Regulated cloud outsourcing
4. When does cloud outsourcing fall within the scope of the rules?

A bank's engagement of any third party to perform services, including cloud services, does not remove the bank's obligation to operate in a safe and sound manner and to ensure compliance with applicable laws and regulations, to the same extent as if the services or activities were performed by the bank itself.

With respect to broker-dealers ("BDs") and investment advisers, the Securities and Exchange Commission ("SEC") has not defined "third-party cloud service providers" with any specificity in its rules. Rather, third-party providers have been part of the electronic storage media paradigm since the 1997 amendments to SEC Rule 17a-4.

While there are no SEC regulations specific to services provided by cloud vendors, the scope of the SEC's approach to using third parties for recordkeeping and storage has remained broad over the years. SEC guidance in the form of risk alerts and Financial Industry Regulatory Authority ("FINRA") reports for BDs will likely be the way that these regulators continue to set expectations regarding cloud outsourcing.

In addition, the use of a cloud service vendor for data storage by any BD entity would be considered outsourcing under FINRA guidance. Accordingly, a BD must conduct appropriate due diligence before implementing such a vendor's services and must establish procedures for ongoing supervision. These may involve (i) using programmatic checks through business operations, (ii) including the procedures in the contracts with the vendors, (iii) requiring status reports and periodic meetings, and (iv) testing and reviewing the vendor's procedures.

Moreover, in 2015, FINRA undertook a comprehensive review of member firms and published a study that set forth a set of principles and best practices regarding BD approaches to cybersecurity. Notably, FINRA specifically addressed firms' use of cloud service providers and, in particular, stressed the importance of identity and access management in establishing appropriate controls to limit users' access to a firm's systems and data. While the report does not impose new rules on FINRA firms, it makes clear the expectations that regulators have regarding supervision and controls with respect to vendor management.

Similarly, for entities regulated by the Commodity Futures Trading Commission ("CFTC"), neither the CFTC nor the National Futures Association ("NFA") defines "third-party cloud service providers" within its rules, and neither has adopted specific outsourcing rules similar to those found in other jurisdictions. However, both the CFTC and the NFA considered cloud computing while revising their recordkeeping and supervision rules in recent years. Both the CFTC and NFA rules are expressly intended to be technology-neutral and therefore do not address specific types of cloud storage medium vendors.