It has been well documented over recent years that operational resilience is high on the agenda of UK regulators, as financial services have been increasingly moving to the cloud.

The concern is that institutions are becoming potentially over-reliant on cloud service providers to support key banking functions, particularly as the market for major cloud providers is dominated by a handful of tech firms that sit outside of the banking regulatory perimeter. The concentration of cloud providers means that any outage or hack of one (or more) of these services could cause a severe and widescale impact on the banking system.

Regulators already have existing tools to help manage the above risk. The EBA Guidelines on Outsourcing Arrangements set out various internal governance arrangements, including business continuity and sound risk management measures, that financial institutions, payment institutions and e-money institutions should implement when outsourcing functions (particularly with regard to the outsourcing of critical or important functions). The PRA has also published a Supervisory Statement (PRA SST) which sets out the PRA’s expectations of how PRA authorised firms should comply with regulatory requirements and expectations relating to outsourcing and third-party risk management. The PRA SST aims to implement the EBA Outsourcing Guidelines but also provides further clarity and requirements on how regulated firms ought to engage and contract with third parties.

However, with a number of outages occurring in recent months, UK Regulators appear to be stepping up their efforts to deal with this risk. Minutes of the Bank of England’s Financial Policy Committee (FPC) meeting in September last year highlighted that “the increasing criticality of the services that critical third parties provide, alongside concentration in a small number of providers, pose a threat to financial stability in the absence of greater direct regulatory oversight”. This meeting was shortly followed by a statement from the FPC[1] setting out future policy measures that it intends to introduce. The Bank of England, Prudential Regulatory Authority (PRA) and Financial Conduct Authority are also set to publish a joint Discussion Paper on this issue later this year. See our article on this topic for further details.

The very latest reports now indicate that the PRA (according to the Financial Times[2]) is considering going even further with the introduction of more robust outage and disaster recover tests. In particular, it is exploring ways to access more data from the dominant cloud providers. At this stage, details are limited as the PRA is declining to comment on the reports. It is also unclear whether these plans will form part of the joint Discussion Paper noted above or if they will be published separately. Regardless, the reports once again highlight just how concerning regulators consider this issue to be.