Does the regulator think that banks are clouding the issues?

During the lockdown, banks moved rapidly to sign cloud contracts. Thing is they were signing with the likes of Amazon, Google and Microsoft, but these are all American firms. Where are the European ones?

I raised this issue two years ago, but it is now coming to a head as new rules require banks to know exactly what data is being stored where and how by their cloud service providers.

This was a concern for a while, but spring-boarded front and centre when Amazon Web Services had another failure late last year.

Amazon’s massive cloud-computing operation Wednesday suffered its third outage in a month, briefly shutting down a vast number of online services critical to everyday life and highlighting again the vulnerabilities of an increasingly interconnected Web.

The fact that banks are dependent on these third party services, whether American or not, is an exposure that could lead to bank failures if those services fail. This is what the Prudential Regulatory Authority (PRA) are focused upon, and it is all about the operational resilience of cloud service providers.

A particular concern is if one of the big cloud providers is hacked or subject to a cyberattack. The ripple effect cascades through the economy and can affect everything from Slack to Tinder to core banking services.

How do we protect ourselves against such things?

That’s why the PRA is introducing a stringent new regime where banks must prove their checks and balances with their cloud service provides for disaster recovery and operational resilience. The new rules come into effect on March 31 2022.

This is important, particularly as Amazon Web Services has struck high-profile deals with Barclays and HSBC, while Lloyds Banking Group has announced partnerships with both Google Cloud and Microsoft Azure. McKinsey has forecast that 40% to 90% of banks’ IT operations globally could move to the cloud within a decade, according to the FT.

Whatever your view, it sits firmly in my view in the risk management aspects of technology within a bank or FinTech. You have regulated processes, a promise of trust, security and stability, and an expectation of resilience and surety that can never be broken. However, the more banks use third party services, whether API or cloud services, the more banks need to assure that they have completed full due diligence on their third party providers.

More importantly, and this is what the PRA is trying to ensure, if there is a failure in the network, there needs to be blame. I’ve always struggled with this for a while. If a payment fails and it was taken by Stripe and sent via Braintree to be processed by a MasterCard from an account of ABC Bank, who is to blame for the failure?

We are moving to a world where Banking-as-a-Service (BaaS) is great, but the failure of one player in the ecosystem, even if just for minutes, might create a forensic process of reconstruction to work out who is to blame. The way in which it is moving though, is that the detectives who will have to lead such investigations are the banks who determined to use such external services with their sensitive customer data.

Beware and be aware. With great power comes great responsibility, and banks are being viewed as having the power. Therefore, if they use cloud services and such services fail, they also have the responsibility.