On 8 June 2022, the Treasury released a policy statement on new regulation to address the increasing reliance of the UK finance sector on a small pool third parties tech vendors for key functions and services, such as cloud-based computing services. Put simply, Treasury’s concern is if many firms rely on the same third party, the failure or disruption of this ‘critical’ third party could threaten the stability of, or confidence in, the financial system of the United Kingdom.
Back in 2020, the Bank of England surveyed the 30 largest banks and 27 largest insurance companies. The survey demonstrated just how quickly and extensively the UK financial sector has become cloud-based.
First, banks in particular had embraced the cloud with gusto, with an average of over 60 applications per surveyed bank - mostly as Software as a Service (SaaS) and some Infrastructure as a Service (IaaS).
Second, banks and insurance companies used cloud-based services right across their business activities, although interestingly banks mainly used cloud services in the ‘back office’ while insurance companies were more prepared to use cloud services in customer management.
Third, and most striking given the extent to which banks and insurance companies have become cloud-based businesses, the market for the provision of cloud based services is “is already highly concentrated.” Over 65% of UK firms used the same four providers for cloud infrastructure services. But even more striking, the top two providers dominate:
The UK Treasury considers that the current regulatory powers over the banks and insurance companies themselves are insufficient to tackle this ‘systemic risk’. The existing regulation was built in a world in which a financial firm owned and operated its own technology platforms or used traditional outsourcing arrangements, with such relationships also subject to stringent oversight. However, as the UK Treasury explained, in a cloud environment banks and insurers are in a ‘one to many’ relationship with the cloud provider, this creates a system-wide single point of failure in the cloud provider and even the most august and powerful financial institutions may not have much leverage:
“…no single firm can manage risks originating from a concentration in the provision of critical services by one third party to multiple firms – for example, if these services cannot be easily restored or substituted promptly and without undue costs and risks in the event of the third party’s failure or disruption. There may also be significant information and power asymmetries between certain third parties and firms, which may prevent firms from obtaining adequate assurances that their contractual arrangements achieve an appropriate level of operational resilience.”
The UK Treasury’s solution is to expand the authority of financial regulators ‘upstream’ so that they can set minimum performance and resilience standards. Accordingly, the UK Treasury proposes new powers to designate third party service providers as ‘critical’, in consultation with the financial regulators and other bodies. The regulators will then have a variety of powers at their disposal in respect of these critical third parties, including:
- making rules in relation to services provided: this includes setting minimum resilience standards in respect of any material services provided to the UK finance sector and requiring critical third parties to participate in a range of targeted resilience testing.
- gathering relevant information: this includes requesting information from critical third parties on the resilience of their material services or compliance with applicable requirements, commissioning an independent ‘skilled person’ to report on services provided, appointing an investigator to look into potential breaches, interviewing representatives of critical third parties and requiring the production of documents, and even raiding the offices of critical third parties.
- taking formal action (including enforcement): this includes directing critical third parties to take or refrain from specific actions, publicising their failings, and (as a last resort) prohibiting critical third parties from providing future services or continuing to provide current services.
No timeframe has been provided for introducing this new regime, however the policy paper says the Government intends to legislate when parliamentary time allows. Following the introduction of legislation, the UK financial regulators will publish a joint Discussion Paper, which will detail how the powers granted might be exercised. After this, the financial regulators will seek industry views on the ‘most effective and proportionate way’ to exercise these powers.
At least one of the targets of this regulation appears receptive, at least in principle. An Amazon spokesperson released a statement saying the company supports the objectives of increasing the financial stability and market confidence in the UK financial sector and it believes well-architected cloud environments have an important role to play in supporting the resiliency, security and stability of the financial system.
This approach has interesting parallels to the UK’s approach to competition law regulation of digital platforms. New legislation will enable designation of a powerful digital platform as having Strategic Market Status, which then opens up the potential for special regulation of the provider.