UK regulators are taking steps to look under the bonnet of cloud service providers, viewing them as a potential threat to bank resilience. By Justin Pugsley.
What is happening?
The UK’s Prudential Regulation Authority (PRA) recently said it intends to probe deeper into the workings of the leading cloud service providers Amazon Web Services, Microsoft Azure and Google Cloud.
In particular, regulators are concerned about data security and the resilience of these firms. Cloud services come under the banner of outsourcing and generally the regulators leave it to the banks to sort out those arrangements, but hold them responsible if something goes wrong.
But such is the growing importance of cloud services providers, and their concentration, that the PRA clearly feels it needs to understand these firms a lot better. Though it may never directly regulate them, it will nonetheless influence how they provide services to the financial services industry and possibly even the type of services.
And regulators are right to be concerned, as every year a brief cloud outage occurs somewhere in the world. So far these interruptions have not been particularly serious and were quickly addressed. But what if there was a really serious one that lasts weeks or sees a huge leakage of critical customer data?
Why is it happening?
The march into the cloud is nothing new — banks have been doing this for years. The attraction for banks is clear: it enables them to reduce costs and complexity, and to ensure that their software is constantly updated. The latter matters for issues such as cyber security and the growing digitisation of financial services.
Regulators acknowledge those benefits while keeping a beady eye on the progress of these providers. Their concern is that if one of them keels over, it could simultaneously cripple multiple banks. In a worst-case scenario, this could start a domino effect where payments fail and capital markets become severely disrupted.
The likes of the Basel Committee on Banking Supervision and the Financial Stability Board (FSB) have been monitoring the growing use of the cloud by banks. Individual regulators are now steadily taking action to safeguard the financial system from potential problems in the cloud.
Already in the EU there is the Digital Operational Resilience Act, which potentially empowers the three European supervisory authorities to directly supervise technology providers serving the financial industry. And last year, the PRA was calling for more powers to have some legislative rights to oversee the three leading cloud service providers.
What do bankers say?
The big cloud service providers pay a lot of attention to resilience — it is a key part of their offering. If a set of servers goes down somewhere in the world, others in another geography kick in, usually quickly and seamlessly. Also, those services are specifically tailored to client needs, including those in the financial sector. Nonetheless, bankers should welcome the greater involvement of regulators in the operations of cloud service providers. If that involvement leads to more robust cloud services, then there is less chance of one of these providers falling over. After all, customers could not care less whether it is a cloud provider’s fault that they cannot make payments or access their money — they still blame their bank.
Will it provide the incentives?
Cloud providers are rapidly becoming a critical backbone of the global economy and their reach spreads well beyond financial services. This is being heavily driven by digitisation. Nearly every industry, including utilities, food retailers and telecoms, are in some way dependent on them.
This means a significant failure of just one of these providers could have a devastating impact on the global economy. Under those circumstances, it would take far more than central banks printing money to save the day or the authorities conducting a weekend rescue.
Given that cloud service providers are of concern to so many industries, there is a strong argument for them to have their own dedicated national regulators and a global standard setting body. Not only would such bodies have the expertise to properly oversee such entities, and to quickly order remedial actions where necessary, but could also incorporate the concerns of all the other industry regulators.
Unfortunately, it will probably require a crisis for such an outcome. After all, in the banking space, the Basel Committee and FSB were both born out of financial crises.
