The tech underpinning the world’s financial system is dominated by three cloud operators. Regulators believe that new laws are necessary to manage this concentration of risk
In ditching their outdated, expensive and inefficient operational software for advanced cloud platforms, our tech-addicted banks may have swapped one set of stability risks for another.
Regulators worry that so-called cloud concentration risk – relying on a tiny group of providers to provide key services – could trigger the next global meltdown if left unaddressed.
“If the world’s financial market infrastructure ultimately sits with two or three cloud providers, the risk of one of those going down could easily pose a bigger threat to financial stability than the collapses of Lehman Brothers or Northern Rock, if not managed correctly,” warns Bradley Rice, financial services partner at Ashurst.
In the past decade, banks have flocked to three main providers: Amazon Web Services (AWS), Microsoft Azure and Google Cloud. These three are behemoths, with the scale and resources to handle the data processing, maintenance and security demands of the global financial system.
According to research by S&P Global, about 45% of financial services firms use AWS as their primary provider, with Azure clocking a similar percentage. Those with more than one cloud provider also employ a second from the same trio. Azure is used in some shape or form by 79% of financial services firms.
International and domestic regulators think this dominance is unhealthy. In the UK, the Financial Conduct Authority (FCA), the Prudential Regulation Authority and the Bank of England have all warned of cloud concentration risk. They are meeting industry representatives to stress the dangers of relying too much on the outsourcing of services.
What happens if a cloud provider is taken out by a hostile force or otherwise fails? There are also competition concerns: given the amount of responsibility and power the trio hold, there are fears that they could hold firms to ransom.
“If significant numbers of companies in the industry are running on one cloud provider, that provider becomes a systemically important part of the financial system by default,” notes Bo Svejstrup, executive vice-president of COO functions and data at Danske Bank. “If that provider has an issue that causes services to become unavailable for an extended period, this could create systemic problems at national or even regional levels.”
Cloud adoption has soared during the pandemic. But Covid isn’t entirely to blame for the present situation, according to the head of resilience at one UK investment bank. Commenting anonymously, he says that the City has been shifting operations into the cloud to save money for many years.
“This move has taken place in isolation without wider design or consideration for systemic operations,” the executive says, adding that little thought has been given to what would happen should a cloud provider pull the plug or suffer a widespread failure.
“Literally nobody is doing anything. That’s because most big players – Amazon, Google, Microsoft and so on – do not care about some UK bank dictating that they need to send resilience assurance,” he claims.
Given the software giants’ reluctance to submit themselves to the same forensic examination faced by their finance clients, regulators “will have to row back on some of their expectations and deadlines”, the executive says.
“I hear the same thing – ‘my third parties aren’t playing ball’ – on industry call I go on,” he adds. “It’s not realistic to ask banks to consider alternatives to their cloud systems, because the cost and scale of doing that is not sensible.”
Microsoft, Google and AWS are all declining to comment on this issue, as is the FCA. The Bank of England is making no official comment either, but a Bank executive will at least confirm that it has spoken “a fair bit” about the cloud and its respective risks in the past year.
It considers the matter “significant” and will continue to meet industry representatives, the executive says, adding that new policies and laws will be needed to mitigate the stability risks.
Such legislation will invariably try to catch up with new technology by adding to operational resilience demands, says Jonathan Emmanuel, partner at Bird & Bird. But he says firms should continue to think in terms of perceived risk versus the actual risk of retaining archaic legacy systems.
“Regulators are trying to ease firms into a new way of thinking, but it will not be long before we see some major enforcement action over an operational resilience failure,” Rice adds. “Ultimately, I think we will see regulators around the world regulating critical infrastructure providers, like the cloud providers, data providers and other market infrastructure providers.”
For banks themselves, there is no future scenario where the cloud becomes less important or central to operations.
“Many financial services organisations now see themselves more as technology companies that happen to operate in a regulated sector,” Emmanuel says.
Some have no physical presence whatsoever. Their data is spread across geographies rather than hosted on the premises, as was the norm a decade ago. Starling, one of the most popular banking apps, offers a 100% digital service; it is acutely aware of concentration risk.
“From conception, Starling has deployed its systems and services across multiple clouds which work to back up our data in real time,” says Steve Newson, the bank’s chief technology officer. “By doing this, we ensure that we aren’t dependent on one single third-party supplier and we reduce risk.”
Danske Bank also operates with a multi-cloud strategy, accessing various services from different providers. This ensures the firm isn’t in hock to one supplier should the relationship sour.
“For any service provider, we must have an exit strategy allowing us to migrate the service to another provider or to an in-house solution at any point,” says Svejstrup. This covers the hazards of services being unavailable for whatever reason, including a contract dispute between the bank and its cloud operator.
The way forward is to employ a more rigorous approach to resilience, Svejstrup says. The degree of exposure to different providers should be transparent for both regulator and industry, adding transparency to some complex relationships.
“Every institution needs a clear overview of its exposure to cloud providers as well as clearly defined and well-tested exit plans,” he says.
Industries beyond financial services should also heed the lesson and avoid becoming seduced by a single big-name cloud provider promising to take care of everything.
“This fundamental practice is also good for other sectors that provide systemic and critical functions,” Svejstrup says. “It reduces the risk of outages, instability and poor service quality, whatever you provide.”