Banks' growing reliance on cloud computing could pose a risk to financial stability and will require stricter oversight, according to top executives from the UK's central bank.
In a report focusing on financial stability in the UK over the past few months, the Bank of England drew attention to the increasing adoption of public cloud services, and voiced concerns about those services being provided by only a handful of huge companies that dominate the market.
Outsourcing key banking data and services to a small number of cloud service providers (CSPs), said the Bank of England, means that those providers have the power to dictate their own terms, potentially at the expense of the stability of the financial system.
For example, cloud providers might fail to open up the inner workings of their systems to third-party scrutiny, meaning that it is impossible for customers to know if they are ensuring the level of resilience that is necessary to carry out banking operations.
"As regulators and people concerned with financial stability, as (CSPs) become more integral to the system, we have to get more assurance that they are meeting the level of resilience that we need," Andrew Bailey, the Bank of England governor, told reporters in a press conference.
In recent years, financial institutions have accelerated their plans to scale up their reliance on CSPs. From file sharing and collaboration to fraud detection, through business management and communications, banks have used cloud outsourcing both to run software and access additional processing capacity, and to support IT infrastructure.
Until recently, cloud services were used mostly to run applications at the periphery of banking operations, such as HR systems, with no direct impact on financial services. According to the Bank of England, however, this is now changing, with CSPs being called in to process operations that are more integral to the core running of banks.
"We've crossed a further threshold in terms of what sort of systems and what volumes of systems and data are being outsourced to the cloud," said Sam Woods, the chief executive officer of the Prudential Regulation Authority (PRA). "As you'd expect, we track that quite closely."
Last year, the Bank of England opened bidding for a cloud build partner, with the goal of creating a fit-for-purpose cloud environment that could better support operations in a digital-first environment. At the time, the institution said that it had already been in talks with Microsoft's Azure, Google Cloud and Amazon's AWS, and that it would likely be targeting Azure in the first instance. The possibility of adopting a multi-cloud strategy was also raised.
Another advantage of public cloud services is that they are more resilient. The sheer scale of CSPs enables them to implement infrastructure that integrates multiple levels of redundancy, and as such, is less vulnerable to failures.
Moving to the cloud, therefore, is not intrinsically detrimental to banking services – quite the contrary. But the main sticking point, according to the regulators, lies in the concentration of major players that dominate the cloud market. According to tech analysis firm Gartner's latest numbers, the top five cloud providers currently account for 80% of the market, with Amazon holding a 41% share and Azure representing nearly 20% of the market.
"As of course a market becomes more concentrated around one supplier or a small number of suppliers, those suppliers can exercise market power around of course the cost but also the terms," said Bailey.
"That is where we do have a concern and do have to look carefully because that concentrated power on terms can manifest itself in the form of secrecy, opacity, not providing customers with the information they need in order to be able to monitor the risk in the service. And we have seen some of that going on."
As Bailey stressed, part of the reason for CSPs to remain secretive comes down to better protecting customers, by not opening up key information to potential hackers. But the regulator said that a careful balance has to be maintained on transparency, to enable an appropriate understanding of the risks and resilience of the system without compromising cybersecurity.
Leighton James, CTO of UKCloud, which provides multi-cloud solutions to public sector organizations across the country, explained that these issues are not unprecedented, and it is unsurprising to see them trickle down to financial services.
"We're anxious about cloud providers becoming so big that the terms and conditions are pretty much 'take it or leave it'. We've definitely seen that happening already in the public sector, and we can definitely see it happening in the financial services sector if we are not careful," James told ZDNet.
According to James, part of the risk stems from traditional banks attempting to compete against new disruptive players in the sector. Financial institutions are now rushing to overhaul their legacy infrastructure and catch up with the digital-native customer experiences that were born in the cloud and are now widely available thanks to fintech companies.
"It's clearly imperative for the financial sector to modernize and adopt digital technologies," said James. "The question becomes how best they can do that by balancing the risk of digital transformation."
And in this scenario, the risk of placing all of banks' eggs in a handful of CSPs' baskets is too high, argued James.
The Bank of England has similarly urged financial institutions to exercise caution when developing their digital transformation strategies, and is currently in talks with various regulators to discuss how to best tackle those risks.
With cloud concerns widely shared by other nations, especially in the EU, those discussions are likely to become international, and the UK's central bank predicts that global standards will be created to develop a consistent approach to the issue.