Banks' over-reliance on a handful of 'secretive' cloud computing services threatens financial stability, Bank of England warns

Moving key services to the cloud enables efficiencies but increases reliance on a few vendors

The over-reliance of Britain's financial sector on "secretive" cloud providers could disrupt the normal functioning of the financial system, the Bank of England (BoE) has warned.

For the past several years, banks and other financial institutions in the UK have been outsourcing key services to cloud service providers such as Amazon, Google and Microsoft, which not only helps to boost efficiency but can also cut costs for banks.

The trend has accelerated since March 2020, after the Covid-19 pandemic forced the government to impose a lockdown across the country.

While outsourcing work to cloud providers has benefits, the BoE is concerned that it could pose a threat to financial stability, given the limited number of cloud firms and the vast amount of services and data being outsourced.

The Bank warns that in future, big providers could dictate terms and conditions to major financial firms.

"That concentrated power on terms can manifest itself in the form of secrecy, opacity, not providing customers with the sort of information they need to monitor the risk in the service," BoE governor Andrew Bailey told a news conference, as reported by Reuters.

"We have seen some of that going on," he added.

Earlier this week, the BoE's Financial Policy Committee (FPC) also said in a report that additional policy measures were needed to prevent financial instability risks arising from cloud computing.

Such measures will ensure that the BoE can assess the IT infrastructure even when it is run by third parties.

The FPC welcomed the engagement between the BoE, HM Treasury and the Financial Conduct Authority on how to tackle these risks, but said the financial sector needs to seek wider cooperation to mitigate the risk.

"The FPC recognises that absent a cross-sectoral regulatory framework, and cross-border co-operation where appropriate, there are limits to the extent to which financial regulators alone can mitigate these risks effectively," it says in the report.

Bailey recognised that cloud firms may not wish to reveal publicly detailed information on their backend operation, as that may leave them exposed to cyber attacks.

However, he said that cloud providers need to give more information to customers and regulators.

"We have got to strike a balance here," Bailey said.

A Google spokesperson told Reuters that the company was committed to working with regulators and customers to give them controls and assurances on risk management, compliance, transparency and data locality.

The warning from the BoE comes about a month after a major internet blackout caused by US-based CDN provider Fastly, which left many of the world's top websites offline for a brief period.

In November last year, a major outage at AWS impacted thousands of online sites and services, including Amazon's own services.

Amazon later revealed that the outage was caused by adding new servers to Kinesis, and also promised that it would apply lessons learned to improve the reliability of its services.