How banking’s big-tech partners could be subjected to regulatory oversight

The growing dependence of UK banks on a few cloud service providers presents a material risk to the nation’s financial stability. What protective measures are the industry’s watchdogs considering?
Canary Wharf seen at dusk

During the 1950s, lengthy power cuts weren’t unusual in the UK, but people were able to shrug them off because most homes and services hadn’t come to rely on electricity. If the grid were to fail completely tomorrow, it would bring down the nation’s telecoms systems and force most of us to buy bottled drinking water – if we could find the cash to pay for it and shops still open to sell it – in a matter of days, according to the Energy Research Partnership.

But electricity is not the only critical service. Seven decades ago, banks could have functioned by candlelight. Today, they rely on cloud computing. Providers of cloud services have become what the government calls critical third parties, which “could affect financial stability and cause harm to consumers if they fail or are disrupted”. The financial services and markets (FSM) bill, which has had its second reading in the Commons, aims to grant the industry’s regulators oversight of those critical third parties. 

Monica Sasso is chief technologist for the EMEA financial services industry at Red Hat, a subsidiary of IBM. She observes that the sector has made dramatic changes to the hardware and software it uses in recent years, including the widespread adoption of public cloud services. 

“In many places this move has evolved, rather than being part of a strategic plan. Meanwhile, fintech firms have been able to scale up quickly because they haven’t needed to maintain hardware or decide where the software is run,” Sasso says. “But at what point does the hardware – that is, the servers in the cloud – become part of their business processes?”

Getting the oversight right

There are good reasons for banks to move to the cloud. It can reduce their costs, increase their resilience and give them access to the latest technological innovations. But most public cloud services are provided by a small number of so-called hyperscalers – particularly Amazon Web Services (AWS), Google Cloud and Microsoft Azure – which gives rise to concentration risk: a failure at one of them could disrupt many banks at once.

What measures, then, could regulators have in mind to manage that risk? 

Simon Crown is a partner specialising in financial regulation at magic-circle law firm Clifford Chance. With the FSM bill at committee stage in the Commons, he believes “it’s unlikely that the Treasury will tie its own hands, or allow regulators to do so, by giving the term ‘critical third party’ a narrow and tightly worded definition”. 

Crown expects the Financial Conduct Authority (FCA) and the Bank of England’s Prudential Regulation Authority (PRA) to issue guidance in light of responses to Operational Resilience: critical third parties to the UK financial sector, the discussion paper they published jointly in July. 

“That may give more colour to the quantitative criteria that will be considered,” he says.

Sasso hopes that this process will stimulate “a conversation about what ‘state of the art’ means – for example, when it comes to security and the software supply chain”. 

Her concern is that, below the container platform layer where the applications are managed, there are several pieces of software and hardware that banks can lose control of when outsourcing. “That comes with benefits and challenges,” she says. “It’s a bit of a dance to get the oversight right.” 

A modern regulatory framework

It’s not that banks aren’t extremely careful when outsourcing such critical infrastructure, stresses Nitesh Palana, director of risk and compliance at Thought Machine, a provider of core banking software.

“They don’t just flip over to us. There’s a whole process that they go through,” he says, adding that this can take months to complete. 

Are banks at risk of getting tied to a particular cloud provider? “Moving from one cloud to another is always a challenge, but there are strategies to manage it,” says Daniel Blander, Thought Machine’s director of security. “The reason we use [the container orchestration system] Kubernetes is that it’s ubiquitous across platforms. It enables us to run services in parallel on different clouds.” 


Kubernetes is designed to manage applications packaged as containers – small, self-contained units of software that run on a wide range of hardware and on each of the major cloud platforms. That portability is one reason why the forthcoming legislation won’t need to apply to pure banking software providers such as Thought Machine. 
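Blander’s point that Kubernetes is “ubiquitous across platforms” holds only as far as a bank’s manifests avoid fields that a single hyperscaler interprets; one load-balancer annotation, StorageClass name or node selector is enough to tie a workload to one provider. The check below is added here as an illustration and is not code from Thought Machine, Red Hat or any cloud provider. It walks a set of Kubernetes objects and reports such bindings. The marker tables are an assumption: a short, non-exhaustive list of common AWS, GCP and Azure annotation prefixes and default StorageClass names. The four sample objects are constructed for the example.

```python
"""Portability check for Kubernetes manifests (added example, not a vendor's code).

Kubernetes objects are portable only as far as they avoid fields that a single
provider interprets. This walks each object and reports keys or values tied to
AWS, GCP or Azure. The marker tables below are an assumption: an illustrative,
non-exhaustive list of provider-specific annotation/label prefixes and the
default StorageClass names the managed services install.
"""
from __future__ import annotations

from typing import Any, Iterator

# Annotation, label and nodeSelector key prefixes that only one provider understands.
PROVIDER_KEY_PREFIXES: dict[str, str] = {
    "service.beta.kubernetes.io/aws-": "AWS",
    "alb.ingress.kubernetes.io/": "AWS",
    "eks.amazonaws.com/": "AWS",
    "cloud.google.com/": "GCP",
    "iam.gke.io/": "GCP",
    "service.beta.kubernetes.io/azure-": "Azure",
    "kubernetes.azure.com/": "Azure",
}

# StorageClass names that exist only on one provider's managed Kubernetes service.
PROVIDER_STORAGE_CLASSES: dict[str, str] = {
    "gp2": "AWS",
    "gp3": "AWS",
    "standard-rwo": "GCP",
    "premium-rwo": "GCP",
    "managed-csi": "Azure",
    "managed-premium": "Azure",
}


def _walk(node: Any, path: str = "") -> Iterator[tuple[str, Any, Any]]:
    """Yield (dotted path, key, value) for every mapping entry, depth first."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else str(key)
            yield child, key, value
            yield from _walk(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from _walk(item, f"{path}[{index}]")


def find_provider_bindings(manifest: dict) -> list[dict[str, str]]:
    """Return one finding per provider-specific key or StorageClass in the object."""
    findings: list[dict[str, str]] = []
    for path, key, value in _walk(manifest):
        if isinstance(key, str):
            for prefix, provider in PROVIDER_KEY_PREFIXES.items():
                if key.startswith(prefix):
                    findings.append({"path": path, "provider": provider,
                                     "reason": f"key {key!r} is {provider}-specific"})
                    break
        if key == "storageClassName" and isinstance(value, str) and value in PROVIDER_STORAGE_CLASSES:
            provider = PROVIDER_STORAGE_CLASSES[value]
            findings.append({"path": path, "provider": provider,
                             "reason": f"StorageClass {value!r} exists only on {provider}"})
    return findings


def portability_report(manifests: list[dict]) -> dict[str, list[dict[str, str]]]:
    """Map 'Kind/name' to its findings; an empty list means no binding was detected."""
    return {f"{m['kind']}/{m['metadata']['name']}": find_provider_bindings(m) for m in manifests}


def providers_in_use(manifests: list[dict]) -> set[str]:
    """The set of providers the workload is currently tied to."""
    return {f["provider"] for found in portability_report(manifests).values() for f in found}


# Constructed sample objects: the YAML equivalent, written as dicts so no parser is needed.
SAMPLE_MANIFESTS: list[dict] = [
    {   # Portable: nothing here names a provider.
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "ledger-api", "labels": {"app": "ledger-api"}},
        "spec": {"replicas": 3, "selector": {"matchLabels": {"app": "ledger-api"}},
                 "template": {"metadata": {"labels": {"app": "ledger-api"}},
                              "spec": {"containers": [{"name": "api", "image": "registry.example/ledger-api:1.4.2",
                                                       "ports": [{"containerPort": 8443}]}]}}},
    },
    {   # Tied to AWS through a load-balancer annotation.
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": "ledger-api",
                     "annotations": {"service.beta.kubernetes.io/aws-load-balancer-type": "nlb"}},
        "spec": {"type": "LoadBalancer", "selector": {"app": "ledger-api"},
                 "ports": [{"port": 443, "targetPort": 8443}]},
    },
    {   # Tied to AWS through the EBS default StorageClass.
        "apiVersion": "v1", "kind": "PersistentVolumeClaim",
        "metadata": {"name": "ledger-data"},
        "spec": {"storageClassName": "gp2", "accessModes": ["ReadWriteOnce"],
                 "resources": {"requests": {"storage": "50Gi"}}},
    },
    {   # Tied to GCP through a GKE node-pool selector.
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "batch-worker"},
        "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "batch-worker"}},
                 "template": {"metadata": {"labels": {"app": "batch-worker"}},
                              "spec": {"nodeSelector": {"cloud.google.com/gke-nodepool": "batch-pool"},
                                       "containers": [{"name": "worker", "image": "registry.example/batch-worker:0.9"}]}}},
    },
]


if __name__ == "__main__":
    for obj, found in portability_report(SAMPLE_MANIFESTS).items():
        print(obj, "portable" if not found else found)
    print("providers in use:", sorted(providers_in_use(SAMPLE_MANIFESTS)))
```

Run as a script, it prints one line per object and the set of providers the sample workload depends on (AWS and GCP). An empty report means only that none of the listed markers was found, not that the workload is portable; the tables should be extended with the annotations, StorageClasses and node labels actually used on the bank’s own platforms, and the check is most useful as a gate in the pipeline that admits manifests to production.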

The providers of the underlying cloud infrastructure, by contrast, will be covered. Could that be a burden? Michael Jefferson, head of UK financial services public policy at AWS, views the bill more as an opportunity for his company to shape the industry’s development. 

“We look forward to working with the Bank of England, PRA and FCA to support a future framework that accelerates the digitalisation and modernisation of the financial sector,” he wrote in a post on the AWS Blog in July. 

Banking on the cloud

Will the watchdogs need oversight of the opaque algorithms used by the machine-learning tech that’s becoming increasingly prevalent in financial services? 

Daniel Schwarz, a senior associate with Clifford Chance and a legal fellow at the Cambridge Centre for Finance, Technology & Regulation, believes it’s “important that regulators have an understanding of these algorithms, so that they can monitor risk. This area is becoming ever more important as both the volume and the velocity of data increase. It will be subject to greater scrutiny.”

Sasso points to another likely topic of interest for regulators: the use of fintech firms by non-banking businesses to offer their customers banking as a service (BaaS).

“The new risk is that a BaaS provider may not have control over who the fintech firm is onboarding as a customer, yet it needs to manage the risk this presents in terms of the anti-money-laundering and know-your-customer requirements,” she says, adding that this calls for the traditional three lines of defence – front office, compliance and internal audit – to adopt a more joined-up approach. 

Despite the sector’s widespread adoption of the cloud, many players are still using at least some legacy IT. Banks in the US are facing regulatory pressure to migrate away from old in-house technologies. The FCA stresses that it is focused on outcomes and doesn’t prescribe which hardware and software to use. It’s unlikely to need to, given that the Bank of England noted in its response to the 2019 van Steenis review of the future of finance that moving to the cloud could cut a bank’s tech infrastructure costs by as much as half. There is only one direction of travel – for both banks and their regulators.