Cloud giants to face greater scrutiny from UK financial regulators

Regulators are working with the Bank of England to assess the potential risks to the UK's financial sector

Image:

Regulators are working with the Bank of England to assess the potential risks to the UK's financial sector

Regulators are concerned about the over-reliance of the UK's financial sector on just three cloud providers

The UK's Prudential Regulation Authority is planning to step up its supervision of major cloud providers such as AWS, Microsoft Azure, and Google Cloud, as concerns grow that a service outage or data breach could seriously disrupt the country's increasingly cloud-reliant banking system.

Citing people familiar with the matter, the Financial Times says the PRA is investigating how to access more data from tech giants, including information on their services' operational resilience.

The PRA's operational resilience framework covers UK banks' use of cloud computing service; however, the regulator is concerned about banks' reliance on a small number of large firms for their online services, especially in light of recent outages. An outage or successful cyberattack could hit the banking system especially hard, with huge knock-on effects.

In July, a report from the Bank of England's Financial Policy Committee (FPC) said that additional policy measures were needed to prevent financial instability risks arising from cloud computing. Such measures will ensure the BoE can assess IT infrastructure even when it is run by third parties, it added.

AWS, Microsoft Azure and Google Cloud are frequently cited as the world's top three cloud providers, with each company becoming more involved in the financial sector.

All three tech giants have struck extensive deals with UK banks in recent years, offering services to boost efficiency and cut costs by migrating businesses from on-premise to the cloud, where customers can take advantage of new technologies like AI.

AWS has agreements with HSBC and Barclays, while Lloyd Banking Group is with Google Cloud and Microsoft Azure.

The PRA is now considering the implementation of outage and disaster recovery tests to assess the potential impact of cloud-related technical issues on banks.

"We are looking at cloud providers from an operational resilience perspective," a person familiar with the PRA's plans told the FT.

"Do we need to step in more, how do we get confidence in them? We are starting to consider them critical third parties that we need more oversight of."

Last month, a massive AWS outage a wide range of companies, including robot vacuum producer Roomba and dating app Tinder, highlighting the potential threat to the financial sector.

Since that incident, regulators worldwide have been paying more attention to the cloud, according to an official at a large US bank with UK operations.

The Prudential Regulation Authority is working with the Bank of England and the UK's Financial Conduct Authority on the issues related to cloud computing, and is expected to publish a paper later this year.

Google says it is committed to working with financial services customers and authorities to give controls and assurances on risk management, data localisation, transparency and compliance.

AWS has said in the past that the security of cloud services is its top priority.

Microsoft did not respond to a request for comment.