IBM Cloud compliance programs

Industry compliance regulations impose additional requirements on organizations handling sensitive data, or those that engage in certain types of commerce. IBM Cloud® infrastructure and platform-as-a-service (PaaS) offerings can help your organization meet sector-specific compliance requirements with services that support key industry programs.

IBM Cloud for Financial Services™ is a first-of-its-kind cloud designed to help financial institutions (FIs) modernize faster by mitigating risk and accelerating cloud adoption for even the most sensitive workloads. With security and controls built into the platform, not just offered as tools or DIY features, FIs can automate their security and compliance posture, making it easier for them and their digital supply chain partners to simplify risk management, demonstrate regulatory compliance and speed innovation.

Central to IBM Cloud for Financial Services is the IBM Cloud Framework for Financial Services, which provides a common set of automated, preconfigured controls that are applied across IBM Cloud services, third-party applications and financial institution workloads.  Created in collaboration with major FI experts, the controls are designed to align with industry standards and global regulatory bodies. The framework is frequently validated with advice from the IBM Financial Services Cloud Council, and guidance from Promontory Financial Group®, an IBM Company and a global leader in regulatory compliance consulting.

The IBM Cloud for Financial Services European Regulatory Guide (PDF, 2.7 MB) maps selected EBA, EIOPA, and ESMA provisions to IBM references that indicate how IBM supports clients in meeting featured guidelines.

AUP Report

The IBM Cloud for Financial Services Agreed Upon Procedures (AUP) Report was commissioned by IBM and completed by a big four public accounting firm in accordance with the American Institute of Certified Public Accountants (AICPA). The report demonstrates to IBM Cloud for Financial Services clients that IBM Cloud services have been implemented against, and adhere to, the IBM Cloud Framework for Financial Services technical, administrative and physical control requirements.

To request a copy of the report, please contact your IBM Representative. 

The Center for Financial Industry Information Systems (FISC) was created by the Japanese Ministry of Finance to conduct research on topics that are related to financial information systems in Japan. FISC created guidelines to promote the security of information systems within the banking and financial industries. These FISC guidelines, though not mandated by law, are recognized and used by most Japanese financial institutions in the design and maintenance of their information systems.

The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) established data security and privacy requirements for the storing and processing of protected health information (PHI and e-PHI). Entities that are subject to HIPAA must implement a set of technical, administrative and physical controls which are designed to secure this protected health information. 

IBM clients who are subject to HIPAA and who wish to use IBM Cloud products to manage or process PHI must enter into a Business Associate Agreement (BAA) with IBM.

To request the list of IBM Cloud services that are HIPAA-ready in addition to the ones listed below: Contact an IBM representative

Clients can build HIPAA-ready environments and applications using IBM Cloud. Read the guide (PDF, 1.7 MB).

IBM Cloud platform services ready for use with PHI and HIPAA (BAA required) include:

United States International Traffic in Arms Regulations (ITAR) controls the export of defense-related articles from the US. ITAR requires that no non-US person can have physical or logical access to the data stored in ITAR-compliant environments. 

IBM Cloud platform provides both federal and commercial offerings that support ITAR.

The United States Securities and Exchange Commission (SEC) is a government agency that enforces federal securities laws, proposes new regulations and regulates the security exchange. SEC Rule 17 CFR 240.17a-4(f) outlines electronic storage media, data retention, and preservation requirements for broker-dealer books and records.  This rule requires that broker-dealer records are stored in a manner that prevents the alteration or deletion of records for required retention periods.

Independent assessor Cohasset Associates has validated that IBM Cloud Object Storage, when Immutable Object Storage features are appropriately configured and applied, retains records in non-rewriteable, non-erasable format and meets the relevant storage requirements of SEC Rule 17a-4(f), Financial Industry Regulatory Authority (FINRA) Rule 4511 (c), and Commodity Futures Trading Commission (CFTC) in 17 CFR § 1.31(c)-(d).

View the Cohasset Associates SEC 17-a4(f) Assessment Report (PDF, 613 KB)