Financial services sector’s cloud use set for more regulatory scrutiny on resilience grounds

Financial stability report by Bank of England’s Financial Policy Committee raises red flag about banks’ growing reliance on a small number of cloud service providers

The UK financial system’s growing reliance on a small number of cloud service providers (CSPs) could be subject to closer regulatory scrutiny, based on the findings of a report by the Bank of England’s Financial Policy Committee (FPC).

The FPC’s biannual Financial stability report sets out to identify areas for banks and building societies to be wary of that could pose a systemic risk to their operations and the overall resilience of the UK financial system.

The financial services sector’s growing use of cloud technologies is one area that the July 2021 edition of the FPC’s Financial stability report flags as a concern, particularly the sector’s growing reliance on the tools and services offered by a relatively small pool of providers.

“Since the start of 2020, financial institutions have accelerated their plans to scale up their reliance on CSPs,” said the report, a nod to how the onset of the Covid-19 pandemic led to a surge in cloud use by financial services companies.

This development has not gone unnoticed by the sector’s regulators, which include the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), said the report, but concerns persist about the risk involved in having so many firms relying on such a small number of providers.

“Although the PRA and FCA have recently strengthened the regulation of firms’ operational resilience and third-party risk management, the increasing reliance on a small number of CSPs and other critical third parties could increase financial stability risks without greater direct regulatory oversight of the resilience of the services they provide,” the report stated.

In the light of this situation, the FPC’s view is that additional policy measures should be pushed through to help mitigate the “financial stability risks” and it is already working with the Bank of England, the FCA and the Treasury to achieve this.

“The FPC recognises that absent a cross-sectoral regulatory framework, and cross-border co-operation where appropriate, there are limits to the extent to which financial regulators alone can mitigate these risks effectively,” said the report.

While the report stops short of calling out specific cloud providers, all three of the major public cloud firms – Amazon Web Services (AWS), Microsoft and Google – are known to have a firm footing in the financial services sector.

Also, all three organisations are known to have made a concerted effort in recent years to court financial services companies through the roll-out of industry-specific offerings and support teams with skills and experience of working with firms in the sector.

And even without the Covid-19 pandemic as a backdrop, the willingness of financial services firms to use cloud has increased markedly over the past decade, with regulators, including the FCA, issuing guidance advising firms within its scope on how to move to cloud in a safe and secure way.

Simon Hull, head of financial services at technology consultancy BJSS, said it is right for the FPC to be concerned about the dominant hold a small number of very large cloud firms have on the sector.

“One of the drivers for cloud migration is to improve operational resiliency of individual firms and the ecosystem in general, but if there are problems with the underlying infrastructure itself, this could impact thousands of systems at once,” he said.

“Financial service firms themselves understand this and are taking steps to both ensure resiliency and avoid supplier lock-in by introducing different arrangements such as hybrid private/public cloud and using more than one CSP in a multi-cloud strategy.”

At the same time, most cloud service providers rely on multiple datacentre availability zones to ensure resiliency, he added.

“While this should give some comfort, the desire to better understand and manage this risk is natural, however the innovation enabled by cloud technology must also not be unduly stifled. Given its global nature and evolving state, this will require collaboration across regulatory bodies and industry participants,” Hull concluded.
