Chapter 27: Case Study 1 — Verdant's AWS Migration: The Compliance Checklist They Forgot


Background

Verdant Bank UK is a mid-sized challenger bank regulated by the FCA and PRA. It has approximately £4.2 billion in assets, 340,000 retail customers, and a compliance function of eighteen people led by Maya Osei. Verdant's technology transformation program, launched in 2023, identified cloud migration as a strategic priority. The first major migration — KYC document storage, the repository of identity documents collected during customer onboarding — was selected as a relatively straightforward starting point before the more complex AML system migration.

The KYC document storage system held approximately 1.2 million document images (passports, driving licences, utility bills) and associated metadata. The existing on-premises system used a vendor-managed document management platform running in Verdant's co-location data centre. The migration project was led by the IT transformation team with a target of moving the entire document store to Amazon S3 in eu-west-1 (Ireland) by April 2024.

The migration completed on schedule. The IT team was pleased. The project was closed.

Three months later, during a routine FCA inspection focused on operational resilience and data governance, inspectors asked to review Verdant's cloud governance documentation. What they found prompted a follow-up inspection focused specifically on the KYC document storage migration.


What the FCA Found

The FCA's inspection identified three distinct compliance failures in the KYC document storage migration.

Finding 1: No Formal Vendor Due Diligence on AWS

The IT transformation team had selected AWS based on a commercial assessment — cost, feature set, and existing enterprise relationships. No formal vendor due diligence had been conducted or documented. Verdant had no record of reviewing AWS's ISO 27001 certificate, no record of reviewing AWS's SOC 2 Type II report, no assessment of AWS's sub-outsourcing arrangements, and no documented assessment of AWS's financial stability or incident history.

The FCA's inspector noted that Verdant's Third-Party Risk Management policy required formal due diligence for all material outsourcing arrangements, and that the KYC document storage system plainly constituted a critical or important function given that it held identity documents necessary for ongoing KYC obligations. The due diligence requirement had simply not been applied to the AWS engagement.

The IT team's position — that AWS was "well known" and "obviously secure" — did not satisfy the regulatory expectation. The obligation is to conduct and document due diligence, not to assume that a reputable provider has been assessed.

Finding 2: The Contract Does Not Include the Right to Audit

Verdant's arrangement with AWS was based on the standard AWS Customer Agreement. The standard agreement does not include the enhanced contractual provisions that the EBA Outsourcing Guidelines and DORA Article 30 require of EU firms, and that the PRA's Supervisory Statement SS2/21 and the FCA's SYSC 8 require of UK-regulated firms such as Verdant. Specifically, the standard agreement does not contain the provisions that would give Verdant, its auditors and its regulators the right to access, inspect and audit the controls AWS applies to Verdant's data.

The FCA inspector asked to see the contractual provision giving Verdant the right to audit AWS. Verdant's legal team provided the standard Customer Agreement, which does not contain this provision. The AWS Financial Services Addendum — which does include provisions allowing customers to rely on pooled third-party audit reports — had not been executed. The AWS GDPR Data Processing Addendum had been accepted online (by clicking through), but this addendum does not include the enhanced audit rights required for regulated outsourcing arrangements.

The practical consequence was that Verdant held no contractual right to verify that AWS was maintaining the controls applicable to its KYC document store. In the event of a data security incident, Verdant would have no contractual basis for demanding access to incident investigation findings or AWS's internal audit results.

Finding 3: Backups Configured to us-east-1 — A Data Residency Breach

The IT team had configured Amazon S3 Cross-Region Replication (CRR) to replicate Verdant's KYC document store to a second region for disaster recovery purposes. The destination region selected was us-east-1 (Northern Virginia, USA).

This configuration transferred personal data (the identity documents of Verdant's UK retail customers) to the United States on a continuous basis. Under UK GDPR, a restricted transfer of this kind requires a lawful transfer mechanism: adequacy regulations covering the recipient (for the US, the UK-US data bridge, which covers only recipients certified under the UK extension to the EU-US Data Privacy Framework), the ICO's International Data Transfer Agreement or the UK Addendum to the EU standard contractual clauses (SCCs), or binding corporate rules. No such mechanism had been confirmed. The AWS Data Processing Addendum that had been clicked through online did reference SCCs for UK-to-US transfers, but the addendum had not been formally reviewed by Verdant's legal team, and it was not clear that the SCC provisions covered the specific data flows created by the S3 CRR configuration.

The data residency breach was compounded by a process failure: not only had personal data been transferred to the US for three months without a confirmed legal mechanism, but the configuration had been made by a junior IT engineer without any compliance review. The IT team was not aware that S3 Cross-Region Replication had data protection implications; they understood it as a purely technical resilience decision.


Maya's Remediation Program

Maya received the FCA's provisional findings in a pre-inspection meeting and immediately placed the KYC document storage arrangement under a compliance hold — no further changes to the configuration pending remediation. She then built a remediation program with three parallel workstreams.

The first workstream addressed the immediate data residency breach. The S3 Cross-Region Replication rule to us-east-1 was disabled within forty-eight hours. Disabling a rule only stops new replication; the objects already copied to us-east-1 (including noncurrent versions, since CRR requires versioning on both buckets) remain until they are deleted, and a remediation that leaves the replica bucket in place has not ended the transfer. A replacement disaster recovery configuration was designed using eu-west-2 (London) as the secondary region, so that both copies stayed within the UK and the EEA, which the UK's adequacy regulations cover. A formal data transfer impact assessment was completed for the three months during which data had been replicated to us-east-1, concluding that the AWS DPA's SCC provisions did technically cover the transfer but that the absence of a formal legal review represented a process failure rather than an unlawful transfer. This assessment was shared with the FCA.

The second workstream addressed the contractual gaps. Verdant's legal and compliance teams conducted a full review of the AWS Customer Agreement and identified the additional addenda required. The AWS Financial Services Addendum was negotiated and executed within six weeks, providing the pooled audit right, enhanced data protection provisions, and incident notification terms required by the EBA Outsourcing Guidelines. The AWS GDPR Data Processing Addendum was formally reviewed and the legal team confirmed it was fit for purpose with one supplementary clause added relating to UK GDPR specifically.

The third workstream built the vendor due diligence that should have preceded the migration. Verdant completed a formal AWS due diligence assessment using a standardized framework developed by Maya's team, covering AWS's ISO 27001 certificate (reviewed and filed), SOC 2 Type II report (reviewed and filed with a formal assessment note), sub-processor list (reviewed and approved by the TPRM committee), financial stability (rated "Strong"), and incident history (three significant incidents in the prior twelve months, all resolved within SLA, noted in the assessment).

The FCA's final inspection report acknowledged the remediation program as prompt and thorough. It issued two requirements: that Verdant apply its cloud governance framework retrospectively to all existing cloud arrangements within six months, and that future cloud migrations include a mandatory compliance sign-off before go-live. It did not issue a financial penalty, noting that no customer harm had resulted from the data residency breach and that Verdant had cooperated fully with the inspection process.

Maya subsequently used the KYC document storage case as the primary training scenario for her compliance team's cloud governance education program. "The lesson," she told her team, "is not that the IT team was wrong to choose AWS. It's that IT decisions and compliance decisions are not separate things. Every architecture choice has a compliance consequence, and compliance has to be in the room when the architecture is designed."


Analysis: How the Failures Happened and Why They Are Common

The three failures identified at Verdant — absent due diligence, incomplete contract, and inadvertent data residency breach — are representative of the most common cloud compliance failures identified in regulatory inspections of financial firms.

The due diligence failure is typically driven by an assumption that reputable cloud providers do not require formal assessment. This assumption conflates the provider's general reputation with the firm's specific obligation to document its assessment. The regulatory obligation is procedural as well as substantive: a firm must be able to demonstrate that it assessed the provider, not merely that the provider is well-regarded.

The contractual failure is typically driven by a procurement process that treats cloud services like software licenses — standard terms, click-through agreement, no negotiation. Cloud agreements for regulated workloads must be treated like outsourcing contracts: negotiated, reviewed by legal and compliance, and documented. The compliance addenda available from major cloud providers are often comprehensive, but only if they are actually executed.

The data residency failure is typically driven by the separation between technical decisions and compliance oversight. Disaster recovery configuration is treated as a technical decision; data transfers are treated as a compliance matter. The connection between them, that DR configuration can create data transfers, is not always visible to either party. The solution is to include compliance review in the technical design process for any cloud workload, not only at the point of initial migration but whenever the configuration changes. Where the platform allows it, the approved regions should also be enforced technically (an organisation-level policy that denies creating resources outside them) and checked continuously, because a review step can be skipped and a guardrail cannot.
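A check for the failure mode in Finding 3, and for the continuous review the paragraph above calls for, can be automated. The following is an added example, not code from the case study or from AWS: it audits S3 replication rules against an allowed-region set. It consumes the structures the real S3 APIs return (the ReplicationConfiguration from GetBucketReplication and the LocationConstraint from GetBucketLocation) but runs over constructed sample data, so it works offline; the bucket names, rule ID and account number are hypothetical. Two details matter for correctness: an S3 bucket ARN carries no region, so the destination's region has to be looked up separately, and GetBucketLocation returns a null LocationConstraint for buckets in us-east-1, which is precisely the region a naive comparison would miss.

```python
"""Audit S3 replication rules for destinations outside an allowed region set.

Added example, not code from the case study. Runs on constructed sample data
shaped like the real GetBucketReplication / GetBucketLocation responses.
"""
from __future__ import annotations

from dataclasses import dataclass

# Regions in which the KYC document store, and any replica of it, may live.
ALLOWED_REGIONS = frozenset({"eu-west-1", "eu-west-2"})


def normalize_location(location_constraint: str | None) -> str:
    """Map GetBucketLocation's LocationConstraint to a region name.

    The field is null (or empty) for buckets in us-east-1, and very old
    buckets report the legacy value "EU" for eu-west-1.
    """
    if not location_constraint:
        return "us-east-1"
    if location_constraint == "EU":
        return "eu-west-1"
    return location_constraint


def bucket_name_from_arn(arn: str) -> str:
    """Extract the bucket name from an S3 bucket ARN (arn:aws:s3:::name).

    S3 bucket ARNs carry neither region nor account, so the replication rule
    alone cannot say where the replica lives; the region must be looked up.
    """
    prefix = "arn:aws:s3:::"
    if not arn.startswith(prefix):
        raise ValueError(f"not an S3 bucket ARN: {arn}")
    return arn[len(prefix):].split("/", 1)[0]


@dataclass(frozen=True)
class Finding:
    source_bucket: str
    rule_id: str
    destination_bucket: str
    destination_region: str
    rule_status: str


def audit_replication(source_bucket: str, replication_config: dict,
                      bucket_locations: dict, allowed=ALLOWED_REGIONS) -> list[Finding]:
    """Return one Finding per rule whose destination is not in `allowed`.

    bucket_locations maps bucket name -> LocationConstraint as returned by
    GetBucketLocation. A destination whose region cannot be determined is
    reported rather than assumed safe. Disabled rules are reported too, since
    objects already replicated stay in the destination after a rule is disabled.
    """
    findings = []
    for rule in replication_config.get("Rules", []):
        dest_bucket = bucket_name_from_arn(rule["Destination"]["Bucket"])
        if dest_bucket in bucket_locations:
            region = normalize_location(bucket_locations[dest_bucket])
        else:
            region = "unknown"
        if region not in allowed:
            findings.append(Finding(source_bucket, rule.get("ID", "<no-id>"),
                                    dest_bucket, region, rule.get("Status", "Enabled")))
    return findings


# Constructed sample data (hypothetical names): the configuration as the case
# study describes it (replica in us-east-1) and the remediated one (eu-west-2).
SAMPLE_LOCATIONS = {
    "verdant-kyc-documents": "eu-west-1",
    "verdant-kyc-dr-virginia": None,   # GetBucketLocation returns null for us-east-1
    "verdant-kyc-dr-london": "eu-west-2",
}


def _config(destination_arn: str) -> dict:
    return {
        "Role": "arn:aws:iam::123456789012:role/s3-replication",  # hypothetical
        "Rules": [{"ID": "kyc-dr", "Status": "Enabled", "Priority": 1,
                   "Filter": {}, "Destination": {"Bucket": destination_arn}}],
    }


BEFORE_CONFIG = _config("arn:aws:s3:::verdant-kyc-dr-virginia")
AFTER_CONFIG = _config("arn:aws:s3:::verdant-kyc-dr-london")


def audit_sample() -> dict[str, list[Finding]]:
    """Run the check over both constructed configurations."""
    return {
        "before": audit_replication("verdant-kyc-documents", BEFORE_CONFIG, SAMPLE_LOCATIONS),
        "after": audit_replication("verdant-kyc-documents", AFTER_CONFIG, SAMPLE_LOCATIONS),
    }


if __name__ == "__main__":
    for label, findings in audit_sample().items():
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.source_bucket} rule {f.rule_id!r} ({f.rule_status}) replicates to "
                  f"{f.destination_bucket} in {f.destination_region}, "
                  f"outside {sorted(ALLOWED_REGIONS)}")
```

To run it against a live account, replace the sample dictionaries with the output of `boto3.client("s3").get_bucket_replication(Bucket=name)["ReplicationConfiguration"]` (which raises a ClientError when a bucket has no replication configuration) and `get_bucket_location(Bucket=name)["LocationConstraint"]` for each destination bucket, and schedule it rather than running it once: the point of the analysis above is that the configuration can change after the migration review is over.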


Discussion Questions

1. The FCA found that Verdant had not conducted formal vendor due diligence on AWS despite AWS being a widely used and reputable provider. What is the regulatory rationale for requiring documented due diligence on providers whose security posture is generally considered strong? Is this requirement purely procedural, or does it serve a substantive risk management purpose?

2. Verdant's IT team selected us-east-1 as the disaster recovery region for the KYC document store without any compliance review of the data residency implications. Design a governance process that would prevent this type of technical decision from being made without compliance input. What are the practical challenges of embedding compliance oversight into technical architecture decisions?

3. The FCA did not issue a financial penalty in this case, noting the absence of customer harm and Verdant's cooperation. Evaluate whether the absence of customer harm is a sound basis for penalty mitigation in data residency breach cases. What harm, if any, did the three-month US data transfer actually cause?

4. Maya's remediation program included retroactive application of the cloud governance framework to all existing cloud arrangements. This is a significant resource commitment for a compliance function of eighteen people. How should a compliance function prioritize a retrospective cloud governance review when it cannot assess all arrangements simultaneously? What criteria should drive the prioritization?

5. The AWS Financial Services Addendum provides the contractual protections required by DORA and EBA outsourcing guidelines. However, the standard AWS Customer Agreement does not. Given that major cloud providers publish these addenda and make them available, why do you think firms frequently fail to execute them? What process changes would systematically close this gap?