UK puts four cloud providers under financial regulator oversight
Amazon, Google, Microsoft and Oracle units have been designated Critical Third Parties as UK authorities target cloud concentration risk in finance.
By Ingrid Halvorsen · Staff Writer
· 3 min read
The UK government has designated four major cloud providers as Critical Third Parties, bringing services supplied by Amazon, Google, Microsoft and Oracle units under direct oversight by financial regulators. The move addresses the risk that an outage or operational failure at a major technology supplier could affect banks, insurers and market infrastructure providers at the same time.
The firms named are Microsoft Ireland Operations Limited, Google Cloud EMEA Limited, Amazon Web Services EMEA SARL and Oracle Corporation UK Limited. The government said the designation reflects their importance to the UK financial services sector as firms rely more heavily on cloud computing for core systems and customer-facing services.
The regime is due to take effect next week, according to the government. It said the framework is intended to strengthen resilience across the financial system and protect services used by households and businesses.
The Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority will jointly supervise the critical services that the designated providers supply to financial firms. Their role will focus on the continuity of services judged significant to the sector rather than on every activity carried out by the technology companies.
Under the new framework, the regulators will be able to request information, assess operational resilience and work with the companies to address risks to service continuity. The watchdogs will also be able to make and enforce rules specific to Critical Third Parties where needed, according to the government.
The mechanism is designed to give financial authorities a direct view of key suppliers that sit outside the traditional perimeter of bank and insurer regulation. Financial firms remain responsible for their outsourcing and operational resilience, but the designation gives regulators tools to examine the providers whose services are used across multiple institutions.
Rachel Blake MP, Economic Secretary to the Treasury and City Minister, said trust in the UK financial system was central to the country’s position as a financial centre. She said the designations would help keep critical services used by financial firms resilient, while protecting consumers and businesses and supporting economic growth.
The government said its concern is that disruption at a large cloud provider could spread across the sector because many firms may depend on the same supplier. That concentration risk has drawn closer attention from regulators as banks, insurers and financial market infrastructures shift more technology workloads to external cloud platforms.
The providers expressed support for the aims of the framework, according to the report. A Google spokesperson said the Critical Third Party regime could improve the long-term resilience of the UK financial system if implemented effectively and supported by industry engagement, adding that it could increase understanding, transparency and trust among the parties involved.
The designations mark a further step in UK regulators’ efforts to monitor operational risk beyond regulated financial firms themselves. For cloud providers, the framework creates a formal supervisory relationship with the Bank of England, PRA and FCA for services deemed critical to finance.
This story draws on original reporting from Finextra Research.