Big Tech, banking policymakers clash over cloud computing

Consolidation of cloud service providers also seemed to trouble some lawmakers. Amazon Web Services controls 48 percent of the cloud computing market, noted Meredith Broussard, a computer scientist who is an associate professor at New York University, in testimony prepared for the hearing. Together, Amazon, Google, Microsoft, and Alibaba “control 76 percent of the worldwide market for cloud computing,” Broussard said.

The transition to cloud computing is “a double-edged sword,” said Rep. Bill Foster (D-Ill.), chair of the task force, at the hearing. While the benefits of cloud computing are many, the growth of cloud computing and its use of artificial intelligence, which works better with large data sets, could “encourage the consolidation that’s already a natural feature of any digital enterprise, which is essentially a natural monopoly,” Foster cautioned. “We have to be very careful” not to “further force consolidation in an already consolidated industry.”

A late adopter

The banking industry was initially a bit reticent to embrace cloud computing because of “a lack of confidence” that cloud service providers could “effectively support the rigorous regulatory requirements and oversight that financial institutions and their vendors must operate within,” said Paul Benda, senior vice president for risk cyber-security policy at American Bankers Association, in testimony prepared for the hearing.

Now, however, financial services companies increasingly find the cloud a viable place to keep their data. The financial cloud market, according to research firm MarketsandMarkets, is expected to experience a compound annual growth rate of 24.4 percent to $29.47 billion by 2021, reported Steve Grobman, senior vice president and chief technology officer at McAfee, in testimony prepared for the hearing.

An advantage of the cloud for banks is that it enables them “to store and process vast amounts of data and to quickly add new computing capacity to meet changing needs,” the Treasury Department wrote in a 2018 FinTech Report. “Advances in big data analytics, machine learning, and artificial intelligence are expanding the frontiers of financial services firms’ abilities to glean new and valuable business insights from vast datasets,” the department wrote. In short, deciding who is the safest bet to give a mortgage to can be a whole lot easier using contemporary high-speed data crunching capability.

At the same time, the tech folks at cloud service providers likely understand any vulnerabilities of the cloud better than their own customers ever will. “Large cloud service providers typically have the resources and expertise to invest in and maintain state-of-the-art and comprehensive IT security and deploy it on a global basis across their platforms,” said Alla Goldman Seiffert, director of cloud policy and counsel at the Internet Association, in testimony prepared for the hearing. The Internet Association represents more than 40 of world’s leading internet companies—including Google, Amazon, and Facebook—and supports the protection of internet freedom.

In contrast, “financial institutions, especially small and mid-sized firms, could find it economically infeasible to achieve similar levels of security on their own,” Seiffert continued.

Pushback on that inspection thing

Even as banks find cloud computing to be more viable and cloud service providers undoubtedly find that having the financial services industry as a client can be lucrative, there has been a bit of a cultural clash between the two.

“The ‘move fast and break things’ ethos” of the tech world “is diametrically opposed to the mindset of compliance,” Broussard said. Banks have been regulated since forever; the Silicon Valley set, not so much.

That means that when federal examiners visited an Amazon Web Services site earlier this year, they did not notice a Capital One data breach involving the theft of 100 million customers’ data in part because Amazon staff apparently pushed back during that visit, Broussard noted, pointing to a Wall Street Journal article chronicling the saga.

Amazon Web Services staff “‘balked’ when asked to provide additional information” and demanded to know how the requested information would be used by government, the House Financial Services Committee Staff wrote in a memo prepared for the hearing.

“Amazon’s IT staff is not necessarily trained in financial industry compliance the way a bank’s IT staff would be,” noted Broussard, who suggested cloud providers’ staff be trained in financial regulatory requirements.

What’s next

“As a nation, we are in a technology arms race with countries like China,” said Jordan Brandt, CEO and cofounder of Inpher—which calls itself a “Secret Computing” company—in testimony prepared for the hearing.

A bill that would strengthen cyber-security for the financial sector has been drafted. It would give the National Credit Union Administration and the Federal Housing Finance Agency “the same oversight of third-party vendors” for credit unions, Fannie Mae, Freddie Mac, and Federal Home Loan Banks “that bank regulators have for third-party vendors of banks,” the House Financial Services Committee staff wrote.

The Gramm-Leach-Bliley Act, the Bank Service Company Act, and banking agency guidance “already provide a robust regulatory framework to oversee bank utilization of the cloud,” Benda maintained. “Additional clarity would be helpful on the roles and responsibilities of regulators with respect to their direct oversight of cloud service providers,” he said.

Some may be concerned that by the time any law is enacted, it might already be out of date given the rapidity of technological change.

“Policymakers should be wary of imposing additional cyber-security mandates and regulations on the private sector, given the strong possibility that out-of-date, check-the-box compliance rules could be the result,” Grobman cautioned.

Lori Tripoli is a writer based in the greater New York City area who focuses on legal and regulatory issues.