Banks call for direct oversight of cloud providers by US regulators

Tri-opoly of cloud vendors “poses systemic risk” to financial sector, say risk managers

Senior risk managers at three large global banks tell WatersTechnology's sibling publication, Risk.net, they want US bank regulators to exercise direct oversight of cloud service providers, such as Amazon, Google and Microsoft.

“Those big cloud providers already pose systemic risk to the financial sector,” says the head of third-party risk management at a large European bank with operations in the US. “Regulators cannot shy away from regulating them directly.”

“I completely agree” that bank supervisors should “directly regulate cloud providers,” says an operational risk manager at an Asian bank active in the US.

A senior risk manager at a large US bank also supports “if not direct regulation, at least supervising at a high level.”

Prudential regulators have traditionally put the onus on banks to address cloud risks through due diligence, contract negotiation and ongoing monitoring of providers. However, over the past year, UK and European Union authorities have begun to move towards direct supervision of cloud providers.

In the UK, the Financial Services and Markets Bill, which passed into law in June 2023, would grant statutory powers to the Financial Conduct Authority, Prudential Regulation Authority and Bank of England to directly oversee critical third parties. A joint discussion paper issued by the three regulatory agencies in July 2022 suggests using this authority to introduce a minimum resilience standard for critical third parties, and to require them to participate in resilience tests and sector-wide exercises.

The EU’s Digital Operational Resilience Act, or Dora, which came into force at the beginning of this year, also provides financial regulators with authority to directly scrutinize critical third parties.

While UK and EU authorities haven’t yet published a specific list of vendors deemed “critical”, operational risk experts and lawyers say it is no secret that major cloud providers are among the primary focal points.

“When you think about what is considered ‘critical’, if Google’s, Amazon’s or Microsoft’s cloud services have a disruption, whether due to outage or potential attack, most of the financial services will be significantly impacted,” says Daniel Jones, partner at law firm Orrick, Herrington & Sutcliffe. 

The three largest cloud service providers—Amazon, Google and Microsoft—have all made public statements supporting the UK’s and EU’s regulatory push, suggesting it is a necessary and positive step for the industry.

David Stone, consultant in the chief information security office at Google Cloud, says the tech giant is not opposed to regulation, adding that the firm would like the regulations to be targeted instead of just creating compliance work.

“How we can get better as a community is always our intent when we engage with such regulations,” he says.

US authorities have taken a more hands-off approach. A February 2023 report by the US Treasury Department on the adoption of cloud services by financial firms identified a series of emerging risks, but stopped short of calling for increased regulation.

In their final interagency guidance on third-party risk management, dated June 6, the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) maintained the status quo, reiterating that it remains the banks’ full responsibility to monitor all their third-party vendors, including cloud providers.

Clouded judgement

Banks had previously called on regulators to provide more detailed guidance on cloud risks, in their responses to the consultation on the guidance. However, the final report offers no specific guidance on cloud risks, and instead emphasises fintech risks.

“I was really hoping to see more assertiveness by regulators in terms of regulating cloud providers, but it is disappointing that the new guidance remains silent on this front,” says the senior risk manager at the Asian bank active in the US.

The Fed and FDIC declined to comment for this article. An OCC spokesperson says the agency uses a risk-based approach to determine if service providers need direct supervision and referred to the interagency guidance on third-party relationships. The Treasury Department did not respond to a request for comment.

Bank risk managers say they face significant challenges in managing cloud risks, including limited information that they can obtain from cloud providers to perform due diligence, particularly concerning subcontractors, supply chain risks, cyber-security measures and software dependencies. In addition, they have limited bargaining power with large cloud providers on negotiating audit rights and termination policy.

“Even for large banks, there’s little room for negotiation. The typical situation is this: major providers like Microsoft, Amazon and Google share a contract with you, and you can either accept it or walk away,” says the senior risk manager at the Asian bank.

The senior risk manager at the large US bank echoes that sentiment: “The market is so concentrated that we have limited negotiation power with key providers.”

Some believe US authorities may be underestimating the significance of cloud risks in the financial sector. The US Treasury report found that 80% of firms were in the “adoption” or “early adoption” phase with cloud services, with only 5% of banks describing their cloud use as mature.

“While cloud providers are important to banks, they haven’t presented the level of systemic risk like a bank core service provider. If a core service provider is going away tomorrow, the entire financial sector would come to a halt, whereas the impact of cloud service disruptions would be comparatively lesser,” says Aly Farooqui, chief risk officer at IBM Cloud for Financial Services.

“But that will change as material services move to the cloud in the next few years,” he adds. Core service providers are firms such as FIS, Fiserv and Jack Henry.

In the US, new legislation would not be needed for prudential regulators to directly supervise cloud service providers. The Bank Service Company Act of 1962 gives bank regulators the authority to regulate technology companies that provide services to banks. Risk.net understands that the Fed, the OCC and the FDIC jointly assign an examination and supervision team, known as Central Point of Contact, to regularly examine third-party vendors such as IBM, Fiserv and FIS. But the same level of rigor has not so far been extended to the largest cloud providers, known as hyperscalers.

Banks expect that to change. The head of third-party risk at the large European bank says it is an inevitable trend for regulators across jurisdictions to provide direct oversight of cloud providers, and he anticipates the US authorities could start making the move soon.

“I think direct regulatory oversight is not far away, at least from the Fed’s perspective. There are complexities to navigate at both federal and state levels that they should be careful about, but they have no choice but to regulate these monopolistic players,” he says.

A source who works closely with the US financial authorities on third-party risk management says he is not aware of any efforts by US regulators to directly supervise cloud providers, but would not be surprised to see it happen.

On the other hand, Brian Kostek, managing director of regulatory risk at Protiviti, and a former OCC bank examiner, says it is unlikely that regulators will introduce new enforcement measures in the short term, given the recent issuance of the final interagency guidance in June, along with the Federal Financial Institutions Examination Council’s statement on cloud risk management just three years ago.

Editing by Alex Krohn
