Cloud computing giants under scrutiny from Financial Services regulators
The UK’s Prudential Regulation Authority (PRA), which oversees financial stability, is to take steps to bolster banks on the cloud. Data storage is a systemic vulnerability just like financial risk.
The regulator is preparing to step up their scrutiny of cloud computing providers amid growing fears that an outage or hack of their services could severely disrupt a banking system increasingly reliant on them.
The PRA is exploring ways to access more data from cloud providers Amazon, Microsoft and Google, including on the operational resilience of their services.
The trio dominate cloud computing, a global market that has boomed as more companies transfer data and IT services to third-party servers run by Big Tech.
All three companies have in recent years struck deals with UK banks, which have turned to them to reduce IT costs, overhaul antiquated infrastructure and capitalise on technologies such as AI to automate customer service and detect financial crime.
UK Banks in the Cloud
Although UK banks’ use of cloud computing is covered by the PRA’s operational resilience framework, concerns are mounting over the scale of disruption that could be unleashed if one or more of the services were to fail or be subject to a cyber attack at the same time.
According to the PRA’s plans, the regulator is also considering the introduction of more robust outage and disaster recovery tests.
The security of customer data remains regulators’ chief worry, but UK banks’ reliance on a handful of providers is also emerging as a concern.
“We are looking at cloud providers from an operational resilience perspective,” said one person familiar with the regulators’ plans. “Do we need to step in more, how do we get confidence in them? We are starting to consider them critical third parties that we need more oversight of.”
The potential threat to the financial sector was highlighted in early December when an outage at Amazon Web Services hit a wide range of companies, spanning robot vacuum maker Roomba and dating app Tinder.
Since that high-profile failure regulators around the world have been even more focused on the cloud, according to an executive at a large US bank with UK operations.
The PRA is set to publish a joint discussion paper with the Bank of England and the Financial Conduct Authority on issues raised by cloud computing this year, but concerns were already highlighted in the minutes of last September’s meeting of the BoE’s financial policy committee, which monitors financial stability risks.
The minutes noted that “the increasing criticality of the services that critical third parties provide, alongside concentration in a small number of providers, pose a threat to financial stability in the absence of greater direct regulatory oversight.”
Few doubt the vulnerability of the troves of banking data stored on the cloud. Man-made threats range from ransomware to systems failures. Nature could atomise information in a single solar storm such as the Carrington event of 1859.
Banks have been decanting customer data from clunky mainframes to third-party data managers for a decade and more. These groups, led by Amazon Web Services, Microsoft’s Azure and Google, are typically better skilled and resourced than in-house IT departments.
The counter argument is that there are only a few big cloud businesses. That means they concentrate risk. This is one reason many financial institutions have already adopted multi-cloud strategies. Rules on onshoring sensitive information also encourage this. HSBC, for example, uses Google and AWS.
Heavy Hand Vs Softly, Softly
The risk of a heavy-handed approach is already evident in Europe. There, regulators’ desire to coalesce fragmented legislation and level the playing field has resulted in a demanding road map that financial institutions must follow.
The European Commission’s proposed Digital Operational Resilience Act (Dora) aims to bolster financial institutions’ defences against cyber attacks and other risks. Banks have to create a whole new risk management framework.
European nations have also banded together over Gaia-X, a software framework for control and governance that sits on top of existing cloud platforms. UK banks and financial services companies would chafe at provisions as onerous as Dora. That explains why the PRA is proposing a less prescriptive cloud charter.
Regulators are facing a UK banking system being rapidly reshaped by Big Tech companies. Amazon Web Services has struck high-profile deals with Barclays and HSBC, while Lloyds Banking Group has announced partnerships with both Google Cloud and Microsoft Azure.
Consultancy McKinsey has forecast that between 40 and 90 per cent of banks’ IT operations globally could move to the cloud within a decade.
The PRA has, to date, declined to comment on its plans. Google said it was “committed to working with financial services customers and regulators to provide them with controls and assurances on risk management, data locality, transparency and compliance”. Amazon Web Services has said that the security of its cloud services is its “highest priority”.