UK financial regulators to step up scrutiny of cloud computing giants

The Prudential Regulation Authority is concerned at risk of disruption to banks if cloud services fail or are hacked

UK financial regulators are preparing to step up their scrutiny of cloud computing providers amid growing fears that an outage or hack of their services could severely disrupt a banking system increasingly reliant on them.

The Prudential Regulation Authority (PRA) is exploring ways to access more data from cloud providers Amazon, Microsoft and Google, including on the operational resilience of their services, according to sources.

The trio dominate cloud computing, a global market that has boomed as more companies transfer data and IT services to third-party servers run by Big Tech.

All three companies have in recent years struck deals with UK banks, which have turned to them to reduce IT costs, overhaul antiquated infrastructure and capitalise on technologies such as AI to automate customer service and detect financial crime.

Resilience

Although UK banks’ use of cloud computing is covered by the PRA’s operational resilience framework, concerns are mounting over the scale of disruption that could be unleashed if one or more of the services were to fail or be subject to a cyber attack at the same time.

According to people familiar with the PRA’s plans, the regulator is also considering the introduction of more robust outage and disaster recovery tests. The security of customer data remains regulators’ chief worry, but UK banks’ reliance on a handful of providers is also emerging as a concern, the people said.

“We are looking at cloud providers from an operational resilience perspective,” said one person familiar with the regulators’ plans. “Do we need to step in more, how do we get confidence in them? We are starting to consider them critical third parties that we need more oversight of.”

The potential threat to the financial sector was highlighted in early December when an outage at Amazon Web Services, the cloud arm of Amazon, hit a wide range of companies spanning robot vacuum maker Roomba and dating app Tinder.

Since that high-profile failure, regulators around the world have been even more focused on the cloud, according to an executive at a large US bank with UK operations.

The PRA is set to publish a joint discussion paper with the Bank of England (BoE) and the Financial Conduct Authority on issues raised by cloud computing this year, but concerns were already highlighted in the minutes of last September's meeting of the BoE's Financial Policy Committee, which monitors financial stability risks.

The minutes noted that “the increasing criticality of the services that critical third parties provide, alongside concentration in a small number of providers, pose a threat to financial stability in the absence of greater direct regulatory oversight.”

The PRA declined to comment on its plans.

Google said that it was “committed to working with financial services customers and regulators to provide them with controls and assurances on risk management, data locality, transparency, and compliance”.

Amazon Web Services has said that the security of its cloud services is its “highest priority”. Microsoft did not respond to a request for comment.

Regulators are facing a UK banking system being rapidly reshaped by Big Tech companies. Amazon Web Services has struck high-profile deals with Barclays and HSBC, while Lloyds Banking Group has announced partnerships with both Google Cloud and Microsoft Azure.

Forecast

Consultancy McKinsey has forecast that between 40 and 90 per cent of banks’ IT operations globally could move to the cloud within a decade.

UK banks’ data centres were historically subject to periodic regulatory “failover” tests on Sundays, which required lenders to show that data could be instantly transferred between servers.

Now that many banks share the same cloud providers – rather than running their own proprietary IT operations – executives expect the PRA to develop a broader co-ordinated “war game” that models Amazon Web Services and Azure failing at the same time.

“This is a thorny issue, [regulators] are really nervous about it and we’ve spent a lot of time on it in recent discussions,” said one senior UK banker.

“The seven biggest banks in the UK are all heavily using cloud, and we are all invariably going to the same three or four suppliers that they don’t directly regulate.” – Copyright The Financial Times Limited 2022