U.S. markets closed
  • S&P 500

    -4.87 (-0.12%)
  • Dow 30

    +34.87 (+0.10%)
  • Nasdaq

    -20.95 (-0.18%)
  • Russell 2000

    +11.16 (+0.59%)
  • Crude Oil

    -0.88 (-1.08%)
  • Gold

    -3.80 (-0.21%)
  • Silver

    +0.53 (+2.33%)

    +0.0002 (+0.02%)
  • 10-Yr Bond

    -0.0230 (-0.65%)

    +0.0040 (+0.33%)

    -1.0160 (-0.75%)

    -8.40 (-0.05%)
  • CMC Crypto 200

    +2.91 (+0.72%)
  • FTSE 100

    -2.26 (-0.03%)
  • Nikkei 225

    -448.18 (-1.59%)

City's reliance on Amazon and Google leaves regulators worried

Cloud Data Storage Amazon Web Services
Cloud Data Storage Amazon Web Services

A peculiar thing happened one afternoon last winter: at 2:30pm on December 7, robot vacuum cleaners across the US fell silent, online grocery carts were cancelled and Adele fans fumed at Ticketmaster as the presale of her concert tickets was postponed. Netflix went down. So, too, did Spotify. Duolingo. Tinder. Even some news websites.

All the issues had one thing at their root: an outage at an Amazon Web Services data centre in northern Virginia.

Adam Selipsky, chief executive of AWS, told the Financial Times the incident was “incredibly painful”. But what was simply an irritant for many could be much more serious for large swathes of the financial system.

A lasting legacy of the pandemic is the rapid migration of banks and other financial institutions to the cloud. With promises of greater speed and efficiency, many are increasingly running everything from file-sharing to fraud detection on a handful of Big Tech-controlled servers. In 2020, AWS struck a deal with HSBC, while Google has brokered similar partnerships with Goldman Sachs and Deutsche Bank.

Bank of England Governor Andrew Bailey has warned against the “secrecy and opacity” of these cloud arrangements, which make it difficult to assess the risks posed. He has admitted that regulation has failed to keep pace with innovation.

“This is no longer something happening around the periphery of banks' systems – for instance with HR systems,” said Sam Woods, deputy governor for prudential regulation at the BoE.

“What we now have moving [into the cloud] are things which are much more integral to the running of banks, which could go to safety and soundness.”

Gavin Goveia, a partner at Deloitte, who is helping a client move all of their financial applications to Google Cloud Platform in the next two years, said: “Everything is a candidate for being moved over to the cloud.”

Concentrated risks

Such eagerness marks a tectonic shift in attitude among chief executives.

Four years ago, most banks preferred to stick to antiquated systems designed in the 1980s than risk a repeat of TSB’s botched 2018 migration. The move from disparate legacy IT systems to a single new platform left around 1.9 million customers locked out of their accounts for up to a week, causing – by TSB’s own admission – “extensive service disruption and instability for customers”.

TSB lost 80,000 customers and posted £330m in losses, including provisions of £116m for consumer redress. Chief executive Paul Pester resigned five months later.

Now, however, migration to the cloud in financial services looks all but inevitable. A recent survey by EY found that 27pc of UK banks plan to move the majority of their business to the cloud by the end of this year.

The two largest cloud service providers – AWS and Microsoft Azure – account for over half the $200bn global market, according to Synergy Research Group. That concentration increases the risks.

“Imagine a customer has three different payment cards,” explained Clare Reynolds, a lawyer at Taylor Wessing. “If there’s an outage at one of those, normally they can just use one of the other bank cards to make that payment. That mightn’t be possible if those three banks were using the same cloud provider.”

As well as the risk of services going down, migrating to the cloud raises new concerns about data being stolen. Researchers at the London School of Economics have argued that the sheer size of cloud service providers – “whose failure would be catastrophic” – has made them attractive targets for hostile agents.

During the 2020 SolarWinds hack on Azure, Microsoft admitted the addition of “a few lines of benign-looking lines of code” into its operating system allowed hackers to “operate unfettered” in compromised networks.

In the “Cloud Hopper” attack, it took years before Hewlett Packard Enterprise discovered its server had been compromised by two suspected Chinese spies between 2010 and 2017.

None of this is to say the cloud is inherently less secure. In fact, it is far more secure than legacy IT systems, said Reynolds. But the risks are there.

“The focus in most cloud designs is on limiting the blast radius, in case an attack was launched on the system,” said Aarti Balakrishnan, a partner at Deloitte.

Amazon has built so-called “availability zones”, which are small groups of data centres that can be isolated from problems in other zones.

Banks' transition to the cloud deepens the power and reach of Amazon, Microsoft and Google. The Bank of International Settlements has said that tech companies are “likely to deepen their critical role in the financial system” as banks come to rely on “a small number of specialist providers”.

Two's company, three's a cloud

It takes decades of research to develop a competitive cloud, meaning that the current duopoly of Amazon and Microsoft will at best become a triumvirate, with Google in a distant third place for now.

Regulators are keen to get a handle on the issues. Both the EU and UK are looking to extend regulatory oversight to the cloud providers themselves, and not just banks which are responsible for encrypting and managing their own data. It is a recognition of the systemic risk the cloud now poses to financial stability.

“Reforms following the 2008 financial crisis have largely focused on financial resilience,” said Reynolds. “This decade looks set to focus on operational and digital resilience.”

Amazon and Microsoft were contacted for comment.