- The speed and scale at which financial institutions are moving critical operations such as payment systems and online banking to the cloud constituted a step change in potential risks;
- On the one hand, banks and technology companies say greater use of cloud computing is a win-win;
- On the other hand, regulatory sources say they fear a glitch at one cloud company could bring down key services across multiple banks and countries.
More than a decade on from the financial crisis, regulators are spooked once again that some companies at the heart of the financial system are too big to fail. But they’re not banks.
This time it’s the tech giants including Google, Amazon and Microsoft that host a growing mass of bank, insurance and market operations on their vast cloud internet platforms that are keeping watchdogs awake at night.
Central bank sources told Reuters the speed and scale at which financial institutions are moving critical operations such as payment systems and online banking to the cloud constituted a step change in potential risks.
“We are only at the beginning of the paradigm shift, therefore we need to make sure we have a fit-for-purpose solution,” said a financial regulator from a Group of Seven country, who declined to be named.
It is the latest sign of how financial regulators are joining their data and competition counterparts in scrutinising the global clout of Big Tech more closely.
Banks and technology companies say greater use of cloud computing is a win-win as it results in faster and cheaper services that are more resilient to hackers and outages.
But regulatory sources say they fear a glitch at one cloud company could bring down key services across multiple banks and countries, leaving customers unable to make payments or access services, and undermine confidence in the financial system.
The U.S. Treasury, European Union, Bank of England and Bank of France are among those stepping up their scrutiny of cloud technology to mitigate the risks of banks relying on a small group of tech firms and companies being “locked in” to, or excessively dependent on, one cloud provider.
“We’re very alert to the fact that things will fail,” said Simon McNamara, chief administrative officer at British bank NatWest. “If 10 organisations aren’t prepared and are connected into one provider that disappears, then we’ll all have a problem.”
The EU proposed in September that “critical” external services for the financial industry such as the cloud should be regulated to strengthen existing recommendations on outsourcing from the bloc’s banking authority that date back to 2017.
The Bank of England’s Financial Policy Committee (FPC) meanwhile wants greater insight into agreements between banks and cloud operators and the Bank of France told lenders last month they must have a written contract that clearly defines controls over outsourced activities.
“The FPC is of the view that additional policy measures to mitigate financial stability risks in this area are needed,” it said in July.
The European Central Bank, which regulates the biggest lenders in the euro zone, said on Wednesday that bank spending on cloud computing rose by more than 50% in 2019 from 2018.
And that’s just the start. Spending on cloud services by banks globally is forecast to more than double to $85 billion in 2025 from $32.1 billion in 2020, according to data from technology research firm IDC shared with Reuters.
An IDC survey of 50 major banks globally identified just six primary providers of cloud services: IBM, Microsoft, Google, Amazon, Alibaba and Oracle.
Amazon Web Services (AWS) – the largest cloud provider according to Synergy Group – posted sales of $28.3 billion in the six months to June, up 35% on the prior year and higher than its annual revenue of $25.7 billion as recently as 2018.
While all industries have ramped up cloud spending, analysts told Reuters that financial services firms had moved faster since the pandemic after an explosion in demand for online banking and emergency lending schemes.
“Banks are still very diligent but they have gained a higher level of comfort with the model and are moving at a fairly rapid pace,” said Jason Malo, director analyst at consultants Gartner.
No more secrecy
Regulators worry that cloud failures would cause banking systems to fall over and stop people accessing their money, but say they have little visibility over cloud providers.
Last month, the Bank of England said big tech companies could dictate terms and conditions to financial firms and were not always providing enough information for their clients to monitor risks – and that “secrecy” had to end.
There is also concern that banks may not be spreading their risk enough among cloud providers.
Google told Reuters that less than a fifth of financial firms were using multiple clouds in case one failed, according to a recent survey, although 88% of those that did not spread their risk yet planned to do so within a year.
Central bank sources said part of the solution may be some form of mechanism that offers reassurance on resilience from cloud providers to banks to mitigate the sector’s aggregate exposure to one cloud service – with the banking regulator having the overall vantage point.
“Regardless of the division of control responsibilities between the cloud service provider and the bank, the bank is ultimately responsible for the effectiveness of the control environment,” the U.S. Federal Reserve said in draft guidance issued to lenders last month.
FINRA, which regulates Wall Street brokers, published a report on Monday ahead of potential rule changes to ensure that using the cloud does not harm the market or investors.
Being able to switch cloud providers easily when needed is, however, a task that is more easily said than done and could introduce disruptions to business, the FINRA report said.
“The buck stops with us”
Banks and tech firms contest the suggestion that greater adoption of the cloud is making the financial system’s infrastructure inherently riskier.
Adrian Poole, director for financial services in the United Kingdom and Ireland for Google Cloud, said the cloud can be more effective in bolstering a bank’s security capabilities than building them in-house.
British digital lender Zopa said it had moved 80% of its transactions to the cloud and was working to mitigate risks. Zopa Chief Executive Jaidev Janardana said the company was also deliberately leaning on tech firms’ expertise.
“Cloud providers invest a lot of resources in security at a scale that few individual companies could manage,” he said.
Google’s Poole said the company was open to working more closely with financial regulators.
“We may one day see regulators pulling data on demand from regulated banks with cloud-enabled application programming interfaces (APIs), instead of waiting for banks to periodically push data at them,” he said.
NatWest’s McNamara said the bank was collaborating closely with tech firms and regulators to mitigate risks, and had put alternative services in place in case things went wrong.
“The buck stops with us,” McNamara said. “We don’t put all our eggs in one basket.”
One problem, though, is that not all banks, particularly the smaller lenders, have a full understanding of the risks to resiliency that could come with a wholesale shift to the cloud, said Jost Hoppermann, principal analyst at Forrester.
“Some banks do not have the necessary know-how,” he said. “They think doing this will vanish all their problems, and certainly that isn’t true.”