New regulations are needed to prevent system failures at hyperscaler cloud firms and other “critical third parties” from endangering the UK’s banking sector, according to a consultation paper from the country’s leading financial regulators.
The document, published jointly by the Financial Conduct Authority (FCA), the Bank of England (BoE) and the Prudential Regulation Authority (PRA), proposes additional rules to strengthen the cyber resilience of cloud service providers (CSPs) working with UK banks. The proposals come amid mounting concern over the international banking sector’s increasing reliance on a handful of major cloud companies.
The consultation paper also proposed new requirements for so-called “Critical Third Parties” (CTPs) designed to improve incident management, mitigate supply chain risks and set up new mechanisms for such firms to provide “certain information and assurance to the regulators, including submitting an annual self-assessment”. Additionally, the three regulators proposed that CTPs should be compelled to immediately notify their customers and regulators about specific disruptions that have implications for the wider financial services sector.
“Financial market infrastructure firms are becoming increasingly dependent on third-party technology providers for services that could impact UK financial stability if they were to fail or be disrupted,” explained Sarah Breeden, the BoE’s deputy governor for financial stability. “The proposals in this consultation paper build on last year’s discussion paper to enable the Bank of England, in coordination with the PRA and the FCA, to manage these systemic risks, while enabling UK FMIs [financial market infrastructure entities] also to benefit from using such providers.”
Cloud, banking and systemic risk
The reliance of financial institutions on public cloud providers has grown markedly in recent years, thanks largely to decreased costs and computational scaling advantages afforded by these providers relative to in-house data centres. Critics also argue that this has led to swathes of the global banking system becoming overly reliant on a handful of cloud companies capable of offering the kind of scale that banks are looking for – namely, so-called “hyperscaler” providers like AWS, Azure and Google Cloud.
According to the consultation paper, this is an issue that has vexed the BoE for at least six years, with the institution’s Financial Policy Committee requesting “annual updates from the financial authorities on the cyber resilience of firms” in its June 2017 Financial Stability Report. Its concern about the potential for outages at, or cyberattacks on, cloud providers to ripple through the UK financial system grew in subsequent years, culminating in regulators being granted new powers to inspect data centre facilities under the Financial Services and Markets Act 2023.
That concern is shared by other international regulators and central banks. In February, for example, the US Treasury Department warned that financial institutions should pay close attention to the integrity of their arrangements with CSPs, lest a lack of in-house technical knowledge expose them to large-scale data breaches. That followed an alert last year from the Bank for International Settlements claiming that the global financial sector’s embrace of cloud computing is “forming single points of failure, and hence creating new forms of concentration risk at the technology services level”.