This page provides AWS financial institution customers with information about the legal and regulatory requirements in the United States of America (U.S.) that may apply to their use of AWS services. 

Regulations

  • Yes. Financial institutions in the U.S. are permitted to use cloud services, provided that they comply with applicable legal and regulatory requirements, such as those described below.  

  • Financial regulation in the U.S. is carried out by many state and federal agencies based on the legal status of an entity and the types of activities it engages in. The list below identifies several prominent financial regulators AWS customers should be aware of.

    • The principal U.S. banking regulators include the Board of Governors of the Federal Reserve System (Federal Reserve), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC). The Federal Reserve has regulatory and supervisory authority over bank holding companies, state-chartered banks that have chosen to join the Federal Reserve system, certain nonbank companies that support financial infrastructure, and other entities. The OCC regulates and supervises all national banks and federal savings associations, as well as federal branches and agencies of foreign banks, and the FDIC is the primary federal supervisor for state-chartered banks and savings institutions that are not members of the Federal Reserve system. These U.S. banking agencies are responsible for issuing rules and guidance that may affect how customers use AWS.


    • The Federal Reserve, OCC, and the FDIC, along with the National Credit Union Administration, State Liaison Committee, and the Consumer Financial Protection Bureau, together form the Federal Financial Institutions Examination Council (FFIEC). Although the FFIEC does not have direct supervisory responsibilities, it publishes guidance to bank examiners on topics including the use of information technology and third-party service providers.


    • Another key element of U.S. financial regulation is the role of markets regulators. These regulators include the Securities and Exchange Commission (SEC), which supervises securities exchanges, securities brokers and dealers, investment advisors and mutual funds, and the Commodity Futures Trading Commission (CFTC), which supervises a variety of individuals and organizations including swaps dealers and futures commission merchants. The SEC and CFTC also issue rules to their supervised entities relating to cybersecurity obligations.


    • The Financial Stability Oversight Council (FSOC) is empowered by the Dodd-Frank Act to designate certain nonbank entities as systemically important if it determines that a failure or a disruption to such entity’s operations would threaten the stability of the financial markets and the U.S. financial system.

  • Financial institutions in the U.S. may be subject to a number of different legal and regulatory requirements when they use cloud services.

    Some common sources of regulation are identified below:

    FFIEC Guidance: The FFIEC Information Technology Handbook includes several booklets that provide guidance to examiners and financial institutions on identifying and controlling risks associated with electronic banking activities, including risks associated with outsourcing services to third-party service providers.

    U.S. Banking Agency Guidance: The Federal Reserve, the OCC, and the FDIC have each issued guidance to regulated entities that is generally consistent with the FFIEC Guidance.

    Market Regulation: Entities subject to regulation by the SEC and CFTC should consider applicable regulatory requirements when using AWS. For example, the SEC’s Regulation on Systems Compliance and Integrity generally requires covered entities, such as some market utilities, to have policies and procedures in place to ensure an adequate level of integrity, availability, resiliency, capacity, and security for systems that are necessary to maintain a fair and orderly securities market. Entities using AWS to store records should be aware of SEC and CFTC recordkeeping requirements such as the SEC’s Rules 17a-3 and 17a-4 and the CFTC’s Rule 1.31.

  • AWS is committed to offering customers a strong compliance framework and advanced tools and security measures that customers can use to evaluate, meet, and demonstrate compliance with applicable legal and regulatory requirements.

    Financial institutions who are using or planning to use AWS services can take the following steps to better understand their compliance needs:

    1. Consider the purpose of the workload(s) under consideration and the relevant categories of data in order to anticipate which legal and regulatory requirements may apply.

    2. Assess the materiality or criticality of the relevant workload(s) in light of the applicable requirements. For example, the OCC Risk Management Guidance requires more rigorous oversight for certain critical activities.

    3. Review the AWS Shared Responsibility Model and map AWS responsibilities and customer responsibilities according to each AWS service that will be used. Customers can also use AWS Artifact to access AWS’s audit reports and conduct their assessment of the control responsibilities.

    Customers who have further questions about how AWS services can enable their security and compliance needs, or who would like more information, can contact their account representative.

  • Financial institutions in the U.S. using AWS services should also consider applicable privacy requirements, including the General Data Protection Regulation, the Gramm-Leach-Bliley Act (GLBA), and regulations adopted pursuant to the GLBA. The GLBA requires financial institutions to protect certain nonpublic personal information of their customers and to take reasonable steps to ensure that any service provider that is permitted access to customer information is capable of maintaining appropriate safeguards for such information.

    Most GLBA requirements are controlled by the AWS customer. AWS provides means for customers to protect data, manage permissions, and build GLBA-compliant applications on AWS infrastructure. Customers can use AWS Artifact to access AWS’s audit reports to gain assurance about AWS’s controls.

    Financial institutions in the U.S. should also consider any applicable state laws concerning data privacy and related requirements.

    To help customers further understand how they can address their privacy and data protection requirements, customers are encouraged to read the risk, compliance, and security whitepapers, best practices, checklists, and guidance published on the AWS website. This material can be found at http://aws.amazon.com/compliance and http://aws.amazon.com/security.

    If customers process or are planning to process the personal data of data subjects in the European Union (EU), they should visit AWS’s General Data Protection Regulation (GDPR) Center.

Resources

  • Country-specific

    Preparing for the California Consumer Privacy Act

    The California Consumer Privacy Act of 2018 (CCPA) grants consumers various rights with regard to their personal information held by a business that is subject to the CCPA. This document begins with an overview of AWS security and compliance and then addresses the three main subsections of the CCPA: Data Collection, Data Retrieval and Deletion, and Data Awareness.

    Internal Revenue Service (IRS) Publication 1075 Compliance in AWS

    The Internal Revenue Service Publication 1075 (IRS Pub 1075) provides guidance for US government agencies and their agents to protect Federal Tax Information (FTI).

    While the IRS does not publish an official designation or certification for compliance with Pub 1075, AWS supports organizations to protect FTI managed in AWS by aligning our implementations of NIST 800-53 and FedRAMP security controls with the respective IRS Pub 1075 security requirements.

  • General

    Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 on AWS

    This guide provides customers with sufficient information to be able to plan for and document the Payment Card Industry Data Security Standard (PCI DSS) compliance of their AWS workloads. This includes the selection of controls that meet specific PCI DSS 3.2.1 requirements, planning of evidence gathering to meet assessment testing procedures, and explaining their control implementation to their PCI Qualified Security Assessor (QSA).

    Using AWS in the Context of Common Privacy and Data Protection Considerations

    This document provides information to assist customers who want to use AWS to store or process content containing personal data, in the context of common privacy and data protection considerations. It will help customers understand:

    • The way AWS services operate, including how customers can address security and encrypt their content.
    • The geographic locations where customers can choose to store content and other relevant considerations.
    • The respective roles the customer and AWS each play in managing and securing content stored on AWS services.

    AWS Compliance Quick Reference Guide

    AWS has many compliance-enabling features that you can use for your regulated workloads in the AWS cloud. These features allow you to achieve a higher level of security at scale. Cloud-based compliance offers a lower cost of entry, easier operations, and improved agility by providing more oversight, security control, and central automation.

    AWS Operational Resilience

    The purpose of this paper is to describe how AWS and our customers in the financial services industry achieve operational resilience using AWS services.

    Data Classification and Secure Cloud Adoption

    This paper provides insight into classification schemes for public and private organizations to leverage when moving data to the cloud. It identifies practices and models currently implemented by global first movers and early adopters, examines how implementation of these schemes can simplify cloud adoption, and recommends practices to harmonize national requirements to internationally recognized standards and frameworks.

    AWS Policy Perspectives: Data Residency

    This paper addresses:

    • The real and perceived security risks expressed by governments when they demand in-country data residency.
    • The commercial, public sector, and economic impact of in-country data residency policies, with a focus on government data.
    • Considerations for governments to evaluate before enforcing requirements that can unintentionally limit public sector digital transformation goals, leading to increased cybersecurity risk.

    AWS Risk and Compliance

    This document is intended to provide information to assist AWS customers with integrating AWS into their existing control framework supporting their IT environment. This document includes a basic approach to evaluating AWS controls and provides information to assist customers with integrating control environments. This document also addresses AWS-specific information around general cloud computing compliance questions.

    AWS Security Audit Guidelines

    Guidelines for systematically reviewing and monitoring your AWS resources for security best practices.

  • Compliance Programs

    • IRS Pub. 1075
    • CSA
    • ISO 27018
    • FedRAMP
    • ISO 9001
    • PCI DSS Level 1
    • FFIEC
    • ISO 27001
    • SOC
    • SEC Rule 17a-4(f)
    • ISO 27017

Review requirements

We are continually adapting to evolving regulations. Check often for updates.
