The Bank of England has said that cloud hyperscalers like Amazon’s AWS and Google Cloud may in future have to comply with minimum resilience standards and testing. The BoE is increasingly worried about banks’ reliance on a small handful of cloud providers, and what this concentration could mean for critical banking services in the event of an outage. A new era of regulatory scrutiny of Big Tech in the banking sphere may be on the horizon.
“This is a big topic both within the UK and internationally,” Victoria Saporta, BoE executive director for prudential supervision, said this week.
Cloud banking systems: a competitive necessity
Banks are rapidly moving critical services like online banking and payment systems to the cloud, because the infrastructure is cheaper, faster, and more resilient than in-house systems.
“At this point, the big cloud providers are introducing valuable IT services at a rate and on a scale that simply can’t be matched by enterprises whose primary business lies elsewhere,” says Jean Atelsek, research analyst at S&P Global Market Intelligence’s 451 Research. “It becomes a competitive necessity to move some services to cloud.”
Indeed, cloud providers such as AWS and Microsoft Azure have introduced specific industry clouds for financial services. Research firm IDC forecasts that banks’ spending on cloud services globally will more than double, from $32.1bn in 2020 to $85bn in 2025.
One of the issues inherent to this trend is that the world’s banks and financial services companies are reliant on a very small number of cloud providers. An IDC survey of 50 major banks worldwide highlighted just six primary providers of cloud services: IBM, Microsoft, Google, Amazon, Alibaba and Oracle.
A Google survey found that fewer than a fifth of the 1,300 financial companies it asked were using multiple clouds in case one should fail, although 88% of these said they were planning to do so within a year.
“[BoE’s announcement] doesn’t feel like a reaction to a failure on any of the providers, but more a way to address critical infrastructure risk as more financial services institutions leverage cloud services,” says Gartner analyst Jason Malo.
Increased regulation on the horizon for cloud banking services?
The BoE’s Financial Policy Committee said in July that additional policy measures would be required to help mitigate these risks. The EU has also proposed that “critical” external services for the financial industry including cloud should face increased regulation.
Big providers’ “concentrated power on terms [and conditions] can manifest itself in the form of secrecy, opacity, not providing customers with the sort of information they need to monitor the risk in the service,” BoE Governor Andrew Bailey said. He added that cloud providers had to be more transparent with banks to help address these issues, and be held to resilience standards.
New resilience standards could include asking companies about the frequency of their drills to ensure disaster recovery, and making sure critical outage remediation practices are in place and that teams are trained to deal with such an eventuality, says Malo.
“Banks may outsource aspects of their IT, but cannot lose their ability to respond to regulators about the technology they use,” says Malo, although he stresses this isn’t about opening up all cloud providers’ data and operations for inspection. “A balance is needed.”
Some central banks have already begun to exercise the right to audit banks’ cloud implementations, says Malo, including the central bank of the Netherlands. “They do still affirm the banks’ continued responsibility, however.”
Moving capabilities to the cloud involves giving up control of the underlying physical assets that power a company’s software. “Given that software embodies the very essence of financial institutions’ value proposition, it’s no surprise that banks want to ensure the integrity of the underlying hardware beyond the service-level agreements that the cloud providers offer by default,” says Atelsek.
“I see the BoE’s move as part of a drip-drip-drip of regulations that (like GDPR) are putting in safeguards in a world where it’s nearly impossible to function without having sensitive information pass through the domains of the tech giants.”