The U.K. Treasury released a policy paper on Wednesday (June 8) proposing a new regulatory framework that would provide the Bank of England (BoE) and the Financial Conduct Authority (FCA) with new powers to oversee tech firms that provide critical services to the financial industry.
The government is concerned about the growing dependence of banks on cloud computing, as these services are mostly provided by a handful of players. As of 2020, over 65% of U.K. firms used the same four cloud providers for cloud infrastructure services, according to the Treasury statement.
If many firms rely on the same third party for material services and this company fails, it could have a systemic impact across the financial system, the paper argues.
The government doesn’t cite by name which non-financial companies may be “critical” for the industry, but Amazon and Microsoft are two of the companies that may be affected by this regulation. The financial regulators’ current powers are not sufficient to tackle the systemic risks that disruption at a third party providing key services to multiple firms could cause, so the Treasury is proposing new legislation to address this concern.
First, the Treasury, in consultation with the BoE and the FCA, will designate certain third parties as “critical.” The policy paper doesn’t offer information about the criteria that regulators will use to designate a company as “critical,” only that it will take into account “the number and type of services and the materiality of these services.”
These criteria will be set out in primary legislation, and it is expected that the third parties affected could also make representations to the Treasury about this designation.
Second, once a company has been designated as “critical,” the financial regulators will be able to make rules relating to the provision of these material services, gather relevant information from critical third parties and take formal action (including enforcement) where needed. More detail on these powers is expected in primary legislation, but the Treasury indicates that the regulators will be able to enter companies’ premises as part of an investigation, request information and require the production of documents.
The paper doesn’t include all the potential penalties for the companies if they don’t comply with the regulator’s requests, but as a last resort, the government is considering granting regulators the power to prohibit a critical third party from providing future services or continuing to provide services to firms.
The government’s next steps are to propose new legislation and publish a discussion paper on this topic shortly after such legislation is introduced. Legislation could be passed within the current parliamentary session, which started in May, because the government included this plan in the Queen’s speech, which usually sets out the laws to be discussed in a parliamentary session.
U.K. DORA Equivalent
The U.K.’s plan to provide regulators with additional powers to supervise cloud providers in financial services mimics the European Union’s legislative proposal on the Digital Operational Resilience Act (DORA).
DORA is a new law proposed by the European Commission that aims to establish uniform requirements for the security of networks and information systems in the financial sector.
While most of the proposed law addresses banks and other financial institutions in Europe, there is a chapter devoted to information and communications technology (ICT) third-party risk, which includes cloud providers of critical or important functions.
DORA will enable the European Supervisory Authorities to access critical ICT third-party service providers directly — and sanction them if necessary. First, as in the U.K. proposal, cloud providers will need to be designated as critical ICT third-party service providers. Then, the companies will be subject to a new set of rules.
But unlike the U.K. policy paper, which sets out the initial plan, the EU institutions reached an agreement in May and DORA is expected to be formally approved in the coming weeks or months. This means that Microsoft, Amazon and other cloud providers may be subject to more regulatory oversight in Europe in 2023.