Regulators worried over UK finance's reliance on a few big cloud providers

Regulators worried over UK finance's reliance on a few big cloud providers

Image:
Regulators worried over UK finance's reliance on a few big cloud providers

Prudential Regulation Authority is looking at banks' rising cloud use as concerns grow about cyber crime and outages

UK financial authorities are worried about the industry's dependence on a limited number of cloud computing providers, leaving banks open to service interruptions and hackers.

Amazon Web Services (AWS), Google Cloud and Microsoft Azure are currently the three biggest cloud service providers in the world, with each firm becoming more engaged in the finance sector.

Banks and other financial institutions in the UK have outsourced important services over the last several years to these cloud providers in order to boost efficiency and cut costs.

The trend has accelerated since March 2020 after the Covid-19 outbreak caused the government to enact a nationwide lockdown.

AWS signed an agreement with HSBC in 2020, while Google arranged similar deals with Deutsche Bank and Goldman Sachs.

Although the Prudential Regulation Authority's (PRA) operational resilience framework covers UK banks' use of cloud computing, there are increasing concerns about the scale of damage that might be unleashed if one or more of the services failed or were the target of a cyberattack at the same time.

"Everything is a candidate for being moved over to the cloud," Gavin Goveia, a partner at Deloitte, who is assisting a client in moving all of their financial applications to Google Cloud Platform in the next two years, told The Telegraph.

According to a recent EY poll, 27% of UK banks want to transfer the bulk of their operations to the cloud by the end of the year.

Such eagerness indicates a big shift in the mindset of banking CEOs, but one that is not surprising given numerous high-profile failures of internal banking systems.

Around 1.9 million TSB customers were locked out of their accounts for up to a week in 2018 due to the transition from old IT systems to a single new platform, which resulted in significant service interruption and instability. Cloud is now seen as a more reliable alternative to maintaining complex in-house systems.

However, there are concerns banks may have too many eggs in too few baskets.

According to Synergy Research Group, the two biggest cloud service providers, AWS and Microsoft Azure, control more than half of the $200 billion worldwide cloud industry.

"Imagine a customer has three different payment cards," said Clare Reynolds, a lawyer at Taylor Wessing.

"If there's an outage at one of those, normally they can just use one of the other bank cards to make that payment. That mightn't be possible if those three banks were using the same cloud provider."

Moving to the cloud creates additional worries about data theft in addition to the possibility of services breaking down.

The sheer magnitude of cloud service providers has made them appealing targets for hostile actors, according to researchers at the London School of Economics.

The migration of banks to the cloud also broadens the influence and strength of Google, Microsoft and Amazon.

Regulators now want to get a handle on these issues.

Earlier this year, it emerged that the PRA was planning to step up its supervision of major cloud providers. According to the Financial Times, the Authority is investigating how to access more data from tech giants, including information on their services' operational resilience.

It is also working with the Bank of England and the UK's Financial Conduct Authority on various issues related to cloud computing, and is expected to publish a paper later this year.