Stay informed with free updates
Simply sign up to the UK financial regulation myFT Digest — delivered directly to your inbox.
UK financial regulators want to introduce sweeping new rules to ensure that cloud computing giants and the other “critical third parties” relied on by banks and insurers do not endanger the UK’s financial system.
The Financial Conduct Authority, the Prudential Regulation Authority and the Bank of England on Wednesday issued a joint consultation paper setting out proposals to strengthen oversight of providers to the financial sector.
The paper outlined “a set of fundamental rules” as well as more granular requirements for key areas such as cyber resilience and disruption testing.
“Third party service providers often play a vital role in the delivery of important services by banks and insurers,” said Sam Woods, head of the PRA. “These arrangements bring benefits, but also potential risks.”
UK regulators have been increasingly focused on the dangers linked to cloud computing giants and other third parties in recent years as financial firms outsource data storage and processing to a small number of US Big Tech providers.
The BoE is concerned that outages, hacks and other service interruptions could materially undermine the operations of the companies they support, as well as wanting greater guarantees that customer data will be protected.
Regulators were given powers by parliament to tackle these risks in the 2023 Financial Services and Markets Act, which enabled the Treasury power to designate some cloud service providers as critical while strengthening regulators’ rule-setting and oversight capabilities.
“With a concentration of third parties serving multiple clients in financial services, there is, however, a risk of major impact if they are disrupted or fail,” said Nikhil Rathi, chief executive of the FCA.
“These proposals will improve the resilience of the critical third-party services that financial firms and their customers depend on, support market integrity and enhance UK competitiveness and growth.”
Under the proposals, cloud and technology providers would be subject to more robust disclosure requirements, including annual self-assessments and regular “scenario testing” of their ability to provide services during severe disruptions.
Additionally, tech companies would have to notify supervisors of any outages or issues they experience.
Regulators have expressed concern about concentration risk for the UK financial system, given that the US trio of Amazon, Microsoft and Google dominate the market for cloud computing.
Amazon Web Services has struck deals with Barclays and HSBC, while Lloyds Banking Group has contracts with Google Cloud, Microsoft Azure and Thought Machine.
Lenders hope that the partnerships will reduce their IT costs, help them to overhaul antiquated infrastructure and capitalise on AI to automate customer service and detect financial crime.
The consultation runs until March 2024. The BoE said its framework should be “interoperable” with those in the US and EU.
