Concentration of cloud providers raises financial stability risks
The use of cloud technology is gaining traction among financial institutions due to the efficiency, scale and saving that it affords. Regulators however caution that cloud concentration risks could jeopardise financial stability.
In its July financial stability report, Bank of England (BOE) repeated its warning that the concentration in the cloud services market among a few providers could increase risks to financial stability. This mirrors past pronouncements and guidelines by the Financial Stability Board and Bank for International Settlements on managing third-party risks and dependencies in cloud services.
Cloud outsourcing which enables companies to keep and access data and software through cloud-based shared servers usually operated by third parties, instead of local network, has gained popularity among financial institutions (FIs) as part of their digital transformation. This is especially so as changing customer expectations are forcing FIs to emulate the agility, scale and quality of customer engagement of cloud-native e-commerce and internet firms.
Regulators have also in recent years shifted their stance on the benefits and risks of cloud services. Some continue to prohibit the use of cloud for critical functions without prior approval to taking a more measured approach. Philippines’ Bangko Sentral ng Pilipinas for example recognises that the cloud allows even smaller institutions to access “affordable, elastic, convenient, and attested computing capabilities”.
In December 2019, BOE issued a consultation paper that sets out expectations on outsourcing, including the use of cloud. It published a report a year later to explain how it was evaluating the benefits and risks of cloud use across FIs. It also surveyed the 30 largest banks and 27 largest insurers under its supervision to understand how they use the cloud. It concluded that the provision of IT infrastructure in the cloud is already highly concentrated for banks and insurers.
The survey showed that FIs were using cloud outsourcing primarily for software-as-a-service (SaaS) applications and less for infrastructure-as-a-service (IaaS) facilities, and more so for banks than insurers.
Moreover, it noted that since the start of 2020, FIs have accelerated plans to scale up use of cloud services. This could well be driven by the COVID-19-induced wave of digitalisation that is rippling across economies at large. Indeed, the increased use of digital services since the pandemic has led to central banks such as the Monetary Authority of Singapore to revise their guidelines on banks’ IT risk management and operational resilience, particularly around third-party providers’ vulnerabilities in cybersecurity and susceptibility to cyber-attacks.
While the BOE through the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have strengthened regulation of FIs’ operational resilience and third-party risk management, it said that the increasing reliance on a small number of CSPs and other critical third parties could increase financial stability risks and stressed that greater direct regulatory oversight of the resilience of the services they provide is required.
It also recognises that a cross-sectoral regulatory framework and cross-border cooperation is needed to mitigate these risks effectively.Separately, the industry through independent bodies like the Fintech Open Source Foundation (FINOS), whose membership includes global banks such as Citi, Deutsche Bank, Goldman Sachs and JP Morgan, is creating a common set of controls for cloud services.
The latest caution from the BOE is a timely reminder of the potential risks involved and the need for greater oversight in the current rush to the cloud
Keywords: Cloud Technology, Cloud Outsourcing, Fintech, Agile, Digitalisation, Online Banking