New regulation forces UK banks to scrutinize cloud

Firms say changing SLAs and getting required information from vendors like AWS, Azure and Google Cloud is a heavy burden.


No one likes the auditor. But under new rules banks in the UK will eventually have to become auditors of their vendors, and be able to demand deep insight into the books, records, and premises of their third parties and cloud service providers (CSPs)—including heavyweights like Amazon Web Services (AWS), Google Cloud, and Microsoft Azure.

UK banks are facing a raft of regulations that will come into force on March 31 that will require them to map their third parties, identify their impact tolerances and identify vulnerabilities that could significantly disrupt their clients. Firms will be expected to develop and show these self-assessments of their third-party risks to the regulators by the March deadline. 

“There’s a huge body of work to do because most organizations have thousands of third-party providers. There is a sifting and tiering that organizations need to do to set the framework now so that they meet those regulatory standards,” says one senior executive responsible for tech resiliency at a tier-one bank. “You might have had an outsourcing arrangement in place, but if it’s not at the standard expected, then that will need to be updated.”

The rules on outsourcing and operational resilience, jointly published by the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England (BoE), will require banks to update their contract permissions so that they can test their cloud providers’ performance levels, permit their compliance teams and regulators to inspect the CSPs’ relevant business premises, and access data related to their outsourced activities.

On January 27, the supervisory authorities clarified during a webinar hosted by FCA that firms will have a grace period of three years to develop impact tolerances, remediate their third-party mapping, and comply with the rules. Within that timeframe, firms will also be expected to update their contractual agreements with their “material” third parties to include permissions to ask probing questions about their operational resilience.

Financial institutions operating across the EU will also have to review and amend their cloud outsourcing arrangements by the end of this year, in accordance with guidelines set out by the European Securities and Markets Authority (Esma).

Under these incoming regimes, the buck stops with banks and insurers. While banks have always been responsible for complying with the outsourcing and operational resiliency rules, for managing their third-party risk, and are accountable to the regulators in the event of an outage or security breach, the new regulations create additional scrutiny. This means banks are viewed as the driving force in ensuring that their third parties are following the regulations, says Valérie Höß, vice president of government, regulatory affairs, and digital policy at Deutsche Bank.

“At the moment, we need to ensure compliance of our IT providers, and align that with the expectations that the supervisory authorities have toward us, which can be challenging,” Höß says.

Negotiating for access to what is often highly sensitive information about a cloud provider’s resiliency and data can be difficult.

James Fox, director of technology consulting at Protiviti, has seen this firsthand in his work with banks on tech transformation and third-party risk management programs. “We’ve seen firms go through 12 to 24 months of negotiating with CSPs to get this information out of them, which then has a knock-on effect on their cloud migrations, delaying them. And then the value that banks are delivering to customers is delayed as well,” he says.

Smaller banks might not have the clout to negotiate with the providers that their large counterparts do, Fox adds. Regulators may find, he says, that tier-one banks can tell them more about their third parties than a tier-two or -three bank can.

Part of the reason is that smaller banks have less negotiating heft: they tend to spend less with the cloud providers. In other words, the more valuable a client is, the more influence it will have at the negotiation table.

Adrian Poole, head of financial services UK and Ireland at Google Cloud, says the provider supports its customers’ compliance needs in areas such as incident reporting and operational resilience testing. He says that “while there’s a process for clients to conduct their due diligence, we work to make this as efficient as possible.”

Microsoft Azure declined to comment for this article. AWS declined to comment on the record.

‘Lay down the law’

Nonetheless, sources at even large banks say it is a struggle to extract the relevant information from the CSPs. Many, including the executive at the tier-one bank, are lobbying the regulators to exert pressure on the CSPs to make it easier for firms to negotiate their contracts.

“My request of the regulators is to help us do the right thing, help us by setting the minimum standards,” they say. “[Regulators should] bring the cloud providers to the discussion table and lay down the law to them. Although they’re not regulated, they are a major part of the financial services sector, and the regulators have clout.”

They say regulators should compel CSPs that want to operate in financial services to offer a minimum level of transparency and cooperation.

“Rather than putting the pressure on firms and asking us to manage the CSPs, one way of trying to address it would be for regulators to say, ‘If you are a provider to the financial services, this is the minimum standard that we expect to be delivered,’” the bank executive says. “This becomes a much more productive, and sensible conversation rather than us individually trying to lay down the law.”

However, the CSPs have shown they are willing to work with regulators, says Gordon Mackechnie, CTO at Deutsche Bank.

“There is a recognition and a maturity on behalf of the cloud providers that if they want to be part of heavily regulated industries in financial services, then they have to engage with our regulators as well,” Mackechnie says. “Certainly, there are elements that are very sensitive, and so they are careful with that information. But finding ways to make that work is definitely something we’ve seen.”

How the new regulations apply will differ depending on factors like the size of the bank, its systemic importance, or the function being outsourced. The new rules will expect banks to identify whether the functions hosted on the cloud are deemed either critical, important, or material to the continuation of the financial firm’s business or operations.

The bank will then need to hash out and put in place contingency plans, proportionate to the risk of a technical issue or failure, with the CSP. For example, a firm might decide to rent backup datacenters located in different cloud availability zones, or retain alternate on-premises sites to prevent service disruption in the event of an outage.

Large cloud and IT providers typically have a standard term of reference within a service level agreement (SLA) that clients can sign up to. This can fast-track the process of onboarding multiple clients, but under the new rules, these will need to be revised to account for the outsourcing variables and their different requirements.

“The terms of reference are not individualized in the service provision. So while it may be sufficient for generic stuff, where you’ve got real critical stuff, you want that updated. That is why you have difficulties and tension in having those discussions,” the senior bank executive says.

In some cases, banks must rework bespoke SLAs they have with their CSPs.

The regulators have clarified that firms will need to fully comply with the rules by March 2025, and if they are unable to meet their outlined impact tolerances by the deadline, they will need to inform the regulator.

“There are no two ways about it: You must meet the standards, and if you’re not able to meet the standards, you must notify the regulators. And clearly, that conversation comes with issues for you to consider, like if it is material to your organization and you are a significant organization in the sector, then you should ask yourself should you really be contracting with that provider?” the senior bank executive says.

Readjusting the lines of accountability

In the EU, attempts to regulate CSPs directly are in the works. The European Commission (EC) has a draft proposal for a Digital Operational Resilience Act for the Financial Sector (Dora), which aims to create a digital operational resilience framework across all regulated financial institutions in the EU27. Dora is still making its way through the European legislative process and is currently being debated by the European Council.

Ian Waterworth, director of technology and operations at trade body Association for Financial Markets in Europe (Afme), says Dora applies to critical third parties, which will likely drag into its scope some of the major cloud providers.

Dora makes “critical information and communication technologies (ICT)” subject to a streamlined union oversight framework, coordinated across the three European supervisory authorities. Each authority is responsible for the relevant critical ICT providers as “lead overseer” and can assess whether each ICT is adequately managing risks to the financial firms that are its customers.

What constitutes a critical ICT still needs to be clarified, Waterworth says, before the rules are rolled out later this year. One possibility is that firms might have to formulate their own definition and identify which third parties and parts of their outsourcing are deemed “critical” to their businesses.

Banks already do a lot of this work. Waterworth says most banks have their own internal rating systems that they use to calculate the criticality of their applications. For instance, the business and IT teams within a firm might answer questionnaires and rate the criticality of an application on a scale of one to five.

“For example, a payment system would be a business-critical system or a front-office trading system,” he says. “It can be anything that provides a real critical infrastructure to the bank and the users that it responds to.”

Google Cloud’s Poole says the incoming UK guidelines impose new requirements on its customers to achieve higher operational resiliency, and that meeting them does require more technical work and advisory services from Google Cloud as a third party. In the case of Dora, he says, he expects that the full extent to which ICTs and cloud providers will be supervised and held accountable will become clearer later this year.

“Google Cloud is following the processes closely and working to contribute to the collaborative dialogues around them,” he says.

Sharing is caring

Some firms already conduct audits of their CSPs, testing and risk-assessing their infrastructure on an annual basis. Financial firms have found that pooling their audits of the CSPs can offload some of the work involved. The Collaborative Cloud Audit Group, a syndicate of 39 financial institutions and insurance companies that use cloud infrastructure, has carried out several collective audits, including with Google Cloud in 2020 and, in partnership with Deutsche Börse, with Microsoft Azure in 2018.

According to the current draft of Dora, financial entities will be expected to verify that pooled auditors or audit-like services possess the appropriate “skills and knowledge” to effectively perform relevant audits and assessments.

In September, Protiviti and Afme published a joint report warning capital market firms of the barriers to cloud adoption. As part of that research, Protiviti’s Fox says, they looked at the benefits of having a regulated financial services portal developed for each cloud provider. A CSP would publish standardized information about its resiliency and performance via the portal, and customers could gain access to the information through secure individual accounts.

“If they’re all asking the same questions, surely making that portal available could help. It doesn’t have to be public; maybe each customer, through their account, could sign a non-disclosure agreement to get access to that information, and they can use that to accelerate their adoption of cloud,” Fox says.

Banks will need to agree on contract clauses that will permit them to audit their cloud providers and their relevant outsourced functions whenever they see fit. But even the highest-grossing Big Tech firms on the planet have their limits.

The senior bank executive says no organization would realistically have the bandwidth to do individual audits with every one of its financial services clients annually.

“Imagine ringing up AWS and saying, ‘I’ve got to do my audit, this is my timeframe, can you accommodate us?’ Now, imagine Goldman Sachs [and all the other banks] do the same. It wouldn’t make sense; it needs to be done as a sector,” the executive says.

This article has been updated to reflect clarification provided on January 27 from the UK supervisory authorities regarding the deadlines for compliance with the new outsourcing and operational resilience rules.
