIC-supervised financial institutions and their service providers

Suggested Routing:

Chief Executive Officer
Chief Information Officer
Chief Information Security Officer

Paper copies of FDIC FILs may be obtained through the FDIC's Public Information Center, 3501 Fairfax Drive, E-1002, Arlington, VA 22226 (1-877-275-3342 or 703-562-2200).

Last Updated: April 30, 2020