On October 18, 2019, the Task Force on Artificial Intelligence, which is a task force within the House Financial Services Committee (FSC), held a hearing titled “AI and the Evolution of Cloud Computing: Evaluating How Financial Data is Stored, Protected, and Maintained by Cloud Providers.” In a memorandum published before the hearing, the FSC noted that financial institutions have adopted cloud computing for non-core purposes (e.g., human resources, customer relationship management, etc.) while exercising caution when migrating over core services and activities (e.g., payments and retail banking). However, the memorandum notes that over the next five to 10 years, the expectation is that banks will move over more core functions to the cloud. The FSC notes that AI is a component of cloud computing because it helps streamline tasks, improves how data is managed and provides real-time cyber defense.
Financial institutions that use cloud computing and cloud service providers (CSP) have legal compliance obligations when financial institutions use cloud computing to perform both non-core and core functions. For example, federal regulators require CSPs to meet the same regulatory requirements as if the financial institution performed the activities (e.g., complying with the Bank Service Company Act or the Gramm-Leach-Bliley Act (GLBA)). As the FSC memorandum notes, examiners from the Federal Reserve recently visited a large CSP, and the CSP “balked” when the Federal Reserve asked the CSP to provide additional information after the on-site examination. Further, the CSP sought clarity from the Federal Reserve on how the Federal Reserve would use and store that information and who would have access to it. Therefore, the concerns over data privacy run both ways. As numerous witnesses in the hearing and members of the FSC noted, greater clarity from regulators regarding the use of CSPs by financial institutions would be beneficial. This echoed a 2018 Treasury report on Nonbank Financials, Fintech, and Innovation, which noted that “[f]inancial services firms face several regulatory challenges related to the adoption of cloud, driven in large part by a regulatory regime that has yet to be sufficiently modernized to accommodate cloud and other innovative technologies.”
The hearing addressed these compliance issues as well as issues related to consolidation, privacy and security. Below is a summary of the participants’ presentations.
- Meredith Broussard – Ms. Broussard, who is an Associate Professor at NYU and an Affiliate Faculty Member of the NYU Center for Data Science, spoke about cybersecurity and the cloud. Specifically, she voiced her concerns over the security risks presented by consolidation in the CSP industry. She asked whether it made sense for multiple financial institutions to store their data in the same location and noted some of the risks with doing so. Relatedly, she said that because a low number of skilled cybersecurity professionals exist and the CSP industry is top-heavy, more government regulation may be necessary to protect consumers from the risks caused by numerous financial institutions housing their data in a small number of CSPs. Regarding AI, Ms. Broussard addressed how data sets have the potential to discriminate and noted that the critical question was not where the financial institution ran the AI – either via a CSP or on-premises – but how the AI was used (note that the prior Task Force hearing addressed this issue, which we covered here).
- Alla Seiffert – Ms. Seiffert, who is the director of cloud policy and counsel at the Internet Association, spoke on three themes: (1) the shared responsibility between CSPs and their customers, which means that CSPs are responsible for security of the cloud while the customer is responsible for the security and resources they store in the cloud (g., the CSP is responsible for ensuring the integrity of the servers and the physical location, while the bank is responsible for ensuring the security of the mobile app used to access that customer’s data); (2) cloud adoption increases security because it modernizes applications and allows customers better visibility into their networks; and (3) cloud computing increases resilience.
- Steve Grobman – Mr. Grobman, who is a senior vice president and chief technology officer at McAfee, highlighted the benefits for companies that migrate operations to CSPs while also acknowledging that the consequences of security vulnerabilities may be more significant because of CSP concentration, even though the likelihood of any such risk occurring is lower. Mr. Grobman analogized it with the risks associated with driving versus flying, where flying is statistically safer, but when a crash occurs, the consequences are more far-reaching. Regarding the benefits, Mr. Grobman noted that CSPs allow companies to benefit from advanced technology that is generally only available to those with sufficient resources. Regarding AI, Mr. Grobman pointed out that AI is the foundation of cyber defense and that its use helps alleviate the talent shortage. Specifically, Mr. Grobman noted that adversaries are creating attacks to fool AI and that companies are working on making AI more resilient to such attacks.
- Jordan Brandt – Mr. Brandt, who is the CEO and Cofounder of Inpher, discussed how cloud computing and AI are distinct and complementary technologies. Specifically, cloud technology democratizes access to resources, which in turn powers AI to streamline business functions and improve consumer welfare. However, Mr. Brandt noted that the consolidation of personal data into any one entity, which can be mined by AI, poses both an economic risk and a risk to privacy. Mr. Brandt noted that the emergence of privacy-enhancing technologies, specifically those addressing encryption-in-use capabilities, can address the data privacy and security concerns.
- Paul Benda – Mr. Benda, who is the Senior Vice President of Risk Cybersecurity Policy at the American Bankers Association, addressed how cloud technology provides valuable tools for financial institutions to use. Mr. Benda noted that financial institutions are responsible for their data (g., Title V of GLBA requires confidentiality of a customer’s information), whether that information is stored or handled by a financial institution or its vendor on the financial institution’s own system or in a third-party cloud. Mr. Benda noted that risks need to be managed and that the decision to use cloud services should be left to each bank, as the bank is the entity most appropriate to perform the risk-benefit analysis. Mr. Benda noted that while all parties should collaborate to improve cloud security and efficiency – no other industry has such robust regulatory oversight and guidance or an examination structure to ensure that data is protected – it would be helpful for regulators to provide greater clarity concerning their oversight of CSPs.
The question and answer session that followed repeatedly focused on security issues posed by the use of CSPs, including whether and how CSPs can be better trained to understand the financial regulatory requirements imposed on their financial institution clients. Another concern mentioned was the difficulty associated with attribution when an error or breach occurs with a CSP (from the perspective of who may have been at fault and who actually committed the act – Ms. Broussard noted that AI is useful in helping identify and protect against known vulnerabilities but that it struggles with unknown unknowns). Finally, near the end of the question and answer session, Mr. Benda noted the difficulties associated with the need to comply with both state laws – which can vary, sometimes significantly, in their requirements – and federal laws and requested that one harmonized approach be adopted so that banks do not have to answer to “51 masters.”
This was the third hearing of the Task Force on Artificial Intelligence. You can watch the full hearing here. Follow us here as we continue to provide you with information related to this committee’s efforts as well as other news related to AI.