Companies like Amazon and Microsoft that offer cloud computing services are becoming systemically important pillars of the financial system. Does that mean they should undergo the kind of regulatory scrutiny that banks receive?
The Bank of England (BOE), which includes the Prudential Regulation Authority (PRA), doesn’t do formal on-site examinations of cloud computing providers, according to a response from the central bank to a Freedom of Information Act (FOIA) request from Quartz. That contrasts with the approach taken across the Atlantic, where the Federal Reserve has visited Amazon’s cloud facilities (paywall) for on-site inspection.
There’s good reason for financial watchdogs to be paying attention to the cloud. Entire banks are now hosted on it, and most major financial institutions engage with vendors that at least use the cloud. Consultancy research signals (pdf, p. 10) that global banks could be reliant on these services for the majority of their workload within a decade. In a sign of cloud computing’s growing importance, Goldman Sachs recently made Amazon Web Services (AWS) executive Marco Argenti a partner and co-chief information officer.
But there are also risks. A handful of big technology companies—notably Amazon, Google, and Microsoft—dominate this service, which raises concentration concerns (they could become a single-point-of-failure risk for the system). And while there are reasons to think the cloud could be more secure from hackers than traditional on-premises data centers, the breach reported in July of Capital One’s cloud servers shows that they are far from bulletproof.
“As fintechs and incumbent financial institutions move services onto cloud platforms, major cloud providers may become systemically important,” according to the Future of Finance review for the BOE that was published this summer. “This means they might be of concern to the financial system as a whole. The small number of service providers could risk becoming a single point of failure.”
Given that cloud computing already underpins an important swath of the financial system, it’s worth asking whether regulators have fallen behind. The BOE said in its response to Quartz’s FOIA that these tech providers “sit outside the financial regulatory perimeter.” It engages with cloud providers through PRA-regulated firms—the companies it formally regulates—to “ensure they continue to meet our expectations for operational resilience,” the BOE said.
The UK’s Financial Conduct Authority doesn’t, as of yet, perform on-site examinations of cloud providers either.
It’s a thorny question for financial authorities who have deep expertise in assessing risk ratios and other financial measurements, but perhaps less history when it comes to measuring technology risks. It’s not necessarily clear that central banks, and other regulators like the FCA, should be expected to have this expertise.
But some regulatory heavyweights see value in on-site visits to cloud providers. Last year, the European Banking Authority (EBA) published guidelines for cloud outsourcing. It recommended that companies using cloud services have a written agreement that gives the competent authority, such as the PRA, full access to cloud operators’ business premises, including all the applicable devices, systems, networks, and data.
In the US, although the Fed has shown its willingness to undertake on-site visits, the central bank’s authority to examine these companies and their technology is limited. The Fed doesn’t regulate AWS or other providers, but it does have some limited authority. The examiners who went to Amazon’s facilities in Virginia earlier this year were focused on backup systems and resiliency, according to the Wall Street Journal (paywall), which reported that the site visit was the first of what is expected to be ongoing oversight.
Technology companies are likely wary of getting deeply entangled with financial regulators, where they might face overlapping obligations from multiple watchdogs. And while on-premise visits aren’t part of the cloud oversight in the UK, these tech providers are already in dialogue with financial authorities.
In the meantime, the BOE is adding talent to prepare for a cloud-dependent financial world. The central bank “is recruiting more diverse candidates, looking beyond its traditional skills to fields such as data science and cloud computing,” the institution said in response (pdf) to the Future of Finance review. Huw van Steenis, who chaired the review, suggested that regulators may have to directly deal with cloud providers, which could become more like regulated public utilities with special certifications.
There is some precedence for the BOE to take on more oversight of a third-party service provider. A company called Vocalink became significant enough within the UK’s payment systems that it was brought into the “regulatory perimeter,” and the central bank now has “direct supervisory responsibility” for the company, according to David Bailey, executive director for financial market infrastructure.
“We have tools that we can use,” Bailey said during a Treasury Committee hearing in the UK parliament about IT failures in July. The PRA plans to publish a consultation later this year that will consider “operational resilience.”
Meanwhile, as they ramp up oversight, watchdogs also risk imposing controls that are so restrictive or confusing that banks and other firms avoid using the cloud. Indeed, the biggest worry in this summer’s Future of Finance review for the BOE seemed to be that UK firms weren’t migrating to the cloud quickly enough. Van Steenis cited a survey by Finastra indicating that 43% of British financial companies said complex regulation was a sizeable barrier to adopting the cloud.
The financial sector’s interest in cloud computing underscores that although there are concerns, it also offers a number of benefits. The technology can slash infrastructure costs and lower the barrier to entry for smaller firms. It could also improve protection against cyber attack because cloud providers tend to invest more in those defenses than most financial companies.
“UK banks and insurers lag global leaders, and many firms I met are keen to take advantage of cloud at scale,” van Steenis wrote.