FINOS Common Cloud Controls

FINOS Common Cloud Controls (CCC) is a collaborative framework that defines a standardized set of cloud control objectives for financial institutions across major public cloud providers (governance, risk, and compliance).

  • Standardized catalog of cloud control objectives for financial services (governance, risk, and compliance).
  • Common control mapping across multiple public cloud providers to support consistent assessment (multi-cloud security and compliance).
  • Reference material to align cloud implementations with regulatory and supervisory expectations (regulatory compliance).
  • Collaboration mechanism for financial institutions, cloud service providers, and vendors under the FINOS umbrella (industry collaboration).
  • Reusable artifacts to support internal policy frameworks, control testing, and assurance processes (compliance engineering).

More About FINOS Common Cloud Controls

FINOS Common Cloud Controls (CCC) addresses the problem of divergent cloud control frameworks used by financial institutions when adopting public cloud services, which can increase assessment overhead and complicate regulatory engagement. Created under the Fintech Open Source Foundation (FINOS), CCC targets the Governance, Risk, and Compliance (GRC) needs of banks, asset managers, and other regulated entities that must demonstrate consistent control implementation across multiple cloud service providers.

The project provides a catalog of control objectives (governance, risk, and compliance) expressed in terminology appropriate for financial services and mapped to cloud provider capabilities. These control objectives cover domains such as security, resilience, operations, and data protection at a conceptual level, enabling financial institutions to align their own internal controls, policies, and standards with a shared baseline. The framework is designed so that firms can map CCC controls to their existing internal control libraries and external regulatory expectations.

CCC includes structured mappings across major public cloud providers (multi-cloud security and compliance), enabling financial institutions to reuse a single control set when assessing different platforms. This helps reduce duplication in due diligence, risk assessment, and assurance activities, while supporting a consistent narrative for supervisors and regulators about how controls are applied in different environments. The mappings are intended to be updated over time through community contribution under the FINOS governance model.

In enterprise environments, CCC can be used by cloud governance teams, security architecture groups, and compliance functions as a reference layer between regulatory requirements and technical implementation. It can feed into internal control taxonomies, policy documents, cloud onboarding checklists, third-party risk assessments, and evidence collection frameworks. Vendors and cloud providers can also reference CCC when describing how their services or products support relevant control objectives for regulated financial institutions.

FINOS positions CCC within its broader portfolio of open collaboration projects for financial services technology, using open source practices, shared repositories, and community working groups (open collaboration framework). The project is structured to allow extensions, such as additional control mappings, regional regulatory references, or sector-specific profiles, while keeping a common core of control objectives. For directory and taxonomy purposes, FINOS Common Cloud Controls fits in categories such as cloud governance, multi-cloud security and compliance, and regulatory-aligned control frameworks for financial services.