The FSB is reviewing cloud provider concentration risk in the latest example of regulator concern over reliance on leading cloud providers by financial services institutions.
The Financial Stability Board (FSB), an international body of G-20 central banks and supervisors, continues to scrutinize the use of cloud services by financial services institutions. The FSB previously noted its concerns about the concentration risk of cloud services in the financial markets in a report of February this year. In that report, the FSB encouraged regulators worldwide to review their national regulatory frameworks to ensure appropriate oversight of cloud providers.
US Federal Reserve Governor and FSB member Lael Brainard spoke of the FSB’s disquiet about the concentration of cloud services provided by the major technology companies to the financial services market at a recent hearing of the US House Financial Services Committee. Brainard also stated that the Federal Reserve is looking specifically at whether major financial institutions should be forced to use multiple cloud providers in order to mitigate concentration risk. However, she also acknowledged that the majority of cloud services already have well-established redundancy protocols in place. Whether the FSB, and other regulators, would ultimately get comfortable with redundancy, failover, and other technical mitigations, rather than strict obligations for institutions to spread their risk across multiple providers, remains to be seen. In a further clear message to financial services institutions, Brainard set an expectation for institutions to be held accountable for performing robust risk assessments when engaging with cloud providers.
US lawmakers, as well as European supervisory authorities, share the FSB’s concerns around the risk of cloud disruption on the stability of financial institutions and markets, as noted in a previous post of 5 September. Latham & Watkins will continue to monitor the many expected developments in this area.