December 7, 2023 (updated 08 Dec 2023 8:48am)

More oversight needed for the banking sector’s cloud arrangements, say UK regulators

The Bank of England, the Financial Conduct Authority and the Prudential Regulation Authority say more needs to be done to protect financial services from cloud outages and cyberattacks.

By Greg Noone

New regulations are needed to prevent system failures at hyperscaler cloud firms and other “critical third parties” from endangering the UK’s banking sector, according to a consultation paper from the country’s leading financial regulators.

The document, published jointly by the Financial Conduct Authority (FCA), the Bank of England (BoE) and the Prudential Regulation Authority, proposes additional rules to tighten and strengthen the cyber resilience of cloud service providers (CSPs) working with UK banks. The proposals come amid mounting concern at the international banking sector’s increasing reliance on a handful of major cloud companies. 

The Bank of England leads a trio of regulators in calling for greater resilience in the cloud market as it pertains to financial institutions. (Photo by William Barton/Shutterstock)

The consultation paper also proposed new requirements for so-called “Critical Third Parties” (CTPs) designed to improve incident management, ameliorate supply chain risks and set up new mechanisms for such firms to provide “certain information and assurance to the regulators, including submitting an annual self-assessment”. Additionally, the three regulators proposed that CTPs should be compelled to immediately notify their customers and regulators about specific disruptions that have implications for the wider financial services sector. 

“Financial market infrastructure firms are becoming increasingly dependent on third-party technology providers for services that could impact UK financial stability if they were to fail or be disrupted,” explained Sarah Breeden, the BoE’s deputy governor for financial stability. “The proposals in this consultation paper build on last year’s discussion paper to enable the Bank of England, in coordination with the PRA and the FCA, to manage these systemic risks, while enabling UK FMIs [financial market infrastructure entities] also to benefit from using such providers.”

Cloud, banking and systemic risk

The reliance of financial institutions on public cloud providers has grown markedly in recent years, thanks largely to decreased costs and computational scaling advantages afforded by these providers relative to in-house data centres. Critics also argue that this has led to swathes of the global banking system becoming overly reliant on a handful of cloud companies capable of offering the kind of scale that banks are looking for – namely, so-called “hyperscaler” providers like AWS, Azure and Google Cloud.

According to the consultation paper, this is an issue that has vexed the BoE for at least six years, with the institution’s Financial Policy Committee requesting “annual updates from the financial authorities on the cyber resilience of firms” in its June 2017 Financial Stability Report. Its concern at the potential ripple effect of outages at, or cyberattacks on, cloud providers on the UK financial system increased in subsequent years, culminating with regulators being granted new powers to inspect data centre facilities in the Financial Services and Markets Act 2023. 

That concern is shared by other international regulators and central banks. In February, for example, the US Treasury Department warned that financial institutions should pay close attention to the integrity of their arrangements with CSPs, lest a lack of in-house technical knowledge expose them to large-scale data breaches. That followed an alert last year from the Bank of International Settlements claiming that the global financial sector’s embrace of cloud computing is “forming single points of failure, and hence creating new forms of concentration risk at the technology services level”.
