Banking institutions in the United States and other markets increasingly rely on sophisticated technology to manage customer relations, monitor regulatory compliance, and execute core business functions such as lending. These kinds of technologies, in turn, necessitate corporate governance and risk management arrangements that address the associated risks and vulnerabilities.
In our report, Regulation of Governance & Risk Management: The Intersection of Banking & Technology, we evaluate the regulatory structure for risk management at U.S. banking institutions as compared to technology companies, and we devote special attention to firms that provide cloud services to U.S. banks. In a cloud service outsourcing arrangement, the cloud service provider offers the bank access to computing resources over a network (such as the internet) in a manner that scales automatically with demand and allows the bank to pay based on its usage. Banks use cloud services to support various functions, such as delivering mobile services to clients and processing payments. Cloud adoption by banks has been steadily rising, and this trend is expected to continue.
In parts one and two, we comprehensively review the regulation of corporate governance and risk management at U.S. banking institutions and U.S. technology companies, respectively. In part three, we consider whether the banking approach to the regulation of risk management or the technology approach is better suited for cloud service providers to U.S. banks.
In our review of the regulation of risk management at U.S. banking institutions, we find that the regulatory risk management framework for banks is highly prescriptive, imposing specific and extensive procedural requirements and expectations on boards of directors and senior management. These requirements and expectations envision a top-down approach to risk management, directed by boards and senior management. In contrast, the framework for technology companies requires them to satisfy broad risk management goals or address particular substantive risks, but generally does not impose specific procedural requirements or expectations on particular elements of their organizational hierarchy, such as boards or senior management.
Risk Management Regulation for Cloud Service Providers to U.S. Banks
As banking institutions increase their use of cloud service providers, these providers become increasingly important to the financial system. Thus, banking regulators and supervisors with authority over technology service providers to U.S. banking institutions will have to choose between two general approaches to risk management regulation. On the one hand, regulators can adopt a more centralized and prescriptive approach to the regulation of risk management by cloud service providers, like the existing approach for banking institutions. On the other hand, regulators can adopt a more decentralized and principles-based approach to the regulation of risk management by cloud service providers, similar to the existing approach for technology companies.
In considering which framework is more appropriate, we examine key differences between the risks faced by U.S. banking institutions as compared to cloud service providers. First, because the widespread failure of banks could pose systemic risk to the U.S. financial system, banks have special access to government support, and the resulting moral hazard justifies the more intrusive regulation of governance and risk management at U.S. banking institutions. Meanwhile, the financial collapse of a major technology company would not pose systemic risk, because technology companies (like airlines) could continue to operate in bankruptcy. Because technology companies do not pose the same systemic risk to the financial system as banks, there is no need for a highly prescriptive approach to risk management regulation at cloud service providers.
Second, core bank-related risks, such as credit and liquidity risks, can often be measured and aggregated in a way that provides a high-level picture. This high-level picture facilitates risk management decisions by directors and senior management, who sit at the top of the institutional hierarchy. In contrast, technology-related risks are difficult to measure and aggregate across distinct product lines. Consequently, technology company boards do not generally review product-related issues; senior management uses standardized processes to oversee distinct and specific product-related security and operational issues; and important risk management decisions rest with lower-level teams.
Because technology-related risks are more difficult to aggregate, a decentralized approach to risk management is more appropriate for cloud service providers. Indeed, prescriptive process-oriented requirements on cloud service providers could reduce their ability to respond with speed and flexibility to security and operational vulnerabilities. Moreover, these requirements threaten to impede innovation, and they would impose technology-related decisions on board members who do not always possess the technical expertise to make them.
Based on these important distinctions, we conclude that a decentralized and principles-based approach to the regulation of risk management and corporate governance at cloud service providers and other technology service providers to banking institutions would likely be better suited to address the risks faced by such technology companies than a centralized and prescriptive approach to risk management regulation and supervision would be. Consequently, we recommend that federal banking regulators explicitly acknowledge the utility of the principles-based approach by updating their relevant guidance and policy statements.
Banking regulators have a number of tools to accomplish this. For instance, the Federal Financial Institutions Examination Council should revise its “Supervision of Technology Service Providers” Booklet, which offers guidance to examiners and financial institutions, and its “Management” Booklet, which addresses board oversight of information technology risks, to articulate a principles-based approach to supervision alongside the existing risk-based guidance. The Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency should amend their joint “Implementation of Interagency Programs for the Supervision of Technology Service Providers,” which describes the process that the agencies follow to implement the interagency supervisory programs, to similar effect.
Hal S. Scott, Emeritus Nomura Professor of International Financial Systems, Harvard Law School
Dennis Campbell, Professor of Business Administration, Harvard Business School
John Gulliver, Executive Director, Program on International Financial Systems
The full report can be accessed here.