The Financial Stability Board (FSB) published on December 9, 2019, its report on financial institutions’ increasing reliance on third parties to provide cloud computing services (the Report). Established by the G-20 in April 2009 to promote international financial stability, the FSB is an international body that assesses vulnerabilities in the global financial system and coordinates the work of national financial authorities and international standard-setting organizations to develop and promote appropriate regulatory and supervisory policies.
The Report outlines the benefits from the increasing use of third-party cloud computing services, focusing primarily on cost savings, improved competition and cybersecurity, and increased operational resilience. It notes, though, the new challenges that the current scale of use may pose, such as the significant and systemic effects that an operational failure of critical third-party infrastructure could have. This is due to the highly concentrated cloud computing sector and the increasingly complex network of third-party suppliers and dependencies.
While the Report concludes that there are no immediate financial stability risks, it recommends further discussion among supervisory and regulatory authorities.
Third-party Dependencies – An Opaque and Complex Network
The Report identifies a range of third-party digital services on which many financial institutions currently rely, including data communications, data center hardware management, networking hardware management, and cloud computing services. New interdependencies may now exist as a result of financial institutions outsourcing functions (such as human resources and accounting functions) that depend themselves on cloud services and so financial institutions may become reliant on a network of disparate services. In particular, Open Banking and the EU Payment Services Directive II have led to more financial institutions partnering with fintech firms, which often rely on cloud services rather than develop their own in-house IT infrastructure. (Read our prior blog, What Is Open Banking?)
The ability to manage risks in this context is vital, as a failure of a third party within the network could cause systemic issues. The Report suggests ensuring the rapid and well-ordered transfer of a failing provider’s services and recommends retaining talent that can assess and supervise third-party dependencies.
Current Status of the Cloud Computing Market
The Report includes extensive market data illustrating the cloud computing market’s growth, including the following:
- Public cloud services spending is expected to grow 17.5% this year with worldwide revenue reaching $331 billion in 2022, up from $182 billion in 2018
- The banking sector spends more on IT than any other sector (around 9% of revenues), with an increasing proportion of that spend going on cloud services
- 70% of financial services companies reported that they remain at the initial phase of implementing cloud technologies
- The use of cloud services for critical functions remains low
- The five top cloud companies constitute three-quarters of the industry’s revenues and their dominance is global
The Report provides a detailed overview of the benefits of using cloud services. For example, foregoing expensive IT infrastructure may have significant cost savings and should reduce the need for lengthy procurement exercises. This may provide financial institutions with more time to focus on innovation. The Report employs data stating that companies receive on average a net return of two-and-a-half dollars for every dollar invested in cloud services. This is primarily achieved by a 19% reduction in IT expenditure and staff time savings of two to three hours per week per employee.
Further, economies of scale achieved by cloud providers allow smaller financial services companies to access robust security services less expensively than developing their own security systems. The Report notes, however, that this practice must be appropriately managed to ensure that any security and compliance incidents resulting from a misconfiguration of cloud infrastructure are reduced as much as possible.
Despite many benefits, the Report states that increased reliance on third-party providers for cloud computing poses new challenges. Broadly, outsourcing arrangements can challenge a firm’s ability to manage risks effectively and cloud computing providers report that the shared responsibility model is not well understood by clients. There are concerns that existing knowledge asymmetries between financial institutions and cloud providers may increase due to a lack of investment in outsourcing oversight or mitigation measures as the technologies continue to develop.
Further, temporary outages and data breaches have occurred among financial institutions and third-party cloud computing providers and it may be difficult for a firm to maintain the relevant service if there is disruption to, or failure in, the services provided by its third-party provider. These risks may be amplified due to the concentrated market and complex network of third-party providers and their interdependencies. It may also be problematic if market concentration leads to “lock-in,” whereby it becomes difficult for a firm to transfer to a new cloud provider.
The Report highlights existing measures that mitigate some of these concerns. Cloud providers have demonstrated a strong ability to respond to technological failures in a manner that avoids significant customer impact. Additionally, several cloud providers offer solutions to issues such as data privacy, concentration risk, operational resilience, and lock-in risk, reducing risks associated with infrastructure failure in a concentrated and highly interdependent network of cloud providers.
The Report also suggests other measures that may alleviate other concerns, such as financial institutions adopting a “multi-vendor” approach so that services are replicated across several providers and “lock-in” issues can be avoided.
The Report highlights the FSB’s satisfaction with the measures currently in place to avoid financial stability risks, but recommends that discussions continue between the relevant supervisory and regulatory bodies and further assessment of the
- adequacy of current regulatory standards;
- coordinating abilities of regulators when considering cloud services used by financial institutions; and
- current standardization efforts relating to the interoperability and data portability in cloud computing.
Implications for Member Regulatory Authorities and Regulated Financial InstitutionsThe Report itself is not an immediate call to action by FSB member regulatory authorities, but it does provide a more current framework for the review of financial institution outsourcing arrangements with information technology providers. Regulatory authorities in member jurisdictions such as the United Kingdom and United States already are sensitized to the benefits and risks associated with third-party arrangements with cloud computing providers, and expect their regulated institutions to implement appropriate measures for the identification and management of risks associated with these activities. The Report, however, may provide useful guidance and benchmarks for member regulatory authorities and their regulated financial institutions constituents to manage these outsourcing activities to their maximum benefit, and acceptably modest risk. That said, it remains to be seen whether cloud computing itself will become regulated at some point in the future.