Financial services companies gain efficiencies by using cloud technology, but reliance on a small number of "big tech" IT providers also brings concentration risk and could lead to uncompetitive pricing.
Following concerns from the Financial Stability Board, or FSB, and the Bank for International Settlements, which said an outage at one of the major cloud providers could trigger "financial instability," bank regulators will need to come up with more targeted rules governing third-party providers to nip potential systemic risks in the bud, industry insiders say.
Amazon Web Services Inc. and Microsoft Azure have the lion's share of the public cloud market for financial services in the U.S. and Europe, the Middle East and Africa, according to 451 Research, an S&P Global Market Intelligence company. Some 45% of financial services respondents to a 2019 market survey said they use AWS as their primary cloud provider, with a further 45% saying they use Microsoft Azure. Banks often use more than one cloud provider, but tend to pick their second from the same small pool of firms, according to 451 Research data. A total of 69% of financial companies said they use AWS, 79% Microsoft Azure and 21% Alphabet Inc.'s Google Cloud Platform.
Banks are using cloud outsourcing for an increasing number of use cases, from fraud detection to communications. It could help them cut tech infrastructure costs by 30% to 50%, and it offers greater security and flexibility for smaller companies in particular, according to a 2019 Bank of England report.
But there are risks, including that of concentration. The top four cloud providers have a 65% market share among U.K. financial services firms, it said, without naming the providers.
A heavy reliance on a small number of big tech companies means there would be an outsize impact on financial services if there were to be some kind of failure at one of them, according to Lisa Quest, U.K. and Ireland head of public policy at Oliver Wyman.
"A single point of failure [in outsourced infrastructure] could create systemic issues," she said in an interview.
Simon Briskman, partner at law firm Fieldfisher, agreed that concentration could lead to systemic risks. Banks are using the cloud more intensively, and this raises questions about how they would cope if there were a supplier outage, he said in an interview.
"Supervisory authorities will have to ask themselves about the robustness of cloud providers," he said.
Cybersecurity is another concern, according to Virginie O'Shea, founder of Firebrand Research, a financial technology consultancy company focused on capital markets.
"From the perspective of regulators, concentration of the financial services industry in using one or two cloud providers — if all of a firm's stack is only in one cloud — is risky from a cybersecurity standpoint," she told S&P Global Market Intelligence.
The dominance of a small number of big tech firms also risks leading to uncompetitive pricing, she said.
"This is a big concern for firms because of the lack of interoperability between providers — essentially you are beholden to the cloud provider if your cloud-native technology has been built using all of their tools," she said. "This could mean less-than-favorable pricing schemes for clients due to the lack of an ability to negotiate."
Banks can mitigate risks by making sure that they use multiple cloud providers, and that they do not use a single cloud provider for too many custom-built tech tools, according to O'Shea.
There is a "giant paradox" around the cloud that has not been lost on the regulator, according to Mark Lewis, senior consultant, commercial practice: cloud, fintech and outsourcing, and Joy Davey, senior solicitor, financial services regulation practice: financial services outsourcing and cloud, both at law firm Macfarlanes.
Concentration risk arises due to the fact that financial services firms flock to the same three providers — AWS, Google and Microsoft — because they have invested heavily in security, maintenance and data centers across the world in a way that other competitors would struggle to match, they told S&P Global Market Intelligence.
Taming 'big tech'
For Briskman, it seems inevitable that financial regulators will subject cloud outsourcing to greater scrutiny. The problem is that, in the U.K. at least, the Financial Conduct Authority does not have the statutory powers to regulate IT giants that are not providing regulated activities — as is the case with cloud provision, he said.
Oliver Wyman's Quest said the growing participation of big tech in financial services may mean that regulators have to look beyond the traditional, sector-oriented supervision. While the FSB and the BIS have an "extremely important" role to play, the moment may have arrived for a new breed of cross-industry regulator, she said.
"To have some kind of digital-specific, supra-national standard-setting body would be really useful," she said in an interview.
In the meantime, some industry participants are taking matters into their own hands.
FINOS, the Fintech Open Source Foundation, an industry body that counts Goldman Sachs Group Inc., Morgan Stanley and HSBC Holdings PLC among its members, is in the process of developing standards for the use of cloud services in banking.
"One obstacle we're hearing our bank members bring up in particular is the lack of common controls and control tests across cloud providers," Rob Underwood, chief development officer at FINOS, said in an email.
FINOS launched a Cloud Service Certification project in late 2018, spearheaded by JPMorgan Chase & Co., which aims to forge common industry standards for cloud use around issues such as security, privacy, governance and interoperability between different providers. Banks participating include Deutsche Bank AG, UBS Group AG and Itaú Unibanco Holding SA.