New rules will be needed to deal with operational risks from banks relying on outsourced ‘cloud’ computing from Amazon, Google, Microsoft and others for providing services to customers, the Bank of England said.
“Regulated firms will continue to have primary responsibility for managing risks stemming from their outsourcing and third-party dependencies,” the BoE’s Financial Policy Committee said in a statement.
“However, additional policy measures, some requiring legislative change, are likely to be needed to mitigate the financial stability risks stemming from concentration in the provision of some third-party services.”
Measures should include an ability to designate some third parties as ‘critical’, meaning they would be required to meet ‘resilience’ standards which would be regularly tested.
The BoE and the Financial Conduct Authority are due to publish a discussion paper on the subject next year, it said. The measures are similar to those in a European Union law now making its way through the approval process.
“These tests and sector exercises of critical third parties could potentially be carried out in collaboration with overseas financial regulators and other relevant UK authorities,” the BoE said.
The BoE had already sounded a note of caution about the cloud and is now checking banks for their “exit strategy”, or how quickly they could switch to an alternative cloud provider or in-house back up if there is a cloud outage to avoid disruption to customers, consultants KPMG said.
This has already led to banks thinking harder about the business case for the cloud in some services, and whether it would get the green light from regulators.
“Trying to replicate this service on premises or a different cloud actually doubles your cost,” said Mark Corns, a director for technology consulting at KPMG.
Banks who moved early into the cloud are having to “retrofit” resilience requirements, Corns said.
“What we are seeing is a much more tentative approach to what goes into the cloud. Now we’ve got this clearer guidance from the regulators, what it’s doing is challenging the banks to figure out what and how they gain the benefit,” Corns said.