Under A Cloud: US Warns Of Third-Party IT Concentration Risk

December 20, 2022
US regulators has warned that banks rely too heavily on a small number of cloud service providers in their new financial stability report, which also cautions against risks related to buy now, pay later (BNPL) and digital assets.

US regulators have warned that banks rely too heavily on a small number of cloud service providers in their new financial stability report, which also cautions against risks related to buy now, pay later (BNPL) and digital assets.

US financial institutions are increasingly relying on third-party service providers for a broad range of IT services, some of which may support critical functions within its businesses.

This is particularly the case with cloud services, where the financial services industry largely depends on a limited number of providers, according to the Financial Stability Oversight Council (FSOC), whose members include the main US federal financial regulators.

In 2021, 90 percent of banks surveyed by the American Bankers Association (ABA) stated that they maintain at least some minimal data, applications or operations in the cloud.

Although the cloud is currently used to support only a small part of businesses’ operations, a more recent survey (sponsored by Google Cloud) suggested that more than two-thirds of banks want to move at least 30 percent of their applications and data into the cloud in three years.

As financial institutions are looking to move more data and core services to the cloud, the “operational resilience of these large technology companies could soon have financial stability implications”, said Rohit Chopra, director of the Consumer Financial Protection Bureau (CFPB).

“A material disruption could one day freeze parts of the payments infrastructure or grind other critical services to a halt,” he warned.

This is the first time that regulators in the US have identified the financial sector’s concentrated dependency on a limited number of cloud service providers (for critical information technology services) as a potential risk to financial stability.

The report urged federal regulators to collaborate both among themselves and with state regulators to enhance supervision of cloud service providers.

Nonetheless, the CFPB director has hinted at the possibility for the FSOC to go even further in the future by designating some of the large cloud service providers as a systemically important financial market utility.

A similar concern around large cloud service providers has been raised in the UK recently, which prompted the government to propose a new "critical third-party regime" that gives UK financial watchdogs the oversight of a firm’s arrangements with cloud providers.

Same rules for the same activity

The report also notes that the growth of non-bank financial institutions in certain marketplaces may introduce new risks to the broader financial system.

Among these are BNPL providers whose popularity in the US has soared in recent years. According to the report, the total value of BNPL loans rose from $2bn in 2019 to $24bn in 2021. This is still well below credit card spending, which hit $4.28trn in 2020, according to Bank for International Settlement statistics.

The report recommends that regulators leverage existing authority to ensure that activity with the same risk has the same regulatory outcome.

It also urges the agencies to identify potential gaps in the regulatory framework and work on proposals to address them.

These recommendations are in line with the CFPB’s approach to BNPL providers. Earlier this year, Chopra stated that he sees BNPL as “a close substitute” for credit cards and his agency will be working to ensure that borrowers have similar protections regardless of whether they use a credit card or BNPL.

Call for comprehensive crypto regulations

The report also highlights risks related to digital assets and stresses that the lack of comprehensive regulations means that no single agency has visibility into the risks across the entire business.

The FSOC encourages agencies to continue to enforce existing rules and regulations applicable to the crypto-asset ecosystem, while recommending that Congress pass legislation to address existing gaps.

Agencies also point out that steps should be taken to address regulatory arbitrage and push regulators to continue to collect data to support the analysis, monitoring, supervision and regulation of digital asset activities.

“Through the stablecoin inquiry, it has become clear that non-bank peer-to-peer payments firms serving millions of American consumers could pose similar financial stability risks,” Chopra noted.

These firms issue “runnable deposit-like” liabilities and invest in riskier, less liquid assets. In addition, consumers often maintain balances and treat the account like a quasi-bank account, according to the CFPB head.

“The failure of such a firm could lead to millions of American consumers becoming unsecured creditors of the bankruptcy estate, similar to the experience with FTX. Our patchwork state money transmitter laws were not designed to ensure the long-term stability of these types of firms,” Chopra stressed.

Our premium content is available to users of our services.

To view articles, please Log-in to your account, or sign up today for full access:

Opt in to hear about webinars, events, industry and product news

To find out more about Vixio, contact us today
No items found.