Cloud Adoption in the Financial Sector and Concentration Risk

Financial institutions (FIs) have historically relied on their own IT infrastructure, which was typically managed internally and by third-party technology companies. To better manage increasing IT demands, such as those associated with digital delivery channels including mobile and internet services, FIs are transitioning from this on-premises IT infrastructure model to the use of cloud-based services offered by individual cloud service providers to many different customers at scale.

Cloud computing can refer to any use of computing resources over a network, such as the internet, in a manner that is scalable with demand. Cloud-based services can be divided into three basic types, based on the nature of computing resources that the cus-tomer uses: infrastructure, platform, and software services.

When a FI uses computational infrastructure, such as servers, storage capacity or net-working, cloud providers control the underlying infrastructure and orchestration while the FI defines and manages a significant part of the virtual infrastructure using these services, including the operating systems and the applications that run on that infrastructure. At the other end of the spectrum, FIs can run software developed and controlled by a cloud service provider on remote servers. A FI can also use platform services to develop and use software on hosting and development infrastructure offered by a cloud service pro-vider. Platform services offer more structure than more bare-bones infrastructure services but more flexibility than provider-developed and -controlled software services. Figure 1 illustrates the three types of cloud-based services.

These different types of cloud services can be layered on top of each other. For example, fintech startups that offer cloud-based software services often build those services using the infrastructure or platform services of a major cloud provider, rather than using their own computing infrastructure.

An FI’s choice of cloud services is shaped by its needs, technical capabilities and staff knowledge and skill. For example, FIs with more in-house technical expertise, whether large banks or small fintech startups, may use infrastructure resources to build entirely new applications. FIs with less technical expertise may choose to use the cloud to run software developed by third-party solutions providers, which is easier to deploy and operate.

The decision to move from traditional on-premises IT infrastructure to the cloud is often driven by the lower costs and increased efficiency of cloud services. Cloud services are also more agile than traditional IT infrastructure, an aspect highlighted by the COVID-19 pandemic. Still, FIs must evaluate potential technological and operational challenges when considering cloud adoption.

Reasons for cloud adoption

To ensure their smooth operation on traditional on-premises IT infrastructure, FIs often need to maintain IT resources—and the human and organizational resources necessary to manage them—at a level that exceeds their everyday needs. This excess capacity is necessary to support FIs’ highest projected volume requirements, even if that capacity is rarely used. Cloud technology can minimize the need for this kind of costly over-provisioning by allowing FIs to benefit from the economies of scale inherent in sharing a cloud provider’s computing resources across its many customers. FIs can quickly scale up in an automated manner when additional resources are needed and scale down when demand subsides.

By making computing resources available on demand to customers who pay only for what they actually use, the cloud turns large, up-front capital expenditures into variable operational costs that depend on actual usage. For FIs, this translates to lower costs for pur-chasing, support and maintenance of IT infrastructure. It also makes FIs more technologically agile: they can test new scenarios, software tools and alternative configurations without a lengthy purchasing and provisioning process. Deploying a server on the cloud can take as little as a few minutes, as opposed to the up to nine weeks it can take to deploy a server in a traditional proprietary data center.

The increased agility made possible by cloud services was on display during the Covid-19 pandemic. The pandemic caused an abrupt transition to a remote workplace environment for corporate employees. FIs were forced to rapidly expand their reliance on cloud-based services, especially collaboration tools, to support their remote workforce. The onset of the pandemic also forced FIs to offer remote services to clients, instead of in-person options like bank branches. Many FIs used cloud-based tools like virtual desktops to maintain service levels in a remote environment.

Other factors affecting cloud adoption

Other considerations have also affected cloud adoption in the financial sector. Some of these considerations are institutional: generally, FIs tend to be largely conservative organizations and can therefore be reluctant to deploy new technologies. Deployment-related challenges are another factor in impeding cloud adoption; FIs can have difficulty integrating their legacy infrastructure with newer cloud resources. As a result, many FIs initiate their cloud adoption with newer or novel workloads and applications, rather than moving older legacy applications to the cloud.

Regulatory considerations also factor into financial firms’ decisions regarding cloud adoption. As described in Part III, while some financial regulations and guidance have been updated—or are in the process of being updated to explicitly address cloud adoption, regulatory uncertainty persists. In addition, for FIs that operate across different jurisdic-tions, inconsistent cross-border requirements and data localization restrictions can limit the benefits of cloud adoption by making it more difficult to leverage the distributed nature of cloud services and enable greater operational resilience.

In addition to the efficiency and agility benefits that are driving the shift to cloud services, FIs that have made the move to the cloud find that it offers additional benefits. Cloud adoption also offers potential benefits for the broader financial sector. At the same time, cloud adoption also gives rise to potential risks.

Benefits of cloud adoption

Cloud services can be more secure than traditional IT platforms. While some FIs—especially larger, more sophisticated ones—are able to devote significant financial and per-sonnel resources to security, smaller FIs may not. The major cloud providers, by contrast, tend to be at the forefront of security research and implementation, enabling the faster discovery and mitigation of security vulnerabilities, which benefits FI customers of all sizes. Major cloud providers’ infrastructures are also generally built to support stringent security requirements and protocols—although it is ultimately up to individual FIs to make use of those tools.

Since the cloud infrastructure of major cloud providers is widely distributed, with hundreds of data centers located across the globe, the cloud can also enable greater resiliency in the financial sector. FIs can distribute processes and data across a cloud provider’s different data centers, allowing them to build applications that can be online even if a particular data center or region experiences a disruption. Likewise, the scalability of cloud services allows FIs to handle unexpected capacity requirements, whether due to an unanticipated surge in trading activity or a malicious cyberattack, in ways that they would not otherwise be able to if relying solely on their own IT infrastructure.2

Another benefit of the increased computing resources and scalability of the cloud is the ability to build analytic tools that can be leveraged by FIs and regulators to better understand and manage operational risks in the financial system. In addition, the cloud can benefit the financial sector by creating a more level playing field between FIs of different sizes. The lower up-front costs of cloud services allow small-and medium-sized FIs, as well as fintech startups, access to computing resources that previously would have been available only to larger FIs.

Risks related to cloud adoption

Many of the risks related to cloud adoption are also associated with traditional IT infrastructure. The use of cloud services, for example, does not entirely eliminate the need for capacity planning with respect to computing resources. It just delegates the underlying infrastructure-related capacity planning decisions to cloud providers, who must predict aggregated demand for resources across all of their customers to meet their needs.

Nor does cloud adoption eliminate the potential for unauthorized access to an FI’s data or processes. Most cloud service providers run on a shared responsibility model. The cloud service provider leaves certain customer environment specific configurations to the customers that, if poorly managed, can lead to security risks. In a cloud environment, customers remain at risk, for example, of overly permissive access controls or mismanagement of encryption keys. These risk would exist whether these credentials were stored on-premises or in the cloud.

Multi-tenancy—the ability of multiple customers to share the same infrastructure—is a critical feature of cloud services. However, it is not unique to the cloud; it has existed in hosted applications and other traditional IT configurations that predate cloud computing. Some cybersecurity analysts have raised concerns that customers using shared infrastructure resources in the cloud might expose their data or processes to unauthorized parties. Such exposure may result from the exploitation of vulnerabilities associated with the hypervisor (the software program which manages the virtual machines that make up the cloud). However, such risks may be mitigated in the cloud through the use of a dedicated host (a physical server that is dedicated for a customer use) instead of multi-tenant servers. 

The relationship between FIs and their cloud service providers can result in operational risks, which are also similar to those that arise in connection with traditional IT outsourcing. In any relationship with a third-party vendor, FIs must manage the risks associated with subcontracting by the vendor. Likewise, in any relationship with an IT service provider, FIs can be exposed to a degree of “lock-in” risk. Lock-in can arise out of an FI’s legal obligations, for example, where its agreement with a cloud services provider includes exclusivity terms. Even in the absence of any such exclusivity requirements, an FI can become excessively dependent on a particular service provider.

The on-demand nature and scale of cloud services allows them to be provided to more customers in a more automated manner than traditional technology platforms, potentially increasing the concentration of FIs using a particular cloud provider. Reliance by FIs on a small number of cloud providers or services could theoretically result in the emergence of new dependencies at both the firm level and in the financial system as a whole. The risks arising out of these potential dependencies, are addressed in more detail in Part III.

The move toward cloud services in the financial sector was already well underway prior to the onset of the COVID-19 pandemic. According to one industry survey, as of 2021 more than 90 percent of responding banks had adopted cloud for at least some work-loads. Another survey, taken during the first months of the pandemic, reported that a third of all IT spending at banks was allocated to public cloud, up from less than 20 percent in 2018. As noted above, the pandemic accelerated the demand for cloud services in the financial sector.

Nevertheless, cloud adoption in the financial sector is varied and, for many FIs, still in its early stages. Some FIs have retired their on-premises IT architecture and gone “all-in” on cloud adoption. Other FIs have moved certain operations, especially enterprise applications such as human resources and collaboration tools, to the cloud. However, critical operations—those involved in processing transactions, updating accounts, and reconciling ledgers—are still largely conducted using legacy IT systems. A post-pandemic sur-vey of over 100 global banks reported that North American banks had migrated just 12 percent—and European banks just five percent—of their total workloads to the cloud. For “core” workloads—defined as workloads related to core systems, such as back-end process and systems that manage customer interactions throughout the bank—the percent-age of workloads that had been migrated to the cloud by the responding banks stood at a paltry three percent.

Although there is no agreed-upon definition of concentration risk, it can be thought of as including any “probability of loss arising from a lack of diversification.” As a result, there is no single source of concentration risk in connection with the use of technology service providers. Rather, the lack of diversification that results from technology outsourcing can arise in a number of different ways and at several different levels. These different types of concentration risk are outlined below.

FI-specific concentration risk

Concentration risk can potentially arise at the “micro” level—at the level of an individual institution—if an FI becomes so dependent on a particular infrastructure or technology service provider that a disruption affecting that infrastructure or provider impairs the FI’s ongoing functioning (see Figure 2). This risk is exacerbated by “vendor lock-in”, where an FI must rely on an individual provider, even in the event of failure, because it has no reasonable alternatives or substitute.

Although it arises at the level of an individual FI, this kind of concentration risk can have consequences for the broader financial system. The financial system depends on a few key institutions and utilities. If one of those institutions or utilities becomes dependent on a particular vendor, a disruption that affects the availability or integrity of that provider could have negative consequences for the financial system.

Systemic concentration risk

Another type of concentration risk—“macro” concentration risk—could theoretically arise in connection with the use by many FIs of the same third-party technology service provider (see Figure 3). In this situation, the failure of that service provider may adversely impact a significant portion of the financial sector. That failure could result from a major technological disruption—for example, if a disruption at one technology service provider simultaneously affects data or systems at many FIs. It could also result from a large-scale non-technological disruption at the service provider, such as financial distress. 

Concentration risk without a single provider

Industry-wide concentration risk may also result when multiple FIs adopt similar techno-logical models, leaving them vulnerable to similar disruptions even if they do not all use the same provider. From approximately 2014 to 2018, for example, state-sponsored hackers embarked on a campaign of cyber theft from dozens of companies, including large FIs. They were able to compromise these companies by targeting their “managed service providers”: third-party providers that are responsible for the remote management of their customers’ IT infrastructure and the overlaying applications and tools. Notably, not all of the affected companies used the same managed service provider. Rather the hackers gained access to several of these providers’ systems by sending phishing emails that delivered malware to the providers, which then infiltrated their clients’ networks.

Moreover, the nature of concentration risk that results from technology outsourcing will be contextual, depending on factors such as the jurisdiction in which FIs and their service providers are located. FIs in one jurisdiction may face concentration risk in connection with their reliance on technology service providers in another jurisdiction—even if they do not depend exclusively on a single service provider in that jurisdiction. They may face the possibility, for example, that authorities in the service providers’ jurisdiction may sanction or restrict the provision of services to clients in their own jurisdiction.

Another important question is whether and how the concentration risks described above affect the financial system as a whole. The financial system has proven operationally resilient: disruptions resulting from the failure of a technology service provider can occur, even at great financial cost, without triggering a systemic crisis. In 2022, for example, a major outage shut down the business and consumer network services provided by a leading Canadian telecommunications company for almost an entire day. The outage, which cost the Canadian economy an estimated $142 million across all sectors, shut down ATMs and electronic payment services for several large banks. Once the outage was resolved, those banks suffered no lasting impact.

The potential impact of technological failure on the financial system

Historically, financial crises have been triggered by short-term creditors withdrawing their money from the financial system simultaneously, leading to a loss of liquidity and even failure of certain FIs. These short-term creditors are typically motivated by a loss of confidence in the solvency or liquidity of one or more FIs. Specifically, they fear that will not obtain the full value of their deposit unless they immediately withdraw from the FIs. The disruption of an FI’s data or systems would only contribute to such a run if it raised doubts about its underlying financial health or stability.

How would the impact of technological failure change because of increased con-centration risk?

In theory, concentration risk could increase the likelihood that a technological or operational failure has a systemic impact to an FI. The failure of a third-party provider could impair an FI’s operations, leaving it unable to meet its payment obligations. For example, the failure in 2012 of batch scheduling software at UK’s NatWest RBS banking group disrupted many of its basic banking operations, leaving millions of customers unable to access their accounts for several days. The failure of a bank to meet its payment obligations could potentially lead to liquidity scarcity in the financial system. Importantly, however, a failure of this sort will not necessarily have broader consequences to the financial sector: the NatWest outage was resolved without any larger systemwide fallout. 

The systemic risk posed by technological failure is potentially greater if multiple FIs rely on a single technology service provider. A failure at that provider might impair multiple FIs simultaneously, which under certain condition could cause a broader impact to the financial system. For example, the Federal Reserve suffered a widespread disruption in multiple payment services in February 2021, which included the Fedwire system that FIs rely on to transfer trillions of dollars each day. The disruption, which was attributed to operational error, lasted for several hours. Again, however, the disruption did not have any long-term systemic consequences.

The cloud’s model, which leverages the economies of scale associated with sharing computing resources, may also result in many FIs depending on a small number of providers. According to a Bank of England survey, for instance, most banks and insurers rely on just two providers for cloud-based infrastructure services. A disruption that compromises the security of data at a cloud-based service provider, or impairs the availability or integrity of data or systems at a cloud provider, could in theory affect the operations of many FIs at the same time. Periodic disruptions at major cloud providers, for example, have temporarily disrupted the operations of their clients, including FIs. In December 2021, a service disruption at a major cloud provider caused widespread but transient disruptions at many (mostly non-financial) companies.

Another potential source of concentration risk in the cloud relates to certain common linchpin technologies on which cloud deployments rely. These technologies are critical systems, like routing, identity access management and virtualization, that support the secure and continued operation of the cloud network. The failure or disruption of a linchpin technology can have significant consequences for cloud providers and the users that depend on them. In March 2021, a failed update to an authentication system relying on an identity and access management (IAM) component caused a nearly global outage at a major cloud provider.

Concentration risk – not unique to cloud

As the prior discussion illustrates, however, technology or operational failures—even those that arise in connection with dependency on particular technological infrastructure or an individual service provider—are not new to the financial system. Lock-in risk, for example, is not unique to the cloud. FIs that contract with third-party service providers to build and maintain on-premises data centers, for instance, tend to enter into long-term contracts that can make switching providers difficult and economically costly. And a failure at an FI’s managed, on-premises databases can knock out critical systems, like payments and other transactions.

Likewise, the reliance of many FIs on common technologies is not a novel feature of cloud adoption. Even when using traditional, bespoke IT infrastructures, FIs have historically become reliant on common products and services, ranging from semiconductors to soft-ware to managed databases, that were produced or provided by a small number of third-party providers. A vulnerability associated with one of these common products and services can give rise to the same sort of concentration risk that characterizes the common use of a cloud provider.

Moreover, while cloud adoption may give rise to concentration risks, it is not necessarily the case that such risks could be avoided if FIs were to rely or continue to rely on traditional IT infrastructure instead. The demands of FIs’ customers and employees place increased emphasis on interconnectivity as a defining feature of their technology infrastructure. As FIs provide more internet and mobile access to external clients, as well as more flexibility for their internal workforce, they will become increasingly reliant on tools that manage that interconnectivity, whether they use on-premises or cloud infrastructure. The use of common product and services to manage the technological interconnectivity can add to concentration risk. Thus, the critical question is not how to eliminate concentration risk, but how to manage or mitigate it. 

FIs and cloud providers currently take several measures to mitigate concentration risk that arises in connection with cloud adoption. This subsection outlines different steps that cloud providers and FIs can and do take to limit their exposure to concentration risk. In order to understand the different measures that can be taken by FIs and cloud providers to mitigate concentration risk, it is important to first explain the “shared responsibility” model developed by cloud providers to allocate responsibility for different aspects of cloud security and resiliency.

The “shared responsibility” model

Generally, large cloud providers rely on a “shared responsibility” model of cloud security and resiliency that defines the responsibilities of cloud providers and their customers for various aspects of the cloud environment. Although the particular shared responsibility models formulated by the major cloud providers have some differences, they share the same basic approach: cloud providers are responsible for the security and resiliency of the tools that they build (security and resiliency “of” the cloud), while users are responsible for how they use those tools (security and resiliency “in” the cloud).

In practice, that means that cloud providers operate, manage and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The FI customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the environment and security. The shared responsibility model enables FIs to decide where they put their data, as a way to mitigate determining their own political or regulatory or risk. This shared responsibility model for the IT environment also extends to IT controls and security.

Under the shared responsibility model, cloud providers and users never share responsibility for the same aspect of cloud security or resiliency. A user’s areas of responsibility are specific to their own environment and configuration, and cloud providers have little insight or control over how users operate in those areas. By the same token, users do not dictate how cloud providers secure their portion of the cloud. The shared responsibility model can help shed light on how cloud providers and FIs limit their exposure to concentration risk. 

Measures taken by cloud providers

The major cloud providers take several measures to mitigate the possibility of any single point of failure in their own infrastructure. Two key elements of their strategy are spread-ing infrastructure across different “availability zones” and regions.

Availability zones are physically separate locations within a specific region that are iso-lated from each other using redundant networking, connectivity, and power. By compartmentalizing their own infrastructure and services into redundant, isolated availability zones, major cloud providers reduce the impact that a failure at one location will have on the capacity and availability of their services. If one availability zone is affected, the cloud provider’s services, capacity and availability can be supported by remaining availability zones. FIs, or third parties that offer cloud-based services to FIs, can design and operate their cloud-based applications to run synchronously across availability zones without interruption.

In addition to the use of availability zones, which are located in the same region, major cloud providers also locate data centers in different regions, which provides even greater physical isolation from one region to another. This geographic diversity ensures that even major physical catastrophes, like flooding and earthquakes, can be weathered by cloud users without significant disruption. For critical functions that require high levels of avail-ability and resiliency, FIs can take advantage of a cloud provider’s distributed regional architecture to ensure that applications or data are consistently available by configuring those functions so that they are spread across the cloud provider’s different regions.

Measures taken by financial institutions

FIs also take different approaches to mitigating the risk of disruption and ensure business continuity. As noted above, FIs can distribute processes and data across a cloud provider’s different availability zones or regions, allowing them to build applications that can be online even if a particular data center or region experiences a disruption.

To protect themselves against lock-in, FIs should consider what impediments may exist which limit their ability to move applications and data off of a cloud provider’s infrastructure without unreasonable cost or difficulty. This needs to be considered at both the level of an individual application or workload, as well as the overall relationship with a cloud provider. In general, major cloud providers offer the functionality necessary to move applications and data from one cloud provider to another, or to an on-premises environment at the discretion of the FI. However, factors such as contractual terms, commercial commitments, or the lack of comparable services or features at an alternative provider, may increase the switching cost – expense, time, and effort – of moving between providers. Increasingly, FIs are developing “exit strategies,” which outline the different impediments that exist to seamlessly moving applications and data off of a particular cloud service provider, and the steps they will take – both proactive and reactive – to mitigate the impact of those impediments should the FI choose or need to migrate away from the cloud provider. One example of a proactive measure is mandating the use of open-source and open standards to avoid getting locked-in to a particular vendor’s proprietary format. The exit strategy also typically defines how the FI will monitor certain key risk indicators (e.g., performance against service level agreements, their commercial relationship with the cloud provider, reputational risks) and what might trigger the FI to initiate the exit plan for moving applications or data off of the cloud provider.

Another strategy that some FIs have employed to mitigate concentration risk is the use of hybrid cloud—migrating applications suited for the cloud while keeping other components in on-premises data centers—so that on-premises infrastructure is used for critical infrastructure or as backup in the event of disruption. Other FIs take a multi-cloud approach, using different cloud providers for different types of workloads, or architecting workloads to be portable between cloud platforms (e.g., through the use of containers). However, the use of a multi-cloud strategy is not without its challenges. To implement a multi-cloud configuration, an FI must build (or rely on another third party to build) a solution for managing applications and data in multiple clouds. This does not eliminate risk; it just transfers it from an individual cloud provider to the FI or a different third-party pro-vider. The use of multiple cloud providers also requires an FI to train staff and implement controls for different cloud environments. A multi-cloud strategy can also potentially introduce additional points of failure that need to be continuously managed and tested to ensure they work when needed (e.g., in the event of an outage). An unintended consequence of a multi-cloud strategy is the standardization on the “lowest common denominator” of capabilities across different clouds, resulting in less-than-optimal cloud usage.

Multi-cloud strategies have also been suggested as a way of increasing FIs’ operational resiliency, by enabling them to move processes and data from one cloud provider to another in the event of a disruption. While “multi-cloud failover” may be possible in theory, it is likely to be difficult to implement in practice given the level of complexity as well as factors such as contractual commitments, licensing, and data portability. As a result, leading analysts recommend against such an approach for increasing operational resiliency.

Regarding multi-cloud, the recent US Treasury report refers to the financial sector feed-back that multi-cloud (called ‘multi-vendor, single use-case deployment in the report), is too technically complex and resulting operational risk was too high. MAS also caution FIs about the added complexity of operating in a multi-cloud environment.

Cloud adoption is clearly at a nascent stage in the financial sector with only three percent of core systems, such as bank-end process and systems that manage customer interactions throughout the bank having been migrated to the cloud. Therefore, even if the provision of cloud service providers to FIs were concentrated, the potential impact of cloud service providers on the financial system as a whole may be limited, since only a very small share of core systems rely on cloud services.

As cloud adoption by FIs increases, and FIs and their regulators continue to develop their understanding of the risks associated with the use of cloud services, supervisory authorities should clarify their guidance with respect to potential concentration risks. Regulators should recognize that, from a financial stability perspective, concentration risk is not invariably problematic. The potential risks of concentration must be weighed against the benefits of enhanced security and resilience, scale and quality achieved by major cloud providers.

Moreover, regulatory requirements and supervisory guidance should be tailored to specific risks, and must not adopt a one-size-fits-all approach. For example, the complexity and operational risk associated with a multi-cloud approach may render it an inappropriate solution for most FIs.

Clarify respective responsibilities of financial institutions and cloud providers

Part of clarifying guidance involves delineating the division of responsibilities between regulated FIs and cloud providers. As described above, major cloud providers adhere to a “shared responsibility” model for security and resilience. The shared responsibility model has several implications for concentration risk. Unlike a traditional on-premises vendor, a cloud provider will not have visibility into what sorts of workloads are being deployed on its infrastructure and its usage that limits the information that cloud providers can directly provide to supervisory authorities.

A lack of consistent policies and regulations across jurisdictions makes it difficult for FIs and cloud providers to comply with concentration risk-related requirements and mitigation guidelines, and for supervisors in different jurisdictions to coordinate in the event of a disruption. In addition, direct oversight of cloud providers in each jurisdiction may be redundant. It is therefore important that regulators arrive at shared principles for monitoring and mitigating concentration risk resulting from cloud adoption in the financial sector, and work to coordinate responses to disruptions that affect FIs in different jurisdictions.

There are several existing forums and international bodies that can be leveraged to facilitate cross-border coordination and solutions, including the regular E.U.–U.S. Joint Finan-cial Regulatory Forum, which brings together European and U.S. financial regulators, as well as the FSB, IOSCO and CPMI.

Financial regulators should also recognize the important role of cloud providers’ global and regional diversity in ensuring the resiliency of cloud services—mitigating the potential for a single point of failure. Cloud providers’ multi-jurisdictional infrastructure forms a critical part of the resiliency and availability advantage offered by cloud services. Financial regulators should weigh that benefit when considering rules governing data residency.

Data localization requirements that interfere with the ability of FIs to make use of that out-of-jurisdiction infrastructure can potentially affect resiliency—especially in smaller jurisdictions, where there is less (if any) in-jurisdiction infrastructure. Such requirements result in decisions about where to store data and run applications being driven by the regulatory requirements of individual cloud customers, instead of security or resiliency considerations. Data localization requirements can arguably increase concentration risk by limiting competition from cloud providers that do not have in-jurisdiction infrastructure, increasing reliance on a smaller set of cloud providers.

Most importantly, financial regulators should ensure that the regulatory tools and prac-tices they utilize to monitor and mitigate potential concentration risks resulting from cloud adoption are fit for purpose. In the United States, for example, the possibility that cloud providers may become critical to the operations of the financial market has led to calls to designate certain major cloud providers as SIFMUs, or to designate them as “critical third-party providers” and hold them to similar standards.

However, the statutory criteria for SIFMU designation, as well as the regulatory require-ments applicable to SIFMUs, all focus on financial risk, such as liquidity and credit risk, posed by a SIFMU’s operations or failure. In contrast, the potential risks that cloud providers may pose to the financial sector are not financial in nature. Cloud service providers serve a technical, not financial, role in the financial services sector. Regulators should not use tools developed to address systemic financial risks to address the risks that a potential operational disruption at a cloud service provider may pose to the financial system.

Given financial regulators’ current mandate, resourcing levels and expertise, it is important that their priority remain FIs’ usage of cloud services, not the broader usage of cloud services outside of the financial sector. Working with FIs and cloud service provid-ers—and with one another— financial regulators can assess how cloud services are changing how FIs use technology and understand the benefits and risks of cloud adoption.