Third-party dependencies in cloud services: Considerations on financial stability implications
With the adoption of cloud computing and data services across a range of functions at financial institutions, there are new financial stability implications for authorities to consider. Financial institutions have used a range of third-party services for decades, and many jurisdictions have in place supervisory policies around such services. Yet recently, the adoption of cloud computing and data services across a range of functions at financial institutions raises new financial stability implications.
Cloud services may present a number of benefits over existing technology. By creating geographically dispersed infrastructure and investing heavily in security, cloud service providers may offer significant improvements in resilience for individual institutions and allow them to scale more quickly and to operate more flexibly. Economies of scale may also result in lower costs to clients.
However, there could be issues for financial institutions that use third-party service providers due to operational, governance and oversight considerations, particularly in a cross-border context and linked to the potential concentration of those providers. This may result in a reduction in the ability of financial institutions and authorities to assess whether a service is being delivered in line with legal and regulatory obligations.
This report concludes that there do not appear to be immediate financial stability risks stemming from the use of cloud services by financial institutions. However, there may be merit in further discussion among authorities to assess: (i) the adequacy of regulatory standards and supervisory practices for outsourcing arrangements; (ii) the ability to coordinate and cooperate, and possibly share information among them when considering cloud services used by financial institutions; and (iii) the current standardisation efforts to ensure interoperability and data portability in cloud environments.