Treasury moves to regulate cloud providers

Image: AVNSURESH/Pixabay

Pardon the Interruption

This article is just an example of the content available to mallowstreet members.

On average over 150 pieces of new content are published from across the industry per month on mallowstreet. Members get access to the latest developments, industry views and a range of in-depth research.

All the content on mallowstreet is accredited for CPD by the PMI and is available to trustees for free.

Four cloud computing providers will be brought into financial regulation through the Critical Third Parties regime from Monday, the Treasury has said. MPs had been calling for the government to make use of the regime earlier this year.  

The government has moved to follow calls for regulating providers the financial system increasingly relies on. From 13 July, Microsoft Ireland Operations, Google Cloud EMEA, Amazon Web Services EMEA, and Oracle Corporation UK will be designated as critical third parties to the UK’s financial system. Further providers may be designated over time, the government has said.  

The designation means the Bank of England, Prudential Regulation Authority and Financial Conduct Authority will jointly oversee the critical services they provide to the financial sector, aiming to reduce the risk of widespread disruption while potentially strengthening collaboration across the financial services ecosystem. 

Economic secretary to the Treasury and City minister Rachel Blake said: “We are a world-leading financial centre, and maintaining trust in our financial system is essential to its success. These designations will help ensure the critical services financial firms rely on remain resilient, protecting consumers and businesses while supporting growth across the economy.” 

Cloud providers say they will comply


Freddy Dezeure, deputy chief information security officer for Europe at Microsoft, said the designation of Microsoft Ireland Operations as a critical third party “marks a new chapter” in the firm’s relationship with the UK, adding: “Microsoft remains fully committed to complying with the relevant oversight requirements and the UK’s cybersecurity and resilience laws.” 

A spokesperson for Google Cloud said the firm is confident that, “with effective implementation and meaningful industry engagement”, the Critical Third Parties framework can enhance the long-term resilience of the UK’s financial ecosystem as well as increase understanding, transparency and trust between all parties. 

Amazon Web Services also provided a supportive statement. “AWS will comply with all applicable regulations, and we remain committed to helping customers to meet their business and operational resilience objectives,” said Michael Jefferson, head of financial services public policy EMEA at AWS. 

Kevin Kimber, senior vice president general manager UK&I at Oracle, said enhancing the operational resilience of the UK financial sector was an important objective, adding: “We are committed to working closely with the regulators and our financial services customers toward that objective, while also supporting the government in accelerating innovation and promoting long-term economic growth.”  

MPs recommended making cloud providers Critical Third Parties


In January, a report by the Treasury Committee warned that while AI can bring benefits to consumers, the UK is unprepared for AI-related shocks. 
 
Dame Meg Hillier, who chairs the committee, said the risks needed to be better managed. “Based on the evidence I've seen, I do not feel confident that our financial system is prepared if there was a major AI-related incident and that is worrying. I want to see our public financial institutions take a more proactive approach to protecting us against that risk,” she said. 
 
The committee recommended that the Treasury should designate major AI and cloud providers as critical third parties to the financial system. This would mean they will fall under the Critical Third Parties regime introduced in January 2025, but which the government had not made use of until now. 
 
The report published six months ago also recommended that the Bank of England and the FCA should conduct AI-specific stress-testing to boost businesses’ readiness for any future AI-driven market shock, and proposed the FCA should publish practical guidance for firms by the end of the year. The regulator said earlier this week that it will put out a guide on good and bad practice later this year, as well publishing the Mills Review into AI in financial services. 
    
The Pensions Regulator is also due to publish guidance on AI and has issued a call for industry input over the summer. 
 
   
   

Can financial regulation catch up with technology?

More from mallowstreet