Buried in the Bank of England’s Future of Finance report, released in June, there is a short paragraph that, to me, seems to show that the regulators are worried about how systemically important the major cloud providers are becoming.

The report, chaired by BoE adviser Huw van Steenis, is a review on the outlook of the UK financial system and what it means for the central bank, and it touches on a number of topics and priorities, from payment systems to climate change to cloud adoption.

It shows the BoE to be thrilled by the possibilities of cloud technologies for cost savings and efficiency across financial enterprises, and solicitous about the caution banks have apparently shown in adopting cloud. The report pledges to help firms move forward with cloud by clarifying regulatory expectations, for instance.

But the report also expresses concerns that almost half of services are concentrated with Amazon and Microsoft, forming a single potential point of failure—or at least very few of them.

The problem is also that, as the report acknowledges, this oligopoly of tech giants is precisely what makes these firms so good at what they do, as their size and revenues enable them to deliver scale and efficiency. So what to do? 

This brings me to that paragraph. On page 51, the report says: “Regulators may have to engage with service providers directly to ensure they meet supervisory expectations. Alternatively, cloud providers could become regulated public utilities, creating a ‘certified cloud.’” 

Surely this has not been the regulatory approach hitherto. Regulators, by and large, have placed the onus for responsible cloud usage on the user, relying on customers of platform- and software-as-a-service (SaaS) providers to look through to their underlying fourth parties and understand the full supply chain.

As the report itself says, “Concentration risk raises the question of whether regulation of cloud providers should go beyond reliance on guidance for firms’ risk management of outsourcing arrangements. Supervisory powers might have to be extended if supervising ‘through’ regulated firms is no longer deemed sufficient.” 

The actual concentration risk is probably not yet very high, as financial firms have been relatively slow to adopt cloud and still do many activities internally that could be outsourced, and are not using cloud for critical services. But cloud usage is growing: The report quotes stats from McKinsey that 40% to 90% of banks’ workloads globally could be hosted on public cloud or delivered via a SaaS model in a decade. And as the BoE report says, this is entirely desirable. It does mean, however, that the risks will need addressing in the future—and the tech giants are already being scrutinized. 

The report draws parallels with central counterparties (CCPs), the venues that in the wake of the crisis are now mandated to clear some over-the-counter derivatives. Generally, these are considered one of the most successful of the post-crisis reforms in the US and Europe—they have provided not only visibility, but also efficiency and most clearing members (big banks) have come around to them. 

But among academics and policy types, there has been a worry that these CCPs now function as highly concentrated nodes of risk. What happens if a CCP, exposed to so many different counterparties, many of which are systemically important banks, defaults? The idea is that the clearing members all pitch in to suffer some losses after such an event—but unsurprisingly clearing members have expressed great reluctance to do that. Financial interests will always trump safety considerations—to continue the analogy with CCPs, what will the equivalent battles be among the cloud providers?  

Whatever their feelings on the matter might be, authorities are clearly intending to be involved. The bank’s report says the UK’s Prudential Regulation Authority “must ensure its information sources, supervisory skills and approach keeps pace. It should also consider whether it needs new powers, such as giving supervisors sufficient access to cloud providers to monitor risks appropriately.”

In other words, cloud providers, you have been warned.