UK regulators to scrutinise cloud resilience in response to financial services sector's reliance on the fluffy stuff

Banking regulators in the UK are considering closer scrutiny of cloud providers in light of recent outages and the financial services sector's increasing dependence on the computing model.

The Bank of England's Prudential Regulation Authority (PRA) is currently looking into how it can get more access to data and systems used by Amazon, Microsoft, and Google to assess their operational flexibility in response to outages and possible cyber-attacks, according to the FT.

One person with knowledge of the plans said the regulator was looking at cloud providers from an "operational resilience perspective". It needed to step in more to understand how confidence levels in the cloud providers' durability as they are "critical third parties that we need more oversight of," the business daily claimed.

Banks and other financial services are among the stampede of businesses betting the farm on the cloud computing in the hope it can offer "modernisation", flexibility, and reduced cost.

In 2020, Deutsche Bank invited bids from Microsoft, Google, and Amazon before opting for the Chocolate Factory as its cloud provider. Its Oracle applications are run on an on-prem cloud from Big Red.

HSBC has deals with Google and AWS for various cloud services while Lloyds Bank has a collaboration with Google.

Meanwhile, Barclay's works with ASWS and recently opted for the private cloud model supported by HPE.

Some experts can see regulators across the globe getting their teeth into the cloud industry and enforcing greater resilience from providers that have seemingly become “too big to fail”.

Sid Nag, Gartner veep of cloud and edge technology research, told us:

“The top four or five providers control 90 per cent of the market, so the question then becomes, what is the impact of a failure? Our lives are being impacted when a single provider goes down, but they have no sort of backup redundancy. In other words, cloud providers don't have a mechanism where they feel they can hand the traffic to another cloud provider.

“But the time will come sooner rather than later, when regulators will have to get involved and almost force them to do something about these things,” Nag said.

For example, providers could be forced to create a network of second tier cloud companies which can pick up workloads should they fail. “That's a really interesting conversation,” he said.

The PRA was seemingly alarmed by the AWS outage in December last year and how it affected clients.

• Nationwide Building Society's Faster Payments turn into Slower Payments for 2022
• AWS power failure in US-EAST-1 region killed some hardware and instances
• Oh no, here we go again, groans the internet as AWS runs into IT problems. Briefly this time
• Microsoft extends 'outage mode' for Azure Active Directory to bake more resilience into cloudy services

It is set to publish a joint discussion paper with the Bank of England and the Financial Conduct Authority in 2022 to look into the issues raised by cloud computing. A Bank of England Financial Policy Committee meeting last September discussed the "increasing reliance by the financial system on critical third parties, including cloud service providers".

"The increasing criticality of the services that critical third parties provide, alongside concentration in a small number of providers, pose a threat to financial stability in the absence of greater direct regulatory oversight," the minutes said.

"Regulated firms will continue to have primary responsibility for managing risks stemming from their outsourcing and third-party dependencies. However, additional policy measures, some requiring legislative change, are likely to be needed to mitigate the financial stability risks stemming from concentration in the provision of some third-party services."

The PRA declined to comment on its plans.

A Google spokesperson said: "In many instances, public cloud has proven to be more resilient and more secure than on-premise solutions, and the cloud's benefits have come into full view during the COVID-19 pandemic. Google Cloud supports openness, multicloud and the ability for financial firms to freely choose which services and providers best meet their needs. We're committed to working with financial services customers and regulators to provide them with controls and assurances on risk management, data locality, transparency, and compliance."

The Register has contacted AWS and Microsoft for a response.

In October last year, AWS published a blog saying it would continue "to engage with policymakers and financial regulators globally" in response to greater regulatory oversight. ®