The US financial regulatory landscape comprises multiple regulators covering banking, securities, commodities and derivatives, with varying levels of guidance to the institutions they oversee.

Banks

Yes, banking regulators' guidance on third-party risk management applies to the use of cloud services. In addition, the Federal Financial Institutions Examination Council recently issued a statement on security risk management principles for financial institutions using cloud services. 

Financial institutions are required to take a life cycle view of third-party relationships using a risk-based approach appropriate to the criticality and complexity of the function. This risk management process is the purview of senior management and the board of directors. The initial steps are to consider whether the function can be safely outsourced to a third party and conducting appropriate due diligence, while maintaining robust contingency plans. Written contracts with third parties are required, and they should address the following:

• Performance obligations (including quality metrics) and the consequences of the failure to perform
• Notification of financial difficulty, catastrophic events and significant incidents (including security incidents)
• Notification of significant changes, including acquisitions, subcontracting, offshoring, key personnel changes and material policy changes
• Audit rights and requirements, including independent review
• Legal and regulatory compliance, including data privacy, anti-money laundering and sanctions compliance
• Fee calculations and ensuring no unduly burdensome up-front or exit fees
• Exit rights
• Data and IP ownership
• Confidentiality and integrity of data and systems
• Business continuity
• Limits on liability and indemnification
• Insurance
• Dispute resolution
• Regulatory supervision

The regulatory guidance does not mandate the substance of the terms of the parties' contract; rather, the terms are required to reflect the risk profile of the financial institution for the services contracted.

Finally, the guidance requires financial institutions to conduct ongoing monitoring of the third-party relationship. This includes a periodic assessment of the third-party relationship to determine if the services now include critical activities, and assigning staff with the requisite skills to oversee the third-party provider commensurate with the level of risk and complexity of the relationship. An ongoing risk-based monitoring program should have oversight with respect to the following:

• Business strategy and reputation
• Legal and regulatory compliance
• Financial condition
• Insurance coverage
• Key personnel and institutional knowledge
• Identifying and managing risk prior to audit reporting
• Process for policy changes to address new threats
• Response to service interruption and service quality degradation
• Reliance on subcontractors
• Conflicts of interest and operational and reputational risks
• Confidentiality and integrity of data and systems
• Trending in customer complaints and ability to remediate

Broker-dealers ("BDs")

The rules applicable for broker-dealers, investment advisers ("IAs") and Commodity Futures Trading Commission ("CFTC") regulated entities are record-keeping rules and related interpretation and guidance over third-party providers of electronic storage, rather than rules specifically designed around the concept of cloud storage.

For BDs, the core record-keeping rule for cloud governance purposes is Securities and Exchange Commission ("SEC") Rule 17a-4(f)(3) under the Securities Exchange Act of 1934, with a focus on Rule 17a-4(f)(3)(vii) and related SEC interpretation and staff guidance on electronic data storage providers, including a Division of Examinations ("Safeguarding Customer Records and Information in Network Storage — Use of Third-Party Security Features") OCIE alert. In November 2021, the SEC proposed amendments to this rule, although it does not reference cloud-related requirements specifically.   

In addition for BDs, Financial Industry Regulatory Authority ("FINRA") members continue to be governed by guidance previously issued by the National Association of Securities Dealers in conjunction with the New York Stock Exchange, which presents best practices for supervision and reminds them of functions that may not be outsourced to third parties, such as those functions that must be performed by registered persons. Even for functions that may be outsourced, FINRA member firms are not absolved of responsibility for these functions and they must implement supervisory procedures to ensure they are carried out compliantly. There are also regulatory requirements concerning supervision (FINRA Rule 3110) and business continuity planning (SEC guidance and FINRA Rule 4370), as well as Regulation SP on privacy. The 2005 FINRA Outsourcing Guidance and the FINRA 2015 and 2018 Cybersecurity Reports provide requirements for BDs, particularly around controls and authentication. 

For IAs, they are subject to SEC Rule 204-2, which is the books and records rule for IAs. IA compliance with SEC Rule 17a-4, which is the BD rule, assures compliance with SEC Rule 204-2. 

For entities regulated by the CFTC/National Futures Association ("NFA"), there are four categories of applicable rules:

• Record-keeping rules: CFTC Rule 1.31 and NFA Rule 2-10
• Rules relating to supervising the activities of regulated entities — the futures regulators do not have explicit outsourcing rules, but instead generally mandate that the CFTC entities supervise both employees and agents (i.e., third-party service providers) (these rules are contained in CFTC Rule 166.3, NFA Rules 2-9 (CPOs, CTAs and FCMs) and Rule 2-49 (SDs))
• Privacy/data protection rules contained in CFTC Rule 160.1-5
• Business continuity rules contained in NFA Compliance Rule 2-38 (CPOs, CTAs and FCMs) Rule 2-49 (SDs), CFTC Regulation 23.603 and NFA Interpretive Notice 9052

For BDs, a checklist of key matters is as follows:

1. Audit rights
2. The use of subcontractors — addressed in FINRA guidance, but only at a high level in an OCIE alert or SEC guidance
3. Technical and organizational measures or IT guidelines, including security requirements (e.g., encryption and key management) — only addressed in a general way through SEC and FINRA guidance
4. Business continuity/disaster recovery (including whether any specific BCP measures are required) — the SEC has addressed BCP largely through guidance, while FINRA has provided more specific guidance  

BDs are currently required to: (i) preserve the records exclusively in a non-rewritable, non-erasable format; (ii) automatically verify the quality and accuracy of the storage media recording process; (iii) serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media; and (iv) have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under the rule and as required by the SEC or self-regulatory organizations. An undertaking from the third party is a requirement of the rule.  November 2021 SEC proposed amendments to this rule could eliminate the current requirement that electronic records of BDs be stored solely in a non-rewritable, non-erasable format, also known as "write once, read many" (or WORM) format. The undertaking may also be removed from the rule should amendments be finalized as proposed.

IAs are generally subject to a more principles-based approach as opposed to the prescriptive approach of BDs. 

CFTC/NFA

The core record-keeping rules are CFTC Rule 1.31 (in particular, Rule 1.31(c)-(d)) and NFA Rule 2-10. Generally, records must be retained in a form and manner that ensures the authenticity and reliability of such regulatory records in accordance with applicable law. Electronic records systems must include: (i) systems that maintain the security, signature and data as necessary to ensure the authenticity of the information contained in electronic regulatory records and to monitor compliance with applicable law; (ii) systems that ensure the CFTC entity is able to produce electronic regulatory records in accordance with Rule 1.31, and ensure the availability of such regulatory records in the event of an emergency or other disruption of the CFTC entity's electronic record retention systems; and (iii) the creation and maintenance of an up-to-date inventory that identifies and describes each system that maintains information necessary for accessing or producing electronic regulatory records.

Such records must be available to the regulator promptly upon request in a reasonable form and medium in which the CFTC entity must produce such regulatory records.

NFA Rule 2-10 requires members to maintain adequate books and records necessary and appropriate to conduct its business. The rule's broader requirements are harmonized with CFTC Rule 1.31.

As a general matter, the CFTC and NFA take a principles-based approach to compliance with these (and other requirements). As a result, different CFTC entities may tailor their compliance programs to their specific circumstances.