Few doubt the vulnerability of the troves of banking data stored on the cloud. Man-made threats range from ransomware to systems failures. Nature could atomise information in a single solar storm such as the Carrington event of 1859.
The UK’s Prudential Regulation Authority, which oversees financial stability, is right to take steps to bolster banks on the cloud. Data storage is a systemic vulnerability just like financial risk.
Banks have been decanting customer data from clunky mainframes to third-party data managers for a decade and more. These groups, led by Amazon Web Services, Microsoft’s Azure and Google, are typically better skilled and resourced than in-house IT departments. One lawyer likens it to leaving your passport in the hotel safe, rather than carrying it out and about.
The counter argument is that there are only a few big cloud businesses. That means they concentrate risk. This is one reason many financial institutions have already adopted multi-cloud strategies. Rules on onshoring sensitive information also encourage this. HSBC, for example, uses Google and AWS.
The PRA’s operational resilience framework already covers banks’ use of cloud computing. A step further into the world of data storage takes the PRA a step further out of its financial wheelhouse.
The risk of a heavy-handed approach is already evident in Europe. There, regulators’ desire to coalesce fragmented legislation and level the playing field have resulted in a demanding road map that financial institutions must follow.
The European Commission’s proposed Digital Operational Resilience Act, (Dora) aims to bolster financial institutions’ defences against cyber attacks and other risks. Banks have to create a whole new risk management framework. European nations have also banded together over Gaia-X, a software framework for control and governance that sits on top of existing cloud platforms.
UK banks and financial services companies would chafe at provisions as onerous as Dora. That explains why the PRA is proposing a less prescriptive cloud charter.
It is via such small differences that the UK will define post-Brexit financial standards, with all the opportunities for competitive advantage and extra risk that brings.
If you are a subscriber and would like to receive alerts when Lex articles are published, just click the button ‘Add to myFT’, which appears at the top of this page above the headline