Finance in the cloud: Why are regulators concerned?
As finance in the cloud becomes more of a reality, regulators are targeting strict controls against cloud lock-in and its risks
The business world relies on cloud services to an increasing extent, as organizations migrate more services to the cloud and embrace cloud-native microservices. Organizations across a range of sectors have already unlocked the benefits of cloud services such as improved scalability.
Even as these benefits have been realized, regulators have expressed objections to what they see as overreliance on limited cloud service providers (CSPs) by key institutions. In October 2023, communications regulator Ofcom asked the Competition and Markets Authority (CMA) to investigate the hold that the major CSPs have over the public cloud infrastructure market.
The relationship between financial services and the cloud and the spread of finance in the cloud in recent years has also been placed under particular scrutiny. A discussion paper by the Bank of England (BoE) and the Financial Conduct Authority (FCA) published in 2022 examined how the cloud hyperscalers are tackling the financial market.
There are undoubtedly some nervous figures among the regulators as more institutions are turning to the cloud. It’s been a slow process, as early concerns over security and the protection of customer data eased and banks got on board with the cross-sector technology that had so far passed them by.
Much has changed when it comes to finance in the cloud. Banks are now progressing with some speed, having so far moved 15% of their workload to the cloud according to a 2023 Accenture survey. This is nearly double the amount moved in 2021 – but it’s clear the market still has a huge opportunity for growth from this relatively low number.
This shift has thrown up a range of issues that have concerned treasury officials and financial regulators on both sides of the Atlantic, with the US and the EU both looking to address the issue.
Finance in the cloud: what are the risks?
In the UK, Ofcom has accused hyperscalers Microsoft and AWS of limiting competition in the cloud market through vendor ‘lock-in’ that allegedly impedes custoemrs and cloud competitors. Though contested by Microsoft and AWS, these claims have by extension raised concerns around the potential impact of limited cloud competition on financial services.
Cloud Pro Newsletter
Stay up to date with the latest news and analysis from the world of cloud computing with our twice-weekly newsletter
The BoE’s 2022 discussion paper highlighted three main areas of concern:
The US Treasury has also addressed these fears and has raised the issue of competition. It contends that by concentrating within the cloud, financial services could expose their clients to cyber attacks, cloud outages, or other region-wide risks. Finance is among the most targeted industries for cyber attacks, necessitating as many steps to protect financial institutions to be taken as possible.
Maximize the value of the cloud and bring your technology, business, and finance teams together
DOWNLOAD NOW
This is precisely the issue that Ofcom is looking to address. In a statement, the watchdog said “Our market study has identified features that make it more difficult for UK businesses to switch and use multiple cloud suppliers. We are particularly concerned about the position of the market leaders Amazon and Microsoft.”
David Terrar, chief executive of cloud computing business group the Cloud Industry Forum is well aware of some of the discussions. “The October Ofcom report has triggered the CMA investigation,” he tells ITPro.
“And I know the FCA is talking about regulation for AI.”
Terrar also highlights the BoE’s intervention “They have raised three issues: concentration of data centers; concentration of financial services firms that operate data centers; and concentration of cloud service providers themselves. According to the BoE, addressing these issues will be necessary to prevent systemic risk in the banking system.”
Finance in the cloud: what are the benefits and steps to safety?
In a 2023 update, the BoE and FCA have called for greater operational resilience enforcement when it comes to financial services and the cloud. Under new powers established in the Financial Services and Markets Act 2023, regulators can designate third-party service providers such as CSPs as ‘critical third parties’ (CTPs). These CTPs could be compelled to meet new supply chain risk management standards and be far more transparent around incidents that affect their core services.
Given the nature of the business, banks are always going to be highly security-conscious– this is one of the reasons why the sector has been so slow to move to the cloud in the first place. But there’s been a definite shift in opinion about security and while Terrar appreciates the financial regulators’ concerns, there is plenty of evidence to suggest those fears can be allayed.
“We've got major banks, the BoE itself, the Ministry of Defense, the Ministry of Justice, the NHS, and then major corporations putting their trust in cloud technology. Trusted cloud technology and services underpin the UK's digital economy,” he says, while acknowledging the ever-present need to take cyber security seriously in the face of increasingly sophisticated criminals. "Cybersecurity is an arms race, and the threat landscape gets broader and tougher all the time, and we have to keep pace with it and take responsibility for the way we defend ourselves.”
The BoE has acknowledged there are a range of benefits associated with CSPs with particular gains to be made by financial services firms including improved efficiency, reduced costs, hastened sustainable transformation and reduced energy bills, and improved partnerships with customers. It also noted that in contrast to many of the security fears surrounding the use of CSPs, cloud services often improve upon the operational resilience of firms’ existing IT infrastructure and ease reliance on outdated, legacy tech.
Finance in the cloud: What's next for financial services?
Cloud providers have declined to discuss the pending investigations in any great depth and this is unsurprising. “As cloud becomes more prevalent in the financial services industry, we expect and have been preparing for greater regulatory oversight,” a Microsoft spokeswoman told ITPro. “We are committed to supporting our customers throughout this transition and building trust with governments and enterprises worldwide.”
This stance was mirrored by Google. “Cloud has emerged as an important driver of innovation for the financial industry across the globe. In many instances, the public cloud has proven to be more resilient and more secure than on-premise solutions. Google Cloud supports openness, multi-cloud, and the ability for financial firms to freely choose which services and providers best meet their needs. We're committed to working with financial services customers and regulators to provide them with controls and assurances on risk management, data locality, transparency, and compliance,” said a Google spokeswoman.
The move towards cloud is not slowing down any time soon and there’s little prospect of new cloud operators emerging to challenge the big three players. The BoE’s and FCA’s proposed framework could pave the way forward in 2024 and 2025, internationally as well as domestically as its authors proposed the regime could be made interoperable with the US’ Bank Service Company Act and the EU’s Digital Operational Resilience Act (DORA).
Max Cooter is a freelance journalist who has been writing about the tech sector for almost forty years.
At ITPro, Max’s work has primarily focused on cloud computing, storage, and migration. He has also contributed software reviews and interviews with CIOs from a range of companies.
He edited IDG’s Techworld for several years and was the founder-editor of CloudPro, which launched in 2011 to become the UK’s leading publication focused entirely on cloud computing news.
Max attained a BA in philosophy and mathematics at the University of Bradford, combining humanities with a firm understanding of the STEM world in a manner that has served him well throughout his career.