The Bank of England called a notice to the increasing usage of public cloud services in a report concentrating on financial stability in the UK over the past several months and expressed worries about those services being provided by only a few large corporations that dominate the market.
According to the Bank of England, outsourcing vital banking data and services to a limited number of cloud service providers (CSPs) gives those providers the power to demand their terms, possibly jeopardizing the financial system's stability.
"As regulators and individuals concerned with financial stability, we need to gain additional assurance that (CSPs) are providing the level of resilience that we need," Bank of England governor Andrew Bailey told reporters during a news conference.
Financial institutions have expedited their ambitions to increase their reliance on CSPs in recent years. Banks have used cloud outsourcing to run applications and obtain more processing capacity and support IT infrastructure, ranging from file sharing and collaboration to fraud detection, business management, and communications.
Cloud services were previously primarily utilized to run applications on the outskirts of banking operations, such as HR systems, with no direct impact on financial services. According to the Bank of England, this is changing, with CSPs being called in to process procedures that are more critical to the fundamental operations of banks.
"We've crossed a new threshold in terms of the types of systems and the volumes of systems and data that are being outsourced to the cloud," said Sam Woods, the Prudential Regulation Authority's chief executive officer (PRA). "As you can guess, we keep a tight eye on that."
The Bank of England invited bids for a cloud build partner last year, intending to develop a fit-for-purpose cloud environment that could better support operations in a digital-first world. The institution indicated at the time that it had already spoken with Microsoft's Azure, Google Cloud, and Amazon's AWS and that it would most likely start with Azure. It was also suggested that a multi-cloud strategy be implemented.
Moving financial services to the public cloud has numerous advantages. While employing traditional on-premises data centers incurs additional costs, a recent analysis by the Bank of England predicted that embracing hyperscalers' ready-made services could lower technology infrastructure expenditures by up to 50%.
Another benefit of public cloud services is their increased resiliency. Because of their size, CSPs can build infrastructure with numerous levels of redundancy, making them less sensitive to outages.
As a result, moving to the cloud is not inherently harmful to banking services - quite the contrary. But, according to regulators, the most significant stumbling block is the concentration of substantial businesses that control the cloud market. According to the latest data from Gartner, the top five cloud providers hold 80% of the market, with Amazon accounting for 41% and Azure accounting for roughly 20%.
"As a market becomes more concentrated around one supplier or a small number of providers, those suppliers can exercise market dominance over both cost and conditions," Bailey explained.
"That is where we have concerns and need to be cautious because concentrated power on terms can present itself in secrecy, opacity, and a failure to provide customers with the information they require to monitor the risk in the service. And we've seen some of it in action."
Part of the purpose for CSP secrecy, as Bailey pointed out, is to better safeguard customers by not disclosing sensitive information to potential hackers. However, the regulator stated that a careful balance must be maintained in terms of transparency to allow for an acceptable awareness of the system's risks and resilience without jeopardizing cybersecurity.
These challenges are not unprecedented, according to Leighton James, CTO of UKCloud, which provides multi-cloud solutions to public sector organizations across the country. It is expected to see them trickle down to financial institutions.
"We're concerned that cloud providers will grow so large that their terms and conditions will become essentially 'take it or leave it.' We've already seen it happen in the public sector, and if we're not careful, we'll see it happen in the financial services industry as well, "James told ZDNet about it.
Part of the risk, according to James, comes from traditional banks attempting to compete against new disruptive companies in the industry. Financial institutions are scrambling to update their legacy infrastructure to keep up with the digital-native client experiences that were born in the cloud and are now broadly available thanks to fintech firms.
"It's apparent that the financial sector must adapt and embrace digital technologies," James added. "The question is how they can effectively do it while balancing the danger of digital change."
And, under this scenario, James argues, the risks of putting all of the banks' eggs in a handful of CSP's baskets are too significant.
Similarly, the Bank of England has urged financial firms to exercise prudence while establishing digital transformation programs and is currently in discussions with various authorities to determine the best way to address those risks.
Because other countries, particularly those in the EU, are concerned about the cloud, such conversations are likely to become worldwide. The Bank of England anticipates that global standards will be developed to produce a consistent approach to the issue.