To answer this question, let's use the NIST definition of Cloud, which is the definition the FFIEC references. By that definition, most financial institution service providers are technically not Cloud. Using the strict criteria outlined by NIST, Cloud providers are services like Dropbox, Gmail, etc., where anybody can sign up and have resources dynamically allocated.
However, many of our clients and some examiners have expanded the definition to include all things web-based. Traditionally known as Software-as-a-Service (SaaS), these services are hosted by the vendor and accessed via a web browser, so they look like a Cloud solution.
To keep data safe in the Cloud, do not use true Cloud services for sensitive data unless you have reasonable assurance of security. For example, copy.com hosted by Barracuda and ShareFile hosted by Citrix are reputable brands that offer relatively secure Cloud file storage. Even when using these services, it is still a good idea to encrypt sensitive data before moving it online.
For banking solutions that may or may not meet the strict definition of Cloud, lean heavily on your vendor management process. Develop a thorough questionnaire and send it to each web-based service provider. Contact us for a sample questionnaire.