Table of Contents
Part I: Cloud Adoption in the Financial Sector
a. Types of cloud services
b. Factors shaping the cloud adoption decision
c. Benefits and risks of cloud adoption by financial institutions
d. The current state of cloud adoption in the financial sector
Part II: Cloud Adoption and “Concentration Risk”
a. Concentration risk in the financial sector
b. To what extent are concentration risks systemic?
c. Concentration risks and cloud adoption
d. How do financial institutions and cloud providers mitigate concentration risk?
Part III: Regulatory Frameworks For Managing “Concentration Risk”
a. The U.S. regulatory framework
b. Regulatory frameworks in international jurisdictions
Part IV: Policy Recommendations
a. Focus on information gathering and sharing to monitor concentration risks
b. Clarify and tailor concentration risk guidance
c. The importance of cross-border coordination and solutions
d. Ensure that regulatory tools and practices are fit for purpose
Cloud services have become an important part of the information technology toolkit in the global financial sector. As cloud adoption by financial institutions has increased, financial regulators have raised concerns about potential concentration risk resulting from cloud migration. This report aims to provide clarity around the discussion of cloud adoption and concentration risk in the financial sector.
Section I of the report provides background on cloud adoption in the financial sector. Section II clarifies the potential risks associated with the use of third-party technology service providers by financial institutions, and examines those risks in the context of cloud adoption and traditional information technology (IT) infrastructure. Section III outlines the regulatory frameworks in different jurisdictions for addressing potential concentration risks associated with cloud adoption. Section IV concludes by setting out policy recommendations for mitigating potential concentration risks associated with cloud adoption in the financial sector.
The report has several key takeaways:
- Concentration risk is not new to the financial sector, nor is it unique to the cloud. Indeed, it is not obvious that such risks could be avoided if financial institutions were to rely on traditional IT infrastructure instead of the cloud. The critical question is how to manage or mitigate concentration risk.
- In order to assess the landscape of concentration risk in the financial sector, regulators should develop a clear and consistent definition of concentration risk and the underlying scenarios to which that definition applies.
- Regulators should also focus on gathering information about technology outsourcing by financial institutions, including the use of cloud-based services. Concentration risk can be addressed through information sharing and coordination among FIs, cloud providers, and supervisory authorities.
- Cloud adoption in the financial sector is still in its early stages. As cloud adoption increases, regulators should weigh the risks of concentration against the benefits of scale and quality of services provided by major cloud providers.
- In developing regulatory and supervisory approaches, regulators should engage directly with cloud providers in order to understand the tools available to financial institutions and the security and resiliency practice of cloud providers.
- Regulatory requirements and supervisory practices for cloud adoption should be tailored to specific risks and a one-size-fits-all approach should not be adopted for all financial institutions.
PART I: CLOUD ADOPTION IN THE FINANCIAL SECTOR
Cloud services have become important IT building blocks for financial institutions globally. Before considering how cloud adoption affects concentration risk in the financial sector, this section provides necessary background on cloud adoption in the financial sector: it distinguishes between different types of cloud services, outlines the benefits and risks of cloud adoption, and describes the current state of cloud adoption by financial institutions.
A. Types of cloud services
Financial institutions (FIs) have historically relied on their own IT infrastructure, which was typically managed internally and by third-party technology companies. To better manage increasing IT demands, such as those associated with digital delivery channels including mobile and internet services, FIs are transitioning from this on-premises IT infrastructure model to the use of cloud-based services offered by individual cloud service providers to many different customers at scale.
Cloud computing can refer to any use of computing resources over a network, such as the internet, in a manner that is scalable with demand. Cloud-based services can be divided into three basic types, based on the nature of computing resources that the customer uses: infrastructure, platform, and software services.
When an FI uses computational infrastructure, such as servers, storage capacity or networking, cloud providers control the underlying infrastructure and orchestration while the FI defines and manages a significant part of the virtual infrastructure using these services, including the operating systems and the applications that run on that infrastructure. At the other end of the spectrum, FIs can run software developed and controlled by a cloud service provider on remote servers. An FI can also use platform services to develop and run software on hosting and development infrastructure offered by a cloud service provider. Platform services offer more structure than bare-bones infrastructure services but more flexibility than provider-developed and -controlled software services. Figure 1 illustrates the three types of cloud-based services.
These different types of cloud services can be layered on top of each other. For example, fintech startups that offer cloud-based software services often build those services using the infrastructure or platform services of a major cloud provider, rather than using their own computing infrastructure.
An FI’s choice of cloud services is shaped by its needs, technical capabilities and staff knowledge and skill. For example, FIs with more in-house technical expertise, whether large banks or small fintech startups, may use infrastructure resources to build entirely new applications. FIs with less technical expertise may choose to use the cloud to run software developed by third-party solutions providers, which is easier to deploy and operate.
B. Factors shaping the cloud adoption decision
The decision to move from traditional on-premises IT infrastructure to the cloud is often driven by the lower costs and increased efficiency of cloud services. Cloud services are also more agile than traditional IT infrastructure, an aspect highlighted by the COVID-19 pandemic. Still, FIs must evaluate potential technological and operational challenges when considering cloud adoption.
Reasons for cloud adoption
To ensure their smooth operation on traditional on-premises IT infrastructure, FIs often need to maintain IT resources—and the human and organizational resources necessary to manage them—at a level that exceeds their everyday needs. This excess capacity is necessary to support FIs’ highest projected volume requirements, even if that capacity is rarely used. Cloud technology can minimize the need for this kind of costly over-provisioning by allowing FIs to benefit from the economies of scale inherent in sharing a cloud provider’s computing resources across its many customers. FIs can quickly scale up in an automated manner when additional resources are needed and scale down when demand subsides.
By making computing resources available on demand to customers who pay only for what they actually use, the cloud turns large, up-front capital expenditures into variable operational costs that depend on actual usage. For FIs, this translates to lower costs for purchasing, support and maintenance of IT infrastructure. It also makes FIs more technologically agile: they can test new scenarios, software tools and alternative configurations without a lengthy purchasing and provisioning process. Deploying a server on the cloud can take as little as a few minutes, as opposed to the up to nine weeks it can take to deploy a server in a traditional proprietary data center.
The increased agility made possible by cloud services was on display during the COVID-19 pandemic. The pandemic caused an abrupt transition to a remote workplace environment for corporate employees. FIs were forced to rapidly expand their reliance on cloud-based services, especially collaboration tools, to support their remote workforce. The onset of the pandemic also forced FIs to offer remote services to clients, instead of in-person options like bank branches. Many FIs used cloud-based tools like virtual desktops to maintain service levels in a remote environment.
Other factors affecting cloud adoption
Other considerations have also affected cloud adoption in the financial sector. Some of these considerations are institutional: generally, FIs tend to be largely conservative organizations and can therefore be reluctant to deploy new technologies. Deployment-related challenges are another factor in impeding cloud adoption; FIs can have difficulty integrating their legacy infrastructure with newer cloud resources. As a result, many FIs initiate their cloud adoption with newer or novel workloads and applications, rather than moving older legacy applications to the cloud.
Regulatory considerations also factor into financial firms’ decisions regarding cloud adoption. As described in Part III, while some financial regulations and guidance have been updated—or are in the process of being updated—to explicitly address cloud adoption, regulatory uncertainty persists. In addition, for FIs that operate across different jurisdictions, inconsistent cross-border requirements and data localization restrictions can limit the benefits of cloud adoption by making it more difficult to leverage the distributed nature of cloud services and enable greater operational resilience.
C. Benefits and risks of cloud adoption by financial institutions
In addition to the efficiency and agility benefits that are driving the shift to cloud services, FIs that have made the move to the cloud find that it offers additional benefits. Cloud adoption also offers potential benefits for the broader financial sector. At the same time, cloud adoption also gives rise to potential risks.
Benefits of cloud adoption
Cloud services can be more secure than traditional IT platforms. While some FIs—especially larger, more sophisticated ones—are able to devote significant financial and personnel resources to security, smaller FIs may not. The major cloud providers, by contrast, tend to be at the forefront of security research and implementation, enabling the faster discovery and mitigation of security vulnerabilities, which benefits FI customers of all sizes. Major cloud providers’ infrastructures are also generally built to support stringent security requirements and protocols—although it is ultimately up to individual FIs to make use of those tools.
Since the cloud infrastructure of major cloud providers is widely distributed, with hundreds of data centers located across the globe, the cloud can also enable greater resiliency in the financial sector. FIs can distribute processes and data across a cloud provider’s different data centers, allowing them to build applications that can be online even if a particular data center or region experiences a disruption. Likewise, the scalability of cloud services allows FIs to handle unexpected capacity requirements, whether due to an unanticipated surge in trading activity or a malicious cyberattack, in ways that they would not otherwise be able to if relying solely on their own IT infrastructure.
Another benefit of the increased computing resources and scalability of the cloud is the ability to build analytic tools that can be leveraged by FIs and regulators to better understand and manage operational risks in the financial system. In addition, the cloud can benefit the financial sector by creating a more level playing field between FIs of different sizes. The lower up-front costs of cloud services allow small- and medium-sized FIs, as well as fintech startups, access to computing resources that previously would have been available only to larger FIs.
Risks related to cloud adoption
Many of the risks related to cloud adoption are also associated with traditional IT infrastructure. The use of cloud services, for example, does not entirely eliminate the need for capacity planning with respect to computing resources. It just delegates the underlying infrastructure-related capacity planning decisions to cloud providers, who must predict aggregated demand for resources across all of their customers to meet their needs.
Nor does cloud adoption eliminate the potential for unauthorized access to an FI’s data or processes. Most cloud service providers operate under a shared responsibility model. The cloud service provider leaves certain customer-environment-specific configurations to the customers, and those configurations, if poorly managed, can create security risks. In a cloud environment, customers remain at risk, for example, from overly permissive access controls or mismanagement of encryption keys. These risks would exist whether those credentials and controls were managed on-premises or in the cloud.
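The report places access-control configuration on the customer’s side of the shared responsibility model. The following added example (not part of the report, and not any provider’s own tooling) shows the kind of check an FI can run over its own policy documents before deploying them: it flags statements that grant access to any principal, every action, every action on a service, or every resource. The policy shape (Effect / Principal / Action / Resource) mimics the JSON used by several providers; the two sample policies, the `keys:*` and `storage:GetObject` action names, the `storage://` resource scheme and the `ledger-batch-role` identity are all constructed for illustration.

```python
"""Flag overly permissive Allow statements in a cloud access policy document.

Added example; the policy documents, action names and resource identifiers
below are constructed, not taken from any real provider or deployment.
"""
import json

# Constructed: an over-broad policy of the kind that is the customer's
# responsibility to avoid under the shared responsibility model.
PERMISSIVE_POLICY = json.dumps({
    "Statement": [
        # Anonymous access, every action, every resource.
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"},
        # A named workload, but with every key-management action on every key.
        {"Effect": "Allow", "Principal": {"Service": "reporting-job"},
         "Action": "keys:*", "Resource": "*"},
    ]
})

# Constructed: the least-privilege form, scoped to one identity, one read
# action and one storage prefix (hypothetical names).
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ledger-batch-role"},
         "Action": ["storage:GetObject"],
         "Resource": "storage://ledger-exports/2024/*"},
    ]
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the statement applies to any principal at all."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in principal.values()


def audit_policy(policy_json):
    """Return one finding per over-broad grant found in the policy document."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; Allow can over-grant
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if _is_anonymous(stmt.get("Principal")):
            findings.append(f"statement {i}: grants access to any principal")
        if "*" in actions:
            findings.append(f"statement {i}: allows every action on every service")
        else:
            wide = [a for a in actions if a.endswith(":*")]
            if wide:
                findings.append(f"statement {i}: allows every action on a service ({', '.join(wide)})")
        if "*" in resources:
            findings.append(f"statement {i}: applies to every resource")
    return findings


if __name__ == "__main__":
    for name, doc in [("permissive", PERMISSIVE_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)]:
        found = audit_policy(doc)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Running the script reports five findings for the permissive document and none for the least-privilege one. A check like this belongs in the FI’s deployment pipeline, since under the shared responsibility model the provider has no visibility into whether a customer’s policies are appropriately scoped.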
Multi-tenancy—the ability of multiple customers to share the same infrastructure—is a critical feature of cloud services. However, it is not unique to the cloud; it has existed in hosted applications and other traditional IT configurations that predate cloud computing. Some cybersecurity analysts have raised concerns that customers using shared infrastructure resources in the cloud might expose their data or processes to unauthorized parties. Such exposure may result from the exploitation of vulnerabilities associated with the hypervisor (the software program which manages the virtual machines that make up the cloud). However, such risks may be mitigated in the cloud through the use of a dedicated host (a physical server reserved for a single customer’s use) instead of multi-tenant servers.
The relationship between FIs and their cloud service providers can result in operational risks, which are also similar to those that arise in connection with traditional IT outsourcing. In any relationship with a third-party vendor, FIs must manage the risks associated with subcontracting by the vendor. Likewise, in any relationship with an IT service provider, FIs can be exposed to a degree of “lock-in” risk. Lock-in can arise out of an FI’s legal obligations, for example, where its agreement with a cloud services provider includes exclusivity terms. Even in the absence of any such exclusivity requirements, an FI can become excessively dependent on a particular service provider.
The on-demand nature and scale of cloud services allows them to be provided to more customers in a more automated manner than traditional technology platforms, potentially increasing the concentration of FIs using a particular cloud provider. Reliance by FIs on a small number of cloud providers or services could theoretically result in the emergence of new dependencies at both the firm level and in the financial system as a whole. The risks arising out of these potential dependencies are addressed in more detail in Part III.
D. The current state of cloud adoption in the financial sector
The move toward cloud services in the financial sector was already well underway prior to the onset of the COVID-19 pandemic. According to one industry survey, as of 2021 more than 90 percent of responding banks had adopted cloud for at least some workloads. Another survey, taken during the first months of the pandemic, reported that a third of all IT spending at banks was allocated to public cloud, up from less than 20 percent in 2018. As noted above, the pandemic accelerated the demand for cloud services in the financial sector.
Nevertheless, cloud adoption in the financial sector is varied and, for many FIs, still in its early stages. Some FIs have retired their on-premises IT architecture and gone “all-in” on cloud adoption. Other FIs have moved certain operations, especially enterprise applications such as human resources and collaboration tools, to the cloud. However, critical operations—those involved in processing transactions, updating accounts, and reconciling ledgers—are still largely conducted using legacy IT systems. A post-pandemic survey of over 100 global banks reported that North American banks had migrated just 12 percent—and European banks just five percent—of their total workloads to the cloud. For “core” workloads—defined as workloads related to core systems, such as back-end processes and systems that manage customer interactions throughout the bank—the percentage of workloads that had been migrated to the cloud by the responding banks stood at a paltry three percent.
PART II: CLOUD ADOPTION AND “CONCENTRATION RISK”
As the use of cloud services in the financial sector becomes more prevalent, financial regulators and other policymakers, including the U.S. Treasury Department in its recently released report on cloud adoption in the financial sector, have raised concerns about potential “concentration risks”. This section aims to clarify the potential concentration risks associated with FIs’ use of third-party technology service providers. It then considers those risks in the context of cloud adoption and compares them to concentration risks associated with traditional IT infrastructure. Finally, this section concludes with a discussion of the measures that FIs and cloud providers already take to mitigate concentration risks associated with cloud adoption.
A. Concentration risk in the financial sector
Although there is no agreed-upon definition of concentration risk, it can be thought of as including any “probability of loss arising from a lack of diversification.” As a result, there is no single source of concentration risk in connection with the use of technology service providers. Rather, the lack of diversification that results from technology outsourcing can arise in a number of different ways and at several different levels. These different types of concentration risk are outlined below.
FI-specific concentration risk
Concentration risk can potentially arise at the “micro” level—at the level of an individual institution—if an FI becomes so dependent on a particular infrastructure or technology service provider that a disruption affecting that infrastructure or provider impairs the FI’s ongoing functioning (see Figure 2). This risk is exacerbated by “vendor lock-in”, where an FI must rely on an individual provider, even in the event of failure, because it has no reasonable alternatives or substitute.
Although it arises at the level of an individual FI, this kind of concentration risk can have consequences for the broader financial system. The financial system depends on a few key institutions and utilities. If one of those institutions or utilities becomes dependent on a particular vendor, a disruption that affects the availability or integrity of that provider could have negative consequences for the financial system.
Systemic concentration risk
Another type of concentration risk—“macro” concentration risk—could theoretically arise in connection with the use by many FIs of the same third-party technology service provider (see Figure 3). In this situation, the failure of that service provider may adversely impact a significant portion of the financial sector. That failure could result from a major technological disruption—for example, if a disruption at one technology service provider simultaneously affects data or systems at many FIs. It could also result from a large-scale non-technological disruption at the service provider, such as financial distress.
Concentration risk without a single provider
Industry-wide concentration risk may also result when multiple FIs adopt similar technological models, leaving them vulnerable to similar disruptions even if they do not all use the same provider. From approximately 2014 to 2018, for example, state-sponsored hackers embarked on a campaign of cyber theft from dozens of companies, including large FIs. They were able to compromise these companies by targeting their “managed service providers”: third-party providers that are responsible for the remote management of their customers’ IT infrastructure and the overlaying applications and tools. Notably, not all of the affected companies used the same managed service provider. Rather, the hackers gained access to several of these providers’ systems by sending phishing emails that delivered malware to the providers, which then infiltrated their clients’ networks.
Moreover, the nature of concentration risk that results from technology outsourcing will be contextual, depending on factors such as the jurisdiction in which FIs and their service providers are located. FIs in one jurisdiction may face concentration risk in connection with their reliance on technology service providers in another jurisdiction—even if they do not depend exclusively on a single service provider in that jurisdiction. They may face the possibility, for example, that authorities in the service providers’ jurisdiction may sanction or restrict the provision of services to clients in their own jurisdiction.
B. To what extent are concentration risks systemic?
Another important question is whether and how the concentration risks described above affect the financial system as a whole. The financial system has proven operationally resilient: disruptions resulting from the failure of a technology service provider can occur, even at great financial cost, without triggering a systemic crisis. In 2022, for example, a major outage shut down the business and consumer network services provided by a leading Canadian telecommunications company for almost an entire day. The outage, which cost the Canadian economy an estimated $142 million across all sectors, shut down ATMs and electronic payment services for several large banks. Once the outage was resolved, those banks suffered no lasting impact.
The potential impact of technological failure on the financial system
Historically, financial crises have been triggered by short-term creditors withdrawing their money from the financial system simultaneously, leading to a loss of liquidity and even failure of certain FIs. These short-term creditors are typically motivated by a loss of confidence in the solvency or liquidity of one or more FIs. Specifically, they fear that they will not obtain the full value of their deposits unless they immediately withdraw from the FIs. The disruption of an FI’s data or systems would only contribute to such a run if it raised doubts about the FI’s underlying financial health or stability.
How would the impact of technological failure change because of increased concentration risk?
In theory, concentration risk could increase the likelihood that a technological or operational failure at an FI has a systemic impact. The failure of a third-party provider could impair an FI’s operations, leaving it unable to meet its payment obligations. For example, the failure in 2012 of batch scheduling software at the UK’s NatWest RBS banking group disrupted many of its basic banking operations, leaving millions of customers unable to access their accounts for several days. The failure of a bank to meet its payment obligations could potentially lead to liquidity scarcity in the financial system. Importantly, however, a failure of this sort will not necessarily have broader consequences for the financial sector: the NatWest outage was resolved without any larger systemwide fallout.
The systemic risk posed by technological failure is potentially greater if multiple FIs rely on a single technology service provider. A failure at that provider might impair multiple FIs simultaneously, which under certain conditions could cause a broader impact on the financial system. For example, the Federal Reserve suffered a widespread disruption in multiple payment services in February 2021, which included the Fedwire system that FIs rely on to transfer trillions of dollars each day. The disruption, which was attributed to operational error, lasted for several hours. Again, however, the disruption did not have any long-term systemic consequences.
C. Concentration risks and cloud adoption
The cloud’s model, which leverages the economies of scale associated with sharing computing resources, may also result in many FIs depending on a small number of providers. According to a Bank of England survey, for instance, most banks and insurers rely on just two providers for cloud-based infrastructure services. A disruption that compromises the security of data at a cloud-based service provider, or impairs the availability or integrity of data or systems at a cloud provider, could in theory affect the operations of many FIs at the same time. Periodic disruptions at major cloud providers, for example, have temporarily disrupted the operations of their clients, including FIs. In December 2021, a service disruption at a major cloud provider caused widespread but transient disruptions at many (mostly non-financial) companies.
Another potential source of concentration risk in the cloud relates to certain common linchpin technologies on which cloud deployments rely. These technologies are critical systems, like routing, identity and access management, and virtualization, that support the secure and continued operation of the cloud network. The failure or disruption of a linchpin technology can have significant consequences for cloud providers and the users that depend on them. In March 2021, a failed update to an authentication system relying on an identity and access management (IAM) component caused a nearly global outage at a major cloud provider.
Concentration risk – not unique to cloud
As the prior discussion illustrates, however, technology or operational failures—even those that arise in connection with dependency on particular technological infrastructure or an individual service provider—are not new to the financial system. Lock-in risk, for example, is not unique to the cloud. FIs that contract with third-party service providers to build and maintain on-premises data centers, for instance, tend to enter into long-term contracts that can make switching providers difficult and economically costly. And a failure at an FI’s managed, on-premises databases can knock out critical systems, like payments and other transactions.
Likewise, the reliance of many FIs on common technologies is not a novel feature of cloud adoption. Even when using traditional, bespoke IT infrastructures, FIs have historically become reliant on common products and services, ranging from semiconductors to software to managed databases, that were produced or provided by a small number of third-party providers. A vulnerability associated with one of these common products and services can give rise to the same sort of concentration risk that characterizes the common use of a cloud provider.
Moreover, while cloud adoption may give rise to concentration risks, it is not necessarily the case that such risks could be avoided if FIs were to rely or continue to rely on traditional IT infrastructure instead. The demands of FIs’ customers and employees place increased emphasis on interconnectivity as a defining feature of their technology infrastructure. As FIs provide more internet and mobile access to external clients, as well as more flexibility for their internal workforce, they will become increasingly reliant on tools that manage that interconnectivity, whether they use on-premises or cloud infrastructure. The use of common products and services to manage that technological interconnectivity can add to concentration risk. Thus, the critical question is not how to eliminate concentration risk, but how to manage or mitigate it.
D. How do financial institutions and cloud providers mitigate concentration risk?
FIs and cloud providers currently take several measures to mitigate concentration risk that arises in connection with cloud adoption. This subsection outlines the steps that cloud providers and FIs can and do take to limit their exposure to concentration risk. Because those steps are divided between the two parties, it is important to first explain the “shared responsibility” model developed by cloud providers to allocate responsibility for different aspects of cloud security and resiliency.
The “shared responsibility” model
Generally, large cloud providers rely on a “shared responsibility” model of cloud security and resiliency that defines the responsibilities of cloud providers and their customers for various aspects of the cloud environment. Although the particular shared responsibility models formulated by the major cloud providers have some differences, they share the same basic approach: cloud providers are responsible for the security and resiliency of the tools that they build (security and resiliency “of” the cloud), while users are responsible for how they use those tools (security and resiliency “in” the cloud).
In practice, that means that cloud providers operate, manage and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The FI customer assumes responsibility for and management of the guest operating system (including updates and security patches), other associated application software, and the configuration of the environment and its security. The shared responsibility model also leaves FIs free to decide where they put their data, which they can use to manage their own political and regulatory risk. This shared responsibility model for the IT environment extends to IT controls and security as well.
Under the shared responsibility model, cloud providers and users never share responsibility for the same aspect of cloud security or resiliency. A user’s areas of responsibility are specific to their own environment and configuration, and cloud providers have little insight or control over how users operate in those areas. By the same token, users do not dictate how cloud providers secure their portion of the cloud. The shared responsibility model can help shed light on how cloud providers and FIs limit their exposure to concentration risk.
Measures taken by cloud providers
The major cloud providers take several measures to mitigate the possibility of any single point of failure in their own infrastructure. Two key elements of their strategy are spreading infrastructure across different “availability zones” and regions.
Availability zones are physically separate locations within a specific region that are isolated from each other using redundant networking, connectivity, and power. By compartmentalizing their own infrastructure and services into redundant, isolated availability zones, major cloud providers reduce the impact that a failure at one location will have on the capacity and availability of their services. If one availability zone is affected, the cloud provider’s services, capacity and availability can be supported by the remaining availability zones. FIs, or third parties that offer cloud-based services to FIs, can design and operate their cloud-based applications to run synchronously across availability zones without interruption.
In addition to the use of availability zones, which are located in the same region, major cloud providers also locate data centers in different regions, which provides even greater physical isolation from one region to another. This geographic diversity ensures that even major physical catastrophes, like flooding and earthquakes, can be weathered by cloud users without significant disruption. For critical functions that require high levels of availability and resiliency, FIs can take advantage of a cloud provider’s distributed regional architecture to ensure that applications or data are consistently available by configuring those functions so that they are spread across the cloud provider’s different regions.
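Whether a workload actually benefits from availability zones and regions depends on where its replicas are placed, which is the FI’s decision under the shared responsibility model. The following added example (not from the report, and not any provider’s tooling) evaluates a replica placement against the two failure scenarios the preceding paragraphs describe: loss of a single availability zone and loss of a whole region. The region and zone names and the three placements are constructed for illustration.

```python
"""Check whether a replica placement survives the loss of one zone or one region.

Added example. A placement is a list of (region, zone) pairs, one per replica.
Region and zone names below are constructed, not a real provider's.
"""

# Constructed placements for a workload that must keep at least 2 replicas running.
SINGLE_ZONE = [("region-west", "a")] * 3
MULTI_ZONE = [("region-west", "a"), ("region-west", "b"), ("region-west", "c")]
MULTI_REGION = [("region-west", "a"), ("region-west", "b"),
                ("region-central", "a"), ("region-central", "b")]


def surviving(placement, failed_zone=None, failed_region=None):
    """Count replicas still running after one zone or one region is lost.

    A zone is identified by its (region, zone) pair, so zone "a" in two
    different regions counts as two independent zones.
    """
    return sum(
        1 for region, zone in placement
        if region != failed_region and (region, zone) != failed_zone
    )


def worst_case(placement):
    """Return the single failure that leaves the fewest replicas running."""
    zones = sorted({(r, z) for r, z in placement})
    regions = sorted({r for r, _ in placement})
    candidates = [(f"zone {r}/{z}", surviving(placement, failed_zone=(r, z))) for r, z in zones]
    candidates += [(f"region {r}", surviving(placement, failed_region=r)) for r in regions]
    return min(candidates, key=lambda c: c[1])


def resilience(placement, min_replicas):
    """Report whether min_replicas survive any single-zone and any single-region loss."""
    zones = {(r, z) for r, z in placement}
    regions = {r for r, _ in placement}
    return {
        "zone_loss": min(surviving(placement, failed_zone=z) for z in zones) >= min_replicas,
        "region_loss": min(surviving(placement, failed_region=r) for r in regions) >= min_replicas,
    }


if __name__ == "__main__":
    for name, placement in [("single zone", SINGLE_ZONE),
                            ("multi zone", MULTI_ZONE),
                            ("multi region", MULTI_REGION)]:
        label, left = worst_case(placement)
        print(f"{name:12s} {resilience(placement, 2)}  worst case: {label} leaves {left} replica(s)")
```

Three replicas in one zone fail both checks; spreading them across three zones in one region survives a zone loss but not a regional event; two replicas in each of two regions survive both. The same check generalises to any minimum replica count, which lets an FI express the availability target of a critical function as a number and verify a proposed placement against it before deployment.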
Measures taken by financial institutions
FIs also take different approaches to mitigating the risk of disruption and ensuring business continuity. As noted above, FIs can distribute processes and data across a cloud provider’s different availability zones or regions, allowing them to build applications that can remain online even if a particular data center or region experiences a disruption.
To protect themselves against lock-in, FIs should consider what impediments may exist which limit their ability to move applications and data off of a cloud provider’s infrastructure without unreasonable cost or difficulty. This needs to be considered at both the level of an individual application or workload and the level of the overall relationship with a cloud provider. In general, major cloud providers offer the functionality necessary to move applications and data from one cloud provider to another, or to an on-premises environment, at the discretion of the FI. However, factors such as contractual terms, commercial commitments, or the lack of comparable services or features at an alternative provider may increase the switching cost – expense, time, and effort – of moving between providers. Increasingly, FIs are developing “exit strategies,” which outline the different impediments that exist to seamlessly moving applications and data off of a particular cloud service provider, and the steps they will take – both proactive and reactive – to mitigate the impact of those impediments should the FI choose or need to migrate away from the cloud provider. One example of a proactive measure is mandating the use of open-source software and open standards to avoid getting locked in to a particular vendor’s proprietary format. The exit strategy also typically defines how the FI will monitor certain key risk indicators (e.g., performance against service level agreements, the commercial relationship with the cloud provider, reputational risks) and what might trigger the FI to initiate the exit plan for moving applications or data off of the cloud provider.
Another strategy that some FIs have employed to mitigate concentration risk is the use of hybrid cloud—migrating applications suited for the cloud while keeping other components in on-premises data centers—so that on-premises infrastructure is used for critical infrastructure or as backup in the event of disruption. Other FIs take a multi-cloud approach, using different cloud providers for different types of workloads, or architecting workloads to be portable between cloud platforms (e.g., through the use of containers). However, the use of a multi-cloud strategy is not without its challenges. To implement a multi-cloud configuration, an FI must build (or rely on another third party to build) a solution for managing applications and data in multiple clouds. This does not eliminate risk; it just transfers it from an individual cloud provider to the FI or a different third-party provider. The use of multiple cloud providers also requires an FI to train staff and implement controls for different cloud environments. A multi-cloud strategy can also potentially introduce additional points of failure that need to be continuously managed and tested to ensure they work when needed (e.g., in the event of an outage). An unintended consequence of a multi-cloud strategy is standardization on the “lowest common denominator” of capabilities across different clouds, resulting in less-than-optimal cloud usage.
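As an added illustration (not code from the report or from any cloud provider), the check below models the single-point-of-failure analysis described in the two preceding subsections: it takes a constructed inventory of an FI’s workload placements across availability zones and regions, flags critical functions that collapse to one zone or one region, simulates the loss of a single zone or region, and evaluates one exit-strategy key risk indicator (consecutive months below the contractual SLA). All provider, region, zone and function names, and the two-month threshold, are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Placement:
    """One deployed copy of a workload. Provider/region/zone names are
    hypothetical labels, not a real cloud provider's identifiers."""
    function: str   # business function the workload supports
    provider: str
    region: str
    zone: str       # availability zone within the region
    critical: bool  # does the FI classify this function as critical?


# Constructed sample inventory for illustration only.
INVENTORY = [
    # Critical function spread across two zones in one region plus a
    # second region: survives loss of any single zone or region.
    Placement("payments-core", "cloud-a", "eu-west", "eu-west-1", True),
    Placement("payments-core", "cloud-a", "eu-west", "eu-west-2", True),
    Placement("payments-core", "cloud-a", "eu-central", "eu-central-1", True),
    # Critical function with two copies in the SAME zone: extra capacity,
    # but still a single point of failure at zone and region level.
    Placement("fraud-scoring", "cloud-a", "us-east", "us-east-1", True),
    Placement("fraud-scoring", "cloud-a", "us-east", "us-east-1", True),
    # Non-critical workload; not assessed for concentration.
    Placement("marketing-analytics", "cloud-b", "us-east", "us-east-1", False),
]


def concentration_findings(inventory):
    """Return {critical function: [issues]}; an issue is recorded when all
    placements of the function collapse to one zone or one region."""
    by_function = defaultdict(list)
    for p in inventory:
        by_function[p.function].append(p)
    findings = {}
    for fn, places in by_function.items():
        if not any(p.critical for p in places):
            continue
        zones = {(p.provider, p.region, p.zone) for p in places}
        regions = {(p.provider, p.region) for p in places}
        issues = []
        if len(zones) < 2:
            issues.append("single availability zone")
        if len(regions) < 2:
            issues.append("single region")
        findings[fn] = issues
    return findings


def critical_functions_lost(inventory, lost_region=None, lost_zone=None):
    """Simulate an outage of one region (provider, region) or one zone
    (provider, region, zone) and return the critical functions that would
    have no surviving placement."""
    surviving = defaultdict(int)
    critical = set()
    for p in inventory:
        if p.critical:
            critical.add(p.function)
        if lost_region and (p.provider, p.region) == lost_region:
            continue
        if lost_zone and (p.provider, p.region, p.zone) == lost_zone:
            continue
        surviving[p.function] += 1
    return {fn for fn in critical if surviving[fn] == 0}


def exit_review_triggered(monthly_availability, sla_target, consecutive_months=2):
    """Exit-strategy key risk indicator: True once observed monthly
    availability (percent) has been below the contractual SLA target for
    `consecutive_months` months in a row. The threshold is a hypothetical
    policy choice, not one the report prescribes."""
    streak = 0
    for value in monthly_availability:
        streak = streak + 1 if value < sla_target else 0
        if streak >= consecutive_months:
            return True
    return False


if __name__ == "__main__":
    for fn, issues in concentration_findings(INVENTORY).items():
        print(fn, "->", issues or ["no single point of failure found"])
    print("lost if us-east-1 fails:",
          critical_functions_lost(INVENTORY, lost_zone=("cloud-a", "us-east", "us-east-1")))
    print("exit review:", exit_review_triggered([99.99, 99.90, 99.85], 99.95))
```

Note that two copies of fraud-scoring in the same zone add capacity but not resilience, which is exactly the distinction the availability-zone discussion draws.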
Multi-cloud strategies have also been suggested as a way of increasing FIs’ operational resiliency, by enabling them to move processes and data from one cloud provider to another in the event of a disruption. While “multi-cloud failover” may be possible in theory, it is likely to be difficult to implement in practice given the level of complexity as well as factors such as contractual commitments, licensing, and data portability. As a result, leading analysts recommend against such an approach for increasing operational resiliency.
Regarding multi-cloud, the recent US Treasury report refers to financial sector feedback that multi-cloud (called “multi-vendor, single use-case deployment” in the report) is too technically complex and that the resulting operational risk is too high. MAS also cautions FIs about the added complexity of operating in a multi-cloud environment.
PART III: REGULATORY FRAMEWORKS FOR MANAGING “CONCENTRATION RISK”
This section outlines the regulatory and supervisory frameworks intended to address potential concentration risks in the financial sector. The focus of this section is the U.S. regulatory framework; it then considers approaches taken outside the United States.
A. The U.S. regulatory framework
The regulatory and supervisory requirements governing the use of technology service providers by FIs in the United States differ based on the nature of the institution, its regulator, and the regulator’s statutory authority. U.S. banking institutions are regulated and supervised by the federal banking regulators—the Federal Reserve Board of Governors, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (the OCC). Participants in securities and derivatives markets are subject to the regulation and oversight of the Securities & Exchange Commission (the SEC) and the Commodity Futures Trading Commission (the CFTC).
All of these federal regulatory agencies, for example, require at least some FIs within their jurisdiction to notify them of changes to their relationships with third-party service providers. Banks are required by statute to notify the appropriate federal banking agency of the existence of the service relationship within thirty days of the start of the relationship. The federal banking agencies have implemented the notification requirement in different ways: the FDIC has developed a form for FDIC-supervised banks on which to report the information, while the OCC requires banks to maintain a current inventory of all outsourcing relationships that is available for examination upon OCC’s request.
Other financial regulators have implemented notification requirements through regulation. The SEC requires certain securities exchanges, trading platforms and self-regulatory organizations to report quarterly on completed, ongoing and planned material changes to their technological systems, including relationships with third-party service providers. And certain entities registered with the CFTC are required to inform the CFTC of planned changes to their automated systems that impact reliability, security, or capacity and risk analysis and oversight programs.
Direct oversight of technology outsourcing and third-party service providers
The federal banking agencies have statutory authority under the Bank Service Company Act (the BSCA) to subject services provided by technology service providers to regulation and examination to the same extent as if the services were performed by the bank itself. The federal banking agencies coordinate their supervision of banks and their technology service providers through the Federal Financial Institutions Examination Council (FFIEC), whose members include the three federal banking regulators as well as the National Credit Union Administration, the Consumer Financial Protection Bureau and representatives from state regulatory agencies. The FFIEC has published guidance on technology outsourcing by banks and supervision of technology service providers. Among other issues, the FFIEC’s guidance addresses concentration risks: an FFIEC statement on cloud security, for example, encourages each FI that plans to use cloud services to determine their “comfort with its dependence on … the cloud service provider.”
The federal banking agencies have also issued their own guidance for FIs’ management of risk, including concentration risk, associated with outsourcing to technology service providers. The Federal Reserve’s guidance on outsourcing risk, for example, directs FIs to consider the concentration risks that arise “when outsourced services or products are provided by a limited number of service providers or are concentrated in limited geographic locations.”
The federal banking agencies have also issued proposed guidance to FIs on managing risk associated with third-party relationships. This guidance calls on FIs to monitor and control micro-level concentration risks, including by conducting independent reviews that assess the adequacy of their processes for monitoring concentration risks “that may arise from relying on a single third party for multiple activities or from geographic concentrations of business.”
In addition to its policy-setting role, the FFIEC coordinates the supervisory program for the largest, systemically important technology service providers: significant service providers (SSPs), formerly multi-regional data processing services (MDPS) firms. Since 2014, the federal banking agencies have increased their scrutiny of these third-party service providers. A technology service provider is considered for the SSP/MDPS program when it processes “mission-critical” applications for a large number of financial institutions (1) that are regulated by more than one agency, thereby posing a high degree of systemic risk, or (2) from a number of data centers located in different geographic regions. Service companies in the SSP/MDPS program are deemed to pose a significant risk to the banking system if one or more has operational or financial problems or fails.
According to a report from the Inspector General of the Federal Reserve Board of Governors, there were fifteen firms with the MDPS designation as of 2017. The report documented numerous deficiencies in the banking agencies’ administration of the MDPS program, including a lack of knowledge about the universe of potential MDPS firms due to the agencies’ lack of enforcement of the BSCA’s notification requirement. According to the report, this failure to enforce has limited supervisory agencies’ knowledge as to which service providers banks use for various applications, mission-critical or otherwise.
Potential designation of cloud providers as “systemically important” or “critical” providers
Certain policymakers and academics have suggested that cloud providers with a large number of financial institution clients could be subjected to enhanced supervision as financial market utilities or a form of critical third-party service provider.
For example, the Dodd-Frank Act authorizes the Financial Stability Oversight Council (FSOC) to designate any person that manages or operates a multilateral system for transferring, clearing, or settling payments, securities, or other financial transactions among financial institutions as a “systemically important financial market utility” (SIFMU) if its failure or disruption could threaten the stability of the U.S. financial system by creating or increasing liquidity or credit risk. SIFMUs are subject to enhanced legal requirements and subjected to more exacting levels of supervision. Under this mandate, FSOC has designated eight companies operating as clearinghouses, exchange platforms, and custodians as SIFMUs. Advocates of designating major cloud providers as SIFMUs argue that they have “become an essential element of [the] modern banking system.”
Alternately, certain major cloud providers could be designated “critical third-party providers” subject to enhanced supervision by one or more financial market regulators to the extent they provide “critical” cloud services to FIs at sufficient scale that their failure or disruption could threaten the stability of the financial system. Such a regime would resemble the European Union’s Digital Operational Resilience Act discussed in the next section. The potential designation of major cloud providers as SIFMUs or critical third-party providers is analyzed in Part IV.
B. Regulatory frameworks in international jurisdictions
While the U.S. regulatory framework for managing and monitoring IT outsourcing risk in the financial sector largely predates the shift to cloud services, other jurisdictions have proposed or adopted updated frameworks that expressly contemplate the use of cloud services by financial institutions, including the concentration risks that such use might pose.
Financial institutions’ responsibility for managing concentration risk
Several jurisdictions have, like the United States, adopted regulatory frameworks that place the onus of assessing and managing the risk—including concentration risk—associated with an FI’s outsourcing on the FI. For example, outsourcing guidance published by the U.K.’s Prudential Regulation Authority directs regulated FIs to periodically assess and take reasonable steps to manage concentration and lock-in risks. Such risks can arise from multiple arrangements with the same service provider, from supply chain dependencies that cause FIs to rely indirectly (through multiple service providers) on the same subcontractor, and from concentration of dependencies in a single geographical location or jurisdiction.
Similarly, outsourcing guidance issued by the European Banking Authority (EBA) directs FIs to consider, as part of the pre-outsourcing risk assessment, concentration risks arising from outsourcing to a dominant service provider that is not easily substitutable or from multiple outsourcing arrangements with the same service provider. The European Securities and Markets Authority’s (ESMA) cloud-specific guidelines go even further: they direct regulated FIs to consider not just concentration risks within an individual FI, caused by multiple outsourcing arrangements with the same service provider, but also possible concentration within the broader European financial sector as a result of multiple FIs using the same service provider or a small group of service providers.
Outsourcing guidelines published by the Monetary Authority of Singapore (MAS) affirm that financial institutions that use cloud-based services are “ultimately responsible and accountable for maintaining oversight” and “managing the attendant risks” of adopting cloud services. This principle is echoed in detailed guidance on cloud adoption subsequently published by the MAS, which explicitly addresses “lock-in” and “concentration risk”. The cloud adoption guidance directs FIs to consider mitigating lock-in risks by adopting cloud portability or interoperability solutions and relying on open standards for data and software interfaces to facilitate redeployment of cloud workloads to on-premises or alternative cloud infrastructures. In the case of concentration risk mitigation, the cloud adoption guidance notes that FIs may consider implementing vendor diversity measures such as a “multi-cloud strategy”: the use of services from different cloud providers. However, it also cautions FIs about the added complexity of operating in a multi-cloud environment, such as having adequate resources and appropriate expertise in securing and managing the use of different public cloud services, especially in light of significant differences between cloud service providers.
Direct oversight of cloud providers – DORA
Until recently, most financial regulators lacked the authority to directly supervise technology service providers—including to monitor potential concentration risk. To address that lack of authority, several jurisdictions have proposed or adopted frameworks that would establish mechanisms for direct oversight of critical technology providers, including certain cloud providers, by financial regulators. In December 2022, the European Union formally adopted the Digital Operational Resilience Act (DORA). DORA is a comprehensive framework for digital operational resilience for financial entities in the E.U., with a significant portion devoted to managing third-party risk associated with the outsourcing of information and communication technologies (ICT).
The third-party risk provisions have two components: a set of key principles governing financial entities’ management of third-party ICT risk and a framework for financial supervisory agencies’ oversight of third-party ICT service providers designated as “critical”. Critical third-party service providers (CTPPs) are designated as such based on several criteria, including the potential systemic impact on the provision of financial services if the service provider were to experience a large-scale operational failure and the importance of the financial institutions that rely on the service provider. Although DORA’s CTPP provisions are not specifically limited to cloud service providers, they were intended to address potential risks—including concentration risks—arising from cloud adoption in the financial sector.
DORA establishes an E.U.-level oversight mechanism pursuant to which each CTPP would be subject to direct, ongoing oversight from one of the E.U. Supervisory Authorities (its “Lead Overseer”). This Lead Overseer is responsible for assessing the CTPP’s risk management framework with respect to its financial sector customers. To carry out these responsibilities, the Lead Overseer is vested with broad authority to request information and documents and to conduct investigations and inspections of the CTPP. DORA also empowers the Lead Overseer to issue specific, substantive recommendations to CTPPs. Of particular note, DORA gives the Lead Overseer the authority to make recommendations regarding the conditions and terms under which a CTPP provides services to FIs which the Lead Overseer deems relevant for preventing potential single points of failure and for minimizing the possible systemic impact of concentration risk arising from the use of technology service providers.
In addition to these powers, the Lead Overseer is authorized to impose a penalty on the CTPP—equal to one percent of the CTPP’s average daily worldwide turnover—if it does not comply with the Lead Overseer’s requests for information, exercise of its investigation and inspection powers, or requests for follow-up reports on its substantive recommendations. Finally, DORA would restrict the use of non-E.U. third-party service providers that would be designated as critical if established in the E.U.
Direct oversight of cloud providers – other proposals
Other jurisdictions have also considered or are considering proposals that would give financial regulators direct regulatory and supervisory oversight over technology service providers, including cloud providers. In South Korea, a reform plan published by the Financial Services Commission has served as the basis of proposed legislation that would subject “major outsourcing companies”—third-party service providers, including cloud providers, whose services have a material impact on the stability and reliability of electronic financial transactions—to direct supervision by Korean financial regulators. Under the proposed legislation, financial regulators would be able to request information from and conduct investigations of those “major” third-party service providers. Financial regulators would also be empowered to issue corrective orders based on their supervisory activities and to take additional enforcement measures against service providers if they fail to comply with those orders.
The United Kingdom is actively considering legislation that would give the Treasury direct regulatory oversight of “critical” third-party service providers, such as cloud providers, the failure or disruption of which could threaten the stability of the U.K.’s financial system. The impetus for the legislation was, in part, the view that financial regulators’ current powers are insufficient to tackle the systemic risk originating from “a concentration in the provision of critical services by one third party to multiple firms.”
The legislation would authorize the Treasury to designate, in consultation with financial regulators and “other persons as the Treasury considers appropriate”, certain third-party service providers as “critical”, giving financial regulators a range of powers with respect to services those critical third parties provide to the financial sector. Those powers would include the regulatory authority to make rules setting minimum resilience standards for critical third parties with respect to any services they provide to the U.K. financial sector and the supervisory power to assess whether those minimum resilience standards are met. Financial regulators would also be granted the power to direct critical third parties to take (or refrain from taking) specific actions, and enforcement powers ranging from the ability to publicize failings to the authority to restrict the provision of services by critical third parties to financial institutions.
PART IV: POLICY RECOMMENDATIONS
This section outlines several recommendations for policymakers intended to mitigate potential concentration risks associated with FIs’ transition to the cloud.
A. Focus on information gathering and sharing to monitor concentration risks
To monitor concentration risk, supervisory authorities must be able to determine which regulated FIs rely on which cloud providers and for which functions. Supervisory authorities should therefore enforce existing notification requirements that mandate reporting by FIs of outsourcing arrangements, including the use of cloud-based services. Supervisory authorities should also consider how FIs’ notification requirements can be tailored to make the reports more useful—for example, authorities can develop a standardized reporting format, or even a central registry, to enhance consistency and comparability of FIs’ reported information. These reports would enable supervisory authorities to develop a view of dependencies in the financial system, assess potential concentration risks, and respond effectively to disruptions.
Concentration risk can also be addressed through specific information gathering, information sharing and coordination among FIs, cloud providers, and supervisory authorities. Requirements that FIs and cloud providers share information on risk assessments, contingency plans and best practices for security and resiliency can help mitigate systemic risk by reducing uncertainty and improving collective learning by FIs and their supervisors. However, these efforts should recognize that the cloud service providers do not have visibility of their FI customer workloads.
Likewise, supervisory authorities should leverage existing forums for coordination on cyber risk and financial system resilience. In the United States, for example, the financial regulators, including the federal banking agencies, the SEC and the CFTC, have established information sharing protocols. In addition, FIs and federal and state regulators have established information sharing platforms to address issues of cybersecurity in the financial sectors. And the U.S. Treasury Department has sponsored a series of exercises, developed in collaboration with FIs and other government agencies, to prepare financial sector participants and regulators for various cyber incidents.
At the international level, the International Organization of Securities Commissions (IOSCO), the international coordinating body for securities regulators, and the Committee on Payments and Market Infrastructures (CPMI), which sets international standards for payments, clearing and settlements, have worked together to release cyber risk guidelines for financial market utilities. In addition to these standard-setting bodies, financial regulators can collaborate through the Financial Stability Board.
B. Clarify and tailor concentration risk guidance
Cloud adoption is clearly at a nascent stage in the financial sector, with only three percent of core systems, such as back-end processes and systems that manage customer interactions throughout the bank, having been migrated to the cloud. Therefore, even if the provision of cloud services to FIs were concentrated, the potential impact of cloud service providers on the financial system as a whole may be limited, since only a very small share of core systems rely on cloud services.
As cloud adoption by FIs increases, and FIs and their regulators continue to develop their understanding of the risks associated with the use of cloud services, supervisory authorities should clarify their guidance with respect to potential concentration risks. Regulators should recognize that, from a financial stability perspective, concentration risk is not invariably problematic. The potential risks of concentration must be weighed against the benefits of enhanced security and resilience, scale and quality achieved by major cloud providers.
Moreover, regulatory requirements and supervisory guidance should be tailored to specific risks, and must not adopt a one-size-fits-all approach. For example, the complexity and operational risk associated with a multi-cloud approach may render it an inappropriate solution for most FIs.
Clarify respective responsibilities of financial institutions and cloud providers
Part of clarifying guidance involves delineating the division of responsibilities between regulated FIs and cloud providers. As described above, major cloud providers adhere to a “shared responsibility” model for security and resilience. The shared responsibility model has several implications for concentration risk. Unlike a traditional on-premises vendor, a cloud provider will not have visibility into what sorts of workloads are being deployed on its infrastructure or how they are being used, which limits the information that cloud providers can directly provide to supervisory authorities.
C. The importance of cross-border coordination and solutions
A lack of consistent policies and regulations across jurisdictions makes it difficult for FIs and cloud providers to comply with concentration risk-related requirements and mitigation guidelines, and for supervisors in different jurisdictions to coordinate in the event of a disruption. In addition, direct oversight of cloud providers in each jurisdiction may be redundant. It is therefore important that regulators arrive at shared principles for monitoring and mitigating concentration risk resulting from cloud adoption in the financial sector, and work to coordinate responses to disruptions that affect FIs in different jurisdictions.
There are several existing forums and international bodies that can be leveraged to facilitate cross-border coordination and solutions, including the regular E.U.–U.S. Joint Financial Regulatory Forum, which brings together European and U.S. financial regulators, as well as the FSB, IOSCO and CPMI.
Financial regulators should also recognize the important role of cloud providers’ global and regional diversity in ensuring the resiliency of cloud services—mitigating the potential for a single point of failure. Cloud providers’ multi-jurisdictional infrastructure forms a critical part of the resiliency and availability advantage offered by cloud services. Financial regulators should weigh that benefit when considering rules governing data residency.
Data localization requirements that interfere with the ability of FIs to make use of that out-of-jurisdiction infrastructure can potentially affect resiliency—especially in smaller jurisdictions, where there is less (if any) in-jurisdiction infrastructure. Such requirements result in decisions about where to store data and run applications being driven by the regulatory requirements of individual cloud customers, instead of security or resiliency considerations. Data localization requirements can arguably increase concentration risk by limiting competition from cloud providers that do not have in-jurisdiction infrastructure, increasing reliance on a smaller set of cloud providers.
D. Ensure that regulatory tools and practices are fit for purpose
Most importantly, financial regulators should ensure that the regulatory tools and practices they utilize to monitor and mitigate potential concentration risks resulting from cloud adoption are fit for purpose. In the United States, for example, the possibility that cloud providers may become critical to the operations of the financial market has led to calls to designate certain major cloud providers as SIFMUs, or to designate them as “critical third-party providers” and hold them to similar standards.
However, the statutory criteria for SIFMU designation, as well as the regulatory requirements applicable to SIFMUs, all focus on financial risk, such as liquidity and credit risk, posed by a SIFMU’s operations or failure. In contrast, the potential risks that cloud providers may pose to the financial sector are not financial in nature. Cloud service providers serve a technical, not financial, role in the financial services sector. Regulators should not use tools developed to address systemic financial risks to address the risks that a potential operational disruption at a cloud service provider may pose to the financial system.
Given financial regulators’ current mandate, resourcing levels and expertise, it is important that their priority remain FIs’ usage of cloud services, not the broader usage of cloud services outside of the financial sector. Working with FIs and cloud service providers—and with one another—financial regulators can assess how cloud services are changing how FIs use technology and understand the benefits and risks of cloud adoption.