The Financial Times reported that UK financial regulators are preparing to step up scrutiny of cloud computing providers “amid growing fears that an outage or hack of their services could severely disrupt a banking system increasingly reliant on them”. According to the article, the UK’s Prudential Regulation Authority (PRA), is considering a joint discussion paper with the FCA and Bank of England in 2022, a joint approach, which is consistent with its previous initiatives on operational resilience. The discussion paper would explore the operational risk consequences of UK regulated financial institutions increasingly relying on cloud-based services, particularly from a number of hyperscale cloud providers.
The risk of concentration of services in a handful of IT service providers has been well known for many years, and therefore there is no surprise that the regulators should look at this in more detail more specifically for cloud. Cloud operators, because of their scale and high technical proficiency generally offer very high degrees of resilience for services, distinguishing clearly between the areas for which they are responsible (so called according to Amazon “security of the cloud”) while leaving their customers to be responsible for taking appropriate security measures with regards to data and other security obligations “in” the cloud. However, as the Bank of England’s financial policy committee noted in in its minutes from September 2021 (referenced in the FT article) “additional policy measures, some requiring legislative change, are likely to be needed to mitigate the financial stability risks stemming from concentration in the provision of some third-party services. These policy measures should include: an appropriate framework to designate certain third-party service providers as critical; resilience standards; and resilience testing.”
Since the consolidation of the FCA outsourcing guidelines, where cloud computing was consolidated with other forms of outsourcing, most notably in the European Banking Association’s outsourcing guidelines issued in 2019, cloud has not been separately treated for outsourcing purposes. Other financial services sectors such as insurance are following suit. At the time of the consultation for the outsourcing rules, cloud providers in the responses to the draft guidelines (see in particular page 81 of the final guidance where the responses received are specifically analysed) cloud providers had originally suggested that a lighter framework be created for outsourcing to “multi-tenant service providers” given their standardised services. Operators argued that standardised services cannot comply with all regulatory requirements requiring therefore a proportionate approach to specific issues such as access and audit rights which could be managed on the basis of public certifications rather than detailed access rights. At this point, the EBA took a strict line, and stated clearly “institutions should comply with all regulatory requirements, including with regard to their outsourced functions, independent of the fact that they may be standardised or provided by monopolists”. As such, the obligation has been on financial institutions to ensure compliance with outsourcing regulations, and with recently introduced operational resilience requirements, but the scale and speed of the move to cloud and the subsequent focus on operational resilience has prompted further review.
Most hyperscale cloud providers have been less willing to provide specific individually tailored flow-down terms from the regulated firms’ legal contracts, instead relying on standardised agreements, and industry tailored contract addenda or “patches” which enable firms to assess compliance with regulatory requirements, in particular in relation to audit access to data and other regulatory obligations. It has been a more difficult job for firms to address legal limitations of liability and comprehensive service credit coverage, but arguably these are less important than fully worked operational resilience strategies with regular testing of individual services and on a more systemic basis. Firms have also had to determine whether they are able to require the cloud operators to comply with more individually tailored contract flow-down requirements and it will be interesting to see if this is addressed in the discussion paper.
On the basis of the current reporting, there is no indication that the cloud providers will be directly regulated, although the report will give an interesting insight in to the specific concerns of the UK regulators post-Brexit, and alignment with other regulators, particularly in the European Union and USA, where it is necessary for firms to ensure as standardised an approach to risk irrespective of jurisdiction.
The seven biggest banks in the UK are all heavily using cloud, and we are all invariably going to the same three or four suppliers that they don’t directly regulate.