BIS warns “Big Tech” a risk to financial stability as regulatory concentration risk fears linger
Hyperscalers may be tired of making the case for resilience, but regulators are not done fretting...
The arrival of “Big Tech” in financial services poses a potential risk to financial stability and needs new regulatory thinking. That’s according to a new paper from the Bank for International Settlements (BIS).
Its authors, including Fernando Restoy, Chairman of the BIS’s Financial Stability Institute, note that “Big Tech”’s business models create “complex interdependencies between commercial and financial activities.”
This, they argue, “can lead to an excessive concentration in the provision of both financial services to the public and technology services to financial institutions”, adding that “intragroup dependencies in relation to data or critical technology functions (e.g. cloud services) are key sources of concern for operational resilience.”
The “central banks’ central bank” proposes two alternative new regulatory frameworks:
One it dubs “segregation” – a “structural approach that seeks to minimise risks arising from group interdependencies between financial and non-financial activities by imposing specific ring-fencing rules.”
The other it calls “inclusion” – under which a new regulatory category would be created “for big tech groups with significant financial activities. Regulatory requirements would be imposed for the group as a whole, including the big tech parent… [and would] introduce controls for intragroup dependencies across financial and non-financial subsidiaries” the BIS suggests, saying that whatever approach is taken, “there is a clear need for the international regulatory community to develop guidance” here in order to minimise growing risk.
BIS Big Tech regulation proposals explained
The BIS’s 46-page “occasional paper” refers both to the growing dominance of “Big Tech” payments and other financial services providers in China, as well as the fact that “financial firms rely heavily on cloud computing services” – suggesting that “financial institutions may offer their financial products through big tech platforms”.
Potential risks to financial stability can now originate not just from the traditional “direct provision” of financial services and commercial activities, but also from “extensive linkages [of Big Tech] with traditional financial institutions”, the BIS says, adding that “excessive dependence by financial institutions on third-party providers generates operational risks. When those services are of a technological nature, the vulnerabilities become more pronounced, due to possible cyber incidents affecting the continuity of services and data protection.”
For all major cloud providers’ increasingly successful efforts to convince regulators that critical financial services applications and workloads moving from banks’ own data centers to the cloud is a safe and resilient option, persistent concerns about “concentration risk” and operational resilience have lingered with regulators.
The BIS’s paper comes as the Bank of England, PRA, FCA, and HM Treasury are developing measures to manage the systemic risks posed by critical third parties (CTP) to UK financial institutions “including but not limited to cloud service providers” and plan to publish a joint Discussion Paper in 2022 to inform future regulatory proposals relating to CTPs, “particularly on technically complex areas such as resilience testing” he added.
BoE makes firms test “severe” operational resilience scenarios
The BoE set out three new draft supervisory statements on April 14 that raised fresh concerns at the possibility of “systemic concentration risks” arising from the migration of financial market infrastructure (FMI) to the cloud, suggesting that a more robust set of demands to ensure IT resilience is coming soon. New operational resilience policies meanwhile came into force on 31 March 2022. Banks have until March 2025 to comply.
Critics of excessive cloud reliance say portability is often an issue. Clearly defined exit plans to allow for relocation of infrastructure, codebase, and data between cloud providers are critical, they argue, covering both stressed and unstressed scenarios – e.g. responding to a catastrophic CSP failure or when a commercial relationship ceases. As Capco puts it in one recent whitepaper: "It also needs predefined capacity for provisioning the infrastructure and increases vendor lock in and concentration risk levels. If for some reason the relationship with the CSP breaks down, your workloads would move back on-premises and you would lose the benefits of the public cloud."
David Walker, Field CTO, EMEA, open source distributed SQL company Yugabyte, told The Stack: “Cloud concentration risk combines the disadvantages of vendor lock-in with the risk of operational failure because you have all your eggs in one cloud services provider (CSP) basket. You lose negotiating leverage and you become vulnerable to failure in the services of that provider… A single Cloud Service Provider may [also] not be able to satisfactorily or competitively deliver data sovereignty in every geography where a bank operates.
“National and regional regulators routinely demand personal and other data relating to their citizens be stored only in stipulated geographies. This means that institutions need the capability to distribute the ‘data layer’ across providers and across geographies. Otherwise they must either adopt expensive and complex disjointed regional replicas - with a significant negative impact on operational costs and the pace of innovation.”
To most hyperscalers this will all seem like tired news. They believe that they have amply demonstrated the capability to support – and are already supporting – low-latency, highly resilient, mission-critical applications for financial services providers ranging from Bloomberg, CapitalOne, Standard Chartered and beyond and that rules governing operational resilience and outsourcing are already rightly tightening up requirements.
Yet as the BIS paper shows, regulators are not resting easy.
To its authors, current regulations are “piecemeal” and tackle risks “one by one without fully acknowledging them as they are all directly linked to the unique business model of big techs”.
One answer, the BIS suggests, could be a “consistent set of entity-based rules spanning different but related domains (governance, conduct of business, operational resilience, financial solvency).” Its detailed discussion spans a wide-ranging set of discussions around optimal supervisory principles for prudential regulation and is clearly aimed not just at cloud providers, but eyes a future in which “Big Tech” may also underpin the rails of stablecoins and potentially issue their own, as well as use their rich data sets to offer wealth management or any other financial services.
Regardless, the paper's authors are clear on their views: "[Big Tech operates under a] unique business model based on the exploitation of network externalities which leverage on the extensive use of customers’ data across business lines. That business model has the potential to lead to excessive market concentration, amplify operational risks and damage the integrity of the payment and the financial system."
“In principle”, its authors conclude, “for the sake of consistency, the oversight of all rules affecting big tech parents could be assigned to a single supervisory authority.” It’s clear, if unsaid, whom they have in mind.