Financial firms’ use of the cloud, including for their critical services, has been increasing over the years and is expected to continue to do so. Once a significant level of critical services has moved to the cloud, a major operational disruption at a cloud service provider (CSP) could interrupt the delivery of these services and hence have systemic implications.
This is exacerbated by the predominance of a few CSPs at the global level. The prevalent regulatory approach to the use of CSPs by financial firms may not be enough from a systemic perspective. The most common regulatory approach focuses on how financial firms manage their own risks arising from acquiring third-party services, including those of CSPs. Regulations typically require financial firms to assess the potential implications of such services for their own operational resilience. This includes performing due diligence in selecting service providers, as well as making sure that contractual agreements provide financial firms the right to inspect or audit their service providers (sometimes including their significant subcontractors).
This approach addresses microprudential concerns, but may not be sufficient from a macroprudential perspective considering the potential implications of an operational disruption of a CSP outlined above. In addition, the market power that the leading CSPs have raises the question of whether financial firms have the right competency, powers and means to perform thorough assessments of risks as envisaged in existing regulations. This led Prenio and Restoy (2022) to argue that there may be a case for subjecting CSPs, particularly those critical for the financial system, to an oversight framework.
This Financial Stability Institute (FSI) paper identifies some considerations for potential oversight frameworks for critical CSPs that take into account their potential systemic importance, as well as the cross-sectoral and cross-border nature of their operations.