The UK financial system’s growing reliance on a small number of cloud service providers (CSPs) could be subject to closer regulatory scrutiny, based on the findings of a report by the Bank of England’s Financial Policy Committee (FPC).
The FPC’s biannual Financial stability report sets out to identify areas for banks and building societies to be wary of that could pose a systemic risk to their operations and the overall resilience of the UK financial system.
The financial services sector’s growing use of cloud technologies is one area that the July 2021 edition of the FPC’s Financial stability report flags as a concern, particularly the sector’s growing reliance on the tools and services offered by a relatively small pool of providers.
“Since the start of 2020, financial institutions have accelerated their plans to scale up their reliance on CSPs,” said the report, a nod to how the onset of the Covid-19 pandemic led to a surge in cloud use by financial services companies.
This development has not gone unnoticed by the sector’s regulators, which include the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), said the report, but concerns persist about the risk involved in having so many firms relying on such a small number of providers.
“Although the PRA and FCA have recently strengthened the regulation of firms’ operational resilience and third-party risk management, the increasing reliance on a small number of CSPs and other critical third parties could increase financial stability risks without greater direct regulatory oversight of the resilience of the services they provide,” the report stated.
In the light of this situation, the FPC’s view is that additional policy measures should be pushed through to help mitigate the “financial stability risks” and it is already working with the Bank of England, the FCA and the Treasury to achieve this.
“The FPC recognises that absent a cross-sectoral regulatory framework, and cross-border co-operation where appropriate, there are limits to the extent to which financial regulators alone can mitigate these risks effectively,” said the report.
While the report stops short of calling out specific cloud providers, all three of the major public cloud firms – Amazon Web Services (AWS), Microsoft and Google – are known to have a firm footing in the financial services sector.
Also, all three organisations are known to have made a concerted effort in recent years to court financial services companies through the roll-out of industry-specific offerings and support teams with skills and experience of working with firms in the sector.
And even without the Covid-19 pandemic as a backdrop, the willingness of financial services firms to use cloud has increased markedly over the past decade, with regulators, including the FCA, issuing guidance advising firms within its scope on how to move to cloud in a safe and secure way.