Bank of England hints at new measures to deal with cloud computing risks in the financial sector

Over recent years, financial services have been increasingly moving to the cloud, with institutions slowly migrating away from existing legacy systems and on-premise software solutions. It is easy to see why this transition is taking place; as the Bank of England notes, cloud services offer “speed, security and flexibility,”[1] allowing institutions to access new digital technologies, gain customer insights through advanced data analytics and operate more efficiently by reducing initial investment cost. The recent shift towards remote working has also forced many banks to turn to cloud technology to keep internal operations running smoothly.

Despite these benefits, there are concerns that institutions may become over-reliant on cloud service providers to support key banking functions, particularly as the market for major cloud providers is dominated by a handful of tech firms that sit outside of the banking regulatory perimeter. As the Prudential Regulation Authority’s recent Supervisory Statement[2] (PRA SS) highlights, “the failure of, or a prolonged significant disruption at, a critical third party could have adverse consequences on the safety and soundness of multiple firms and, potentially, on financial stability.” Regulators are therefore keen to ensure appropriate oversight, measures and controls are in place to mitigate such concentration risk.

In light of these concerns, the Bank of England’s Financial Policy Committee (FPC) released a statement[3] earlier this month offering an insight into its potential future plans. Whilst it reiterated that “regulated firms will continue to have primary responsibility for managing risks stemming from their outsourcing and third-party dependencies,” it also confirmed that additional policy measures will need to be introduced. These policy measures will include (i) an appropriate framework to designate certain third-party service providers as critical; (ii) resilience standards; and (iii) resilience testing, and will be in addition to the obligations already set out under the PRA SS and the EBA Guidelines on Outsourcing. It is also expected that these measures will closely align with those being proposed by the European Commission as part of the Digital Operational Resilience Act (DORA), which falls under its wider Digital Finance Package. The significance of DORA is that once launched, it will single out cloud providers and subject them to financial oversight from one of the three European Supervisory Authorities: the European Securities and Markets Authority, the European Banking Authority, and the European Insurance and Occupational Pensions Authority. See our article on this topic for further details.

How can we help?

Currently this is only an initial statement from the FPC. The next step will be for the Bank of England, PRA and Financial Conduct Authority to publish a joint Discussion Paper on these issues, which is due to be published next year.

We will monitor the developments and prepare client alerts – for updates, follow us on LinkedIn.

If you would like to read Bird & Bird’s previous alerts, please check out our FinTech In Focus webpage here.

[1] How reliant are banks and insurers on cloud outsourcing? | Bank of England

[2] SS2/21 Outsourcing and third party risk management | Bank of England

[3] Financial Stability in Focus: The corporate sector and UK financial stability | Bank of England
