With respect to banks, there are no specific laws or regulations that expressly allow or govern the use of cloud services. Banks would be expected to manage a relationship with a cloud service provider in accordance with the general safety and soundness standards applicable to all banks, as well as guidance and guidelines issued by the Federal Reserve Board ("Fed"), the Federal Deposit Insurance Corporationd(collectively, "Banking Agencies"), as well as the Federal Financial Institutions Examination Council ("FFIEC") (an interagency council that prescribes uniform principles and standards for the examination of financial institutions). The Banking Agencies have issued consolidated joint supervisory guidance on sound risk management of all third-party relationships, namely the Interagency Guidance on Third-Party Relationships: Risk Management (Fed Letter SR 23-4; OCC Bulletin 2023-17; FDIC Financial Institution Letter FIL 29-2023). The FFIEC issued the Outsourcing Technology Services Booklet to provide guidance to banks on establishing, managing and monitoring third-party relationships. More recently, it issued the Joint Statement on Security in a Cloud Computing Environment, which highlights examples of bank risk management practices for safe and sound use of cloud computing services.

None of these statements or guidelines are laws or regulations. These documents are intended to provide guidance to banks and bank examiners to assist in evaluating a bank's risk management processes for establishing, managing and monitoring third-party and outsourcing relationships, including third-party cloud computing services. They are a reflection of both regulatory expectations and industry best practices, both of which are continually evolving.

Broker-dealers and investment advisers are permitted to use cloud services, although no statute or rule affirmatively confers this permission, and no relevant regulator has defined the term "cloud services" or "cloud service providers" through rulemaking. Rather, the recordkeeping rules envisage the use of electronic storage providers. Regulatory guidance issued by the Securities and Exchange Commission and the Financial Industry Regulatory Authority has accepted that electronic storage providers may include cloud services.

Entities regulated by the Commodity Futures Trading Commission ("CFTC") may also use cloud services. Both the CFTC and National Futures Association considered cloud services while recently revising their recordkeeping rules; therefore, both accept that CFTC entities will use cloud services.