UK moves to regulate cloud providers to financial services sector
Published on 10th Jun 2022
Plans for new powers aim to mitigate risks stemming from overreliance on small numbers of cloud operators
HM Treasury has published a policy paper entitled "Critical third parties to the finance sector: policy statement" (8 June 2022), which responds to the concerns among UK financial regulators about so-called "cloud concentration" risk.
The Financial Conduct Authority (FCA) has had specific guidance in place in relation to the use of cloud providers since 2016 and, in a demonstration of the continued scrutiny on this issue, the Financial Policy Committee of the Bank of England stated in July 2021 that "the increasing reliance on a small number of cloud service providers and other critical third parties could increase financial stability risks without greater direct regulatory oversight of the resilience of the services they provide".
There is growing concern among UK regulators that, with so many financial institutions relying on such a small group of key service providers, the collapse of just one service provider could trigger the next financial markets meltdown if the others were unable to pick up the slack quickly.
The Treasury's policy statement proposes the introduction of a new regulatory regime applicable to designated cloud providers, bringing material services they provide to the finance sector under the direct supervision of the Prudential Regulation Authority (PRA) and the FCA.
Why is the UK government introducing this new regulatory framework?
Market commentators such as S&P Global have been recording a trend, over several years, of businesses shifting an increasing amount of data and applications to servers operated by tech companies. According to a Competition and Markets Authority report from April 2022, just three cloud providers "account for more than 50%" of global market share. The pandemic has hastened the move to cloud-based services by stoking demand for online services more generally.
This shift to the cloud is attractive for financial services firms, as it removes the cost and security challenges of maintaining in-house data servers and helps make digital services more widely available for customers and staff.
Another benefit of using cloud service providers is that companies can outsource cybersecurity to a third party with particular expertise in IT security, rather than having to update their own systems continually in the face of evolving threats. The increasing risk of cyber threats to supply chain operations is well documented and was highlighted in the UK National Cyber Security Centre's (NCSC) Annual Review 2021. In recent months, the NCSC has noted that this risk is continuing to increase due to geo-political issues.
While outsourcing cybersecurity to IT firms may be a wise move for financial services businesses, if there are only a few such firms underpinning the financial system, a successful attack on one of them could be catastrophic. The stage would be set for potential widespread disruption to critical financial services in the event of an effective cyber attack or other outage affecting one or more cloud providers.
Regulated financial services firms must take responsibility for compliance with their regulatory obligations, including their own operational resilience. Where they outsource a material service or operation (as would be the case with using cloud services), there are specific requirements and expectations relating to access, co-operation, record-keeping, termination, supervision, data security and contingency planning; these requirements are part of the new rules for operational resilience that came into force on 31 March 2022. However, HM Treasury is very clear in its view that, although these regulatory requirements on firms are important, they are not, on their own, sufficient to tackle the systemic risk that could crystallise in the event of disruption at a third party providing cloud services to multiple firms.
HM Treasury therefore proposes a new framework of direct regulation of these critical third-party providers, intended to complement the regulation of financial services firms.
How will the new regime work?
A "designation framework" will first be set out in primary legislation. Since critical third parties (CTPs) are primarily in the technology sector, the legislation is likely to stand on its own and not be included in any legislative regime applicable to financial services firms, such as the Financial Services and Markets Act 2000. As such, a bespoke regime is expected to be established, so the FCA's Principles for Businesses or the FCA handbook of rules and guidance more broadly is not expected to apply to CTPs. However, this is not confirmed in the policy statement.
The primary legislation will require HM Treasury, in consultation with the PRA and the FCA, to "designate" third parties as "critical", and these CTPs will be caught by the regime. Cloud providers with a smaller share of the financial services market will not be caught by the regime if they are not "designated".
The PRA and FCA:
- Will be given rule-making powers to set minimum resilience standards for CTPs in respect of material services provided to the UK finance sector.
- Will be able to require CTPs to take part in a range of targeted forms of resilience testing, to assess whether these standards are being complied with.
- Will have information gathering (investigation) and enforcement powers.
When will it come into force?
HM Treasury's policy statement only says that the government intends to legislate for this new regime "when parliamentary time allows". Given the focus on the current heightened geo-political risks, it is reasonable to expect this new legislation to be prioritised in the current parliament, which means that it could be in force within the next 24 months.
The PRA and the FCA will publish a joint discussion paper shortly after the new legislation is introduced, setting out how they might use their new powers and seeking views from industry. After the primary legislation has received Royal Assent, the regulators will publish a consultation paper on their proposed rules based on their new statutory powers.
Osborne Clarke comment
In the long term, the move to regulate CTPs should help to protect the stability of financial markets, as cloud services become ever more important to financial institutions' businesses. In the meantime, firms should continue to ensure that they are complying with operational resilience requirements, and working towards putting measures in place to remain within their impact tolerances within the three-year transitional period now running.