Cloud Worries Show Up in New EU Outsourcing Guidance

Financial firms must maintain a register of all their outsourcing arrangements, with additional detail for outsourced critical or important functions, under new guidelines now in effect in Europe.

Financial companies in Europe must now maintain a register of all their outsourcing arrangements under new regulatory guidelines, as regulators are worried that cloud services are concentrated among just a handful of companies.

“The regulators want to check that individual firms are capturing these relationships, but they also intended for the register to help regulators monitor any over-reliance of the industry on a small handful of service providers,” says Paul O’Hare, a partner in law firm Kemp Little’s commercial technology team, and leader of its outsourcing practice. “These guidelines show they are particularly worried about the concentration risk in relation to cloud—this is one of the key reasons behind introducing this outsourcing register.”

The European Banking Authority’s new guidelines on outsourcing came into force at the end of September, replacing the 2006 outsourcing guidelines and the EBA’s 2017 recommendations on outsourcing to cloud service providers. They apply to a wider range of companies than before: any firm that falls within the EBA’s mandate, which means credit institutions and investment firms such as banks and hedge funds, as well as payment and electronic money institutions, a category that will pull fintech companies into scope. The guidelines don’t apply to insurers.

O’Hare says firms were already required to maintain a register of cloud contracts; this requirement is now expanded to all their outsourcing arrangements. Outsourcing is widely defined as pretty much any service performed by third parties, with some exceptions for auditors and legal advisors, data vendors, and clearing and settlement.

Most of the information that goes into the register is pretty straightforward, O’Hare says. But it’s when the functions being outsourced are “critical or important” that maintaining the register gets more onerous.

“Critical or important functions” in the guidelines are those that have a strong impact on a firm’s risk profile or its internal control framework.

In the register, the firm must record additional information for each critical or important outsourcing, including the dates on which it carries out risk assessments, which must be conducted regularly. The firm must include a summary of the results of the risk assessment and the action it plans to take to manage those risks. Competent authorities—like the Financial Conduct Authority in the UK, for instance—can ask to see those registers on a regular basis, O’Hare says.

High Concentration

Governments are starting to worry that much of the technology that finance relies on is underpinned by the big three cloud service providers: Amazon Web Services, Microsoft Azure and Google Cloud Platform.

The EBA articulates these worries in its final report on the guidelines, saying that regulators need to be able to identify the concentrations of outsourcing arrangements at service providers, especially with regard to critical or important functions. These may, “if the provision of the service fails, lead to disruption of the provisions of financial services by multiple institutions. If service providers, for example in the area of IT or fintech, fail or are no longer able to provide their services, including in the case of severe business disruption caused by external events, this may cause systemic risks to the financial market,” the report says.

Cloud providers say they themselves program their software and architect their infrastructure to prevent or contain failures. Adrian Poole, head of financial services for Google Cloud Platform, says they meet with regulators around the world on a quarterly basis to listen to concerns and to explain what measures they are taking to mitigate risk.

The platform’s federated infrastructure helps contain failures, Poole says. “The way we provide our services, and the variety of what we call zones and regions, provides a lot more choice around where clients can put their data,” he tells WatersTechnology.

Regions are geographic areas where data is hosted; each region has one or more zones. Google has 60 regions globally. The idea is that federating data storage into these regions and zones isolates each from failures in the others.

“We would make sure that with the way we design our software and implement changes, we could lose one zone and the other two continue to work. And we often advise clients that if they really want that very-high availability, they could have data in two regions because then they also have that significant geographic separation as well,” he says. “We spent $47 billion in terms of three-year rolling capex on these types of data centers, heavily investing to give clients a choice of where they want their data to be.”
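The property Poole describes, losing one zone while the others keep serving, and the stronger variant of losing a whole region, can be checked mechanically for a replicated service. The following is an added example written for this page; it is not code from the article, from Google Cloud or from the EBA. It models a deployment as replicas placed in (region, zone) pairs, spreads them across fault domains, and verifies that a majority quorum survives the loss of any single zone and, optionally, any single region. The region and zone names are constructed placeholders, not real Google Cloud locations.

```python
"""Fault-domain spread check for a replicated service across zones and regions.

Added example, not from the article or any cloud provider. A replica is a
(region, zone) pair; zone names are assumed to be globally unique (as they are
when prefixed with their region). The check assumes failures are independent
per zone or region; it does not model a shared control plane or network
failing several domains at once, which is exactly the concentration risk the
regulators worry about and has to be assessed separately.
"""
from itertools import cycle, zip_longest
from typing import Dict, List, Tuple

Placement = Tuple[str, str]  # (region, zone)


def quorum(n: int) -> int:
    """Majority needed for a replicated state machine with n replicas."""
    return n // 2 + 1


def fault_domain(replica: Placement, level: str):
    """The unit that fails together: the region, or the (region, zone) pair."""
    return replica[0] if level == "region" else replica


def survivors_after_losing(replicas: List[Placement], domain, level: str) -> int:
    """Replicas left after every replica inside `domain` goes away."""
    return sum(1 for r in replicas if fault_domain(r, level) != domain)


def survives_loss_of_any(replicas: List[Placement], level: str) -> bool:
    """True iff losing any single zone (or region) still leaves a majority."""
    need = quorum(len(replicas))
    domains = {fault_domain(r, level) for r in replicas}
    return all(survivors_after_losing(replicas, d, level) >= need for d in domains)


def resilience_report(replicas: List[Placement]) -> Dict[str, bool]:
    """Summarise both properties for a given placement."""
    return {
        "survives_any_zone_loss": survives_loss_of_any(replicas, "zone"),
        "survives_any_region_loss": survives_loss_of_any(replicas, "region"),
    }


def spread(n: int, zones_by_region: Dict[str, List[str]]) -> List[Placement]:
    """Place n replicas round-robin over regions first, then over zones.

    Interleaving regions means consecutive replicas land in different regions,
    so the placement degrades as evenly as possible under a region loss.
    """
    per_region = [[(region, f"{region}-{z}") for z in zones]
                  for region, zones in zones_by_region.items()]
    order: List[Placement] = []
    for group in zip_longest(*per_region):
        order.extend(p for p in group if p is not None)
    return [p for p, _ in zip(cycle(order), range(n))]


if __name__ == "__main__":
    # Constructed topology: three placeholder regions with three zones each.
    topology = {"eu-w1": ["a", "b", "c"],
                "eu-w2": ["a", "b", "c"],
                "eu-w3": ["a", "b", "c"]}
    single_region = [("eu-w1", "eu-w1-a"), ("eu-w1", "eu-w1-b"), ("eu-w1", "eu-w1-c")]
    print("3 replicas, one region:", resilience_report(single_region))
    print("6 replicas, three regions:", resilience_report(spread(6, topology)))
```

Three replicas across three zones of one region pass the zone check and fail the region check; six replicas spread two per region over three regions pass both, because losing a region leaves four of six, which is still a majority. Running the check against a real register entry needs only the list of placements the provider actually gave the service.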
