Published by Ben Saunders - OpRes Founder


On July 13th 2021, the Bank of England published its bi-annual Financial Stability Report (FSR). The document itself is a good 48 pages long, covering the Financial Policy Committee's view on the stability of the UK financial system and what it is doing to remove or reduce any risks to it.

However, one key stand-out message certainly piqued our interest at OpRes HQ. Upon reading the report, it is clear that the Bank of England has issued a warning that further policies and measures may be required to mitigate “financial stability risks” amidst the growing consumption of cloud-hosted services that are often delivered by a trusted subset of providers. The paper points out that since 2020 “financial institutions have accelerated their plans to scale up their reliance on CSPs”.

In comparison, as recently as February 2021, the Financial Conduct Authority published a report regarding the implementation of technology change across financial services. One chart in particular stood out to us, regarding the distribution of technology hosting across financial services.


Implementing Technology Change in Financial Services - The Proportion of Production Applications Hosted on Different Infrastructure Types

A whopping 78% of production services were said to still be hosted on-premise, whilst the adoption of public cloud is increasing, with around 11% of assets hosted in production. The report doesn’t go into detail about what this consumption is being driven by. Could it be that a large proportion of this surge has been driven by remote working needs and an increasing reliance on SaaS-based collaboration services? Who knows?

That said, the notion of concentration risk across financial services is not a new phenomenon. For many years, the same pool of auditors, mainframe providers, market data feeds, independent software vendors and global service integrators has provided products, consulting capabilities, and augmentation services to leading Banks, Building Societies and Insurers to underpin their IT infrastructure and important business services.

The report does not directly name any firms or suppliers in particular. However, it does state: “Although the PRA and FCA have recently strengthened the regulation of firms’ operational resilience and third-party risk management, the increasing reliance on a small number of CSPs and other critical third parties could increase financial stability risks without greater direct regulatory oversight of the resilience of the services they provide.”

In a press conference, BofE governor Andrew Bailey covered his concerns around operational resilience, stating that “as regulators, as people interested in financial stability, we have to get more assurance that they are meeting the levels of resilience that we need.”

We believe this is a two-pronged requirement, and it is just as important that the organisations who use the cloud architect their systems sufficiently based on their level of importance to the firm, their customers and the market. Many cloud services are deployed through infrastructure as a service (IaaS) consumption patterns. This applies what is called a shared responsibility model, whereby the hosting provider looks after the tin, power, and physical infrastructure, whilst the user is responsible for maintaining everything above that level: namely, the operating system, the application configuration, the virtual networking, access control policies, identity management, data tenancy, security etc.

The big problem here that many firms face is not the concentration of services within a small subset of cloud service providers, but a lack of highly skilled engineers who can build modern, dynamic, and scalable applications that can unlock business value whilst maintaining operational resilience. Indeed, if your engineers are good enough to get you into a specific hosting provider, then they should be good enough to get you out of a hosting provider!

In recent years there has been a lot of conjecture around application portability and a utopian state of multi-cloud, whereby applications can be moved from one hosting provider to another ... at the flick of a switch! This can certainly be achieved at the application level by using virtual machines or containers. However, one of the biggest challenges is data gravity, particularly if a firm holds terabytes or petabytes of data in the cloud.

In my opinion, multi-cloud portability only increases architectural complexity, drives up cost, and introduces more risk to the financial system. Interestingly, there is no mention of firms requiring a multi-cloud approach to placate these concerns from the regulators. Whilst there is a reference that the FPC recognises an absence of a “cross-sectoral regulatory framework, and cross-border co-operation where appropriate, there are limits to the extent to which financial regulators alone can mitigate these risks effectively.”

As such, this is an area that we will watch closely, as we suspect efforts will be made to create cross-border policies and regulatory frameworks with overseas supervisors. Indeed, in a post-Brexit world, it will be interesting to see how the BofE and FCA approach this subject. If too much red tape and regulation is created, it could well stifle innovation and investment in FinTech propositions, especially at a time when the U.K. has seen record-breaking levels of FinTech investment reaching $5.3BN over the first 6 months of 2021.

That said, the integrity of the market and protection of customers' financial savings is an absolute necessity. Ultimately, this is going to be a very fine balancing act for regulators, firms, hosting providers, and widely used third-party software vendors. 
