Call us free (AU) 1800 462 388
«See all articles

Call for more oversight of big cloud providers

Major cloud providers under scrutiny‘Systemically important’ cloud providers lack oversight in financial markets…

The big guns of the cloud world are facing increased scrutiny in the United States with two congresswoman gunning for more Federal oversight into AWS, Microsoft Azure and Google Cloud in the wake of the Capital One data breach.

Democratic representatives Katie Porter and Nydia Velázquez have called on the head of the Financial Stability Oversight Council (FSOC), to consider designating the three cloud providers as ‘systemically important financial market utilities’.

Systemically important financial market utilities are defined as traditionally banks, insurance or other financial institutions providing essential infrastructure that US regulators deem would pose a serious risk to the economy in the event of a collapse.

“Their operational stability underpins an increasing share of banks’ central functions.”

The designation gives the Federal Reserve the power to prescribe risk management standards, examine and take enforcement action against organisations. However, only a handful of organisations have been declared systemically important financial market utilities.

Porter and Velázquez’s call for action follows July’s Capital One Financial data breach which exposed personal information from 106 million customers, hosted on Amazon Web Services.

The Capital One breach saw a former AWS employee exploit a misconfigured web application to gain entry into the system.

While an FBI affidavit claims a Capital One error enabled the breach, but Porter and Velázquez say the incident raises serious questions about banks’ and financial institutions’ dependence on cloud services for their data needs ‘and the risks these systems pose to the safety and stability of the financial system’.

In a letter to FSOC head Steven Mnuchin, the pair cite a 2016 McKinsey report which says 100 percent of financial institutions use cloud services in some capacity and say it’s appropriate that regulators consider whether cloud platforms used by banks should be considered systemically important alongside banks.

“Too often we are trying to solve yesterday’s problems tomorrow, instead of making policy that prevents tomorrow’s problems from happening in the first place,” says Porter. “As our financial system increasingly relies on cloud computing and other forms of technology, we need to ensure the proper 21st century safeguards are in place to prevent another financial crisis.”

“Though the cloud service providers at issue may not process monetary transactions directly, their operational stability underpins an increasing share of banks’ central functions,” Porter and Velazquez say.

Their calls extend beyond just AWS, with Microsoft Azure and Google Cloud also potentially impacted if any action was to go ahead.

Bank of America has a stated aim to deliver 80 percent of its technological functions on virtual platforms and with public cloud infrastructure ‘within the next several years’ – leaving it potentially unable to perform up to 80 percent of its technological functions if Azure failed, the congresswomen say.

Microsoft claims more than 80 percent of the world’s largest banks – and more than 75 percent of the globally systemically important financial institutions – are using Azure.

HBSC meanwhile, is among the banks using Google Cloud.

Synergy Research Group has Amazon, Microsoft and Google taking out 57 percent of the cloud infrastructure services share in Q2, with Amazon far and away the winner at 33 percent, followed by Microsoft on 16 percent share.

“An Amazon Web Services cloud failure in particular would debilitate major swaths of the financial industry, basic government functions and our national security,” Porter and Velázquez say.

Porter and Velázquez have asked Mnuchin to respond by September 15.

Porter and Velázquez aren’t the first to allude to tech companies as being systemically important. Back in 2017, the World Economic Forum noted that financial institutions increasingly resemble, and are dependent on, large technology.

The Davos report, Beyond Fintech: A Pragmatic Assessment of Disruptive Potential in Financial Services, which was prepared in collaboration with Deloitte, noted AWS ‘is forming the backbone of the financial services ecosystem’ with everyone from JPMorgan Chase to startups adopting the cloud giants offerings for data storage and processing.

That report, however, did not call for regulatory oversight – in fact, Jesse McWaters’ WEF project lead for disruptive innovation in financial services, went so far as to say in American Banker at the time that branding tech companies systemically important financial institutions would not be appropriate.

A recent post on Duke University’s Duke Law Global Financial Markets Center FinReg blog, also highlighted the rise of cloud in financial services and the risks posed and argued – at length – for the FSOC to classify the largest cloud service providers as systemically important financial market utilities.

“Even before the Capital One breach, it was clear that existing regulations governing financial institutions’ use of the cloud were inadequate,” guest bloggers David Fratto and Lee Reiners say in the Duke blog.

“Cloud computing is a new source of systemic risk and it should be recognised as such by FSOC.”

ERP Buyers Guide