This time it's the tech giants including Google, Amazon, and
Microsoft that host a growing mass of bank, insurance and market operations on
their vast cloud internet platforms that are keeping watchdogs awake at night.
Central bank sources told Reuters the speed and scale at
which financial institutions are moving critical operations such as payment
systems and online banking to the cloud constituted a step change in potential
risks.
"We are only at the beginning of the paradigm shift,
therefore we need to make sure we have a fit-for-purpose solution," said a
financial regulator from a Group of Seven country, who declined to be named.
It is the latest sign of how financial regulators are
joining their data and competition counterparts in scrutinising the global
clout of Big Tech more closely.
Banks and technology companies say greater use of cloud
computing is a win-win as it results in faster and cheaper services that are
more resilient to hackers and outages.
But regulatory sources say they fear a glitch at one cloud
company could bring down key services across multiple banks and countries,
leaving customers unable to make payments or access services, and undermine
confidence in the financial system.
The US Treasury, European Union, Bank of England, and Bank
of France are among those stepping up their scrutiny of cloud technology to
mitigate the risks of banks relying on a small group of tech firms and
companies being "locked in", or excessively dependent, on one cloud
provider.
"We're very alert to the fact that things will
fail," said Simon McNamara, chief administrative officer at British bank NatWest.
"If 10 organisations aren't prepared and are connected into one provider
that disappears, then we'll all have a problem."
'Rapid Pace'
The EU proposed in September that "critical"
external services for the financial industry such as the cloud should be
regulated to strengthen existing recommendations on outsourcing from the bloc's
banking authority that date back to 2017.
The Bank of England's Financial Policy Committee (FPC)
meanwhile wants greater insight into agreements between banks and cloud
operators, and the Bank of France told lenders last month they must have a
written contract that clearly defines controls over outsourced activities.
"The FPC is of the view that additional policy measures
to mitigate financial stability risks in this area are needed," it said in
July.
The European Central Bank, which regulates the biggest
lenders in the Euro zone, said on Wednesday that bank spending on cloud
computing rose by more than 50 percent in 2019 from 2018.
And that's just the start. Spending on cloud services by
banks globally is forecast to more than double to $85 billion in 2025 from
$32.1 billion in 2020, according to data from technology research firm IDC
shared with Reuters.
An IDC survey of 50 major banks globally identified just six
primary providers of cloud services: IBM, Microsoft, Google, Amazon, Alibaba, and
Oracle.
Amazon Web Services (AWS) — the largest cloud provider
according to Synergy Group — posted sales of $28.3 billion in the six months to
June, up 35 percent on the prior year and higher than its annual revenue of $25.7
billion as recently as 2018.
While all industries have ramped up cloud spending, analysts
told Reuters that financial services firms had moved faster since the pandemic
after an explosion in demand for online banking and emergency lending schemes.
"Banks are still very diligent but they have gained a
higher level of comfort with the model and are moving at a fairly rapid
pace," said Jason Malo, director analyst at consultants Gartner.
No More Secrecy
Regulators worry that cloud failures would cause banking systems
to fall over and stop people accessing their money, but say they have little
visibility over cloud providers.
Last month, the Bank of England said big tech companies
could dictate terms and conditions to financial firms and were not always
providing enough information for their clients to monitor risks - and that
"secrecy" had to end.
There is also concern that banks may not be spreading their
risk enough among cloud providers.
Google told Reuters that less than a fifth of financial
firms were using multiple clouds in case one failed, according to a recent
survey, although 88 percent of those that did not spread their risk yet planned
to do so within a year.
Central bank sources said part of the solution may be some
form of mechanism that offers reassurance on resilience from cloud providers to
banks to mitigate the sector's aggregate exposure to one cloud service - with
the banking regulator having the overall vantage point.
"Regardless of the division of control responsibilities
between the cloud service provider and the bank, the bank is ultimately
responsible for the effectiveness of the control environment," the US
Federal Reserve said in draft guidance issued to lenders last month.
FINRA, which regulates Wall Street brokers, published a
report on Monday ahead of potential rule changes to ensure that using the cloud
does not harm the market or investors.
Being able to switch cloud providers easily when needed is,
however, a task that is more easily said than done and could introduce
disruptions to business, the FINRA report said.
'The buck stops with us'
Banks and tech firms contest the suggestion that greater
adoption of the cloud is making the financial system's infrastructure
inherently riskier.
Adrian Poole, director for financial services in the United
Kingdom and Ireland for Google Cloud, said the cloud can be more effective in
bolstering a bank's security capabilities than building them in-house.
British digital lender Zopa said it had moved 80 percent of
its transactions to the cloud and was working to mitigate risks. Zopa Chief
Executive Jaidev Janardana said the company was also deliberately leaning on
tech firms' expertise.
"Cloud providers invest a lot of resources in security
at a scale that few individual companies could manage," he said.
Google's Poole said the company was open to working more
closely with financial regulators.
"We may one day see regulators pulling data on demand
from regulated banks with cloud-enabled application programming interfaces
(APIs), instead of waiting for banks to periodically push data at them,"
he said.
NatWest's McNamara said the bank was collaborating closely
with tech firms and regulators to mitigate risks, and had put alternative
services in place in case things went wrong.
"The buck stops with us," McNamara said. "We
don't put all our eggs in one basket."
One problem, though, is that not all banks have a full
understanding of the risks to resiliency that could come with a wholesale shift
to the cloud, said Jost Hoppermann, principal analyst at Forrester,
particularly the smaller lenders.
"Some banks do not have the necessary know-how,"
he said. "They think doing this will vanish all their problems, and
certainly that isn't true."
© Reuters