MPs urge UK to consider regulation of cloud providers

Out-Law News | 29 Oct 2019 | 9:54 am | 2 min. read

The regulation of cloud service providers should be considered by the UK government, an influential group of MPs has said.

The call from the Treasury Select Committee came in a new report published at the end of its inquiry into IT failures in financial services.

According to the report, operational incidents in the financial services sector are "increasing in frequency" and the Committee said regulators should "maintain a very low tolerance for disruption to the most important services". It further suggested regulators should look to hold individuals at firms personally responsible for IT failures under the Senior Managers and Certification Regime as part of a stronger approach to enforcement.

"We accept that completely uninterrupted access to banking services is not achievable, yet prolonged or regular IT failures are unacceptable," the report said.

The Committee warned in particular about the potential scale of disruption to online banking and payment services that could arise in cases where there is an outage at a third party provider relied upon by a number of different financial institutions.

"The cloud service provider market stood out as a source of concentration risk during the inquiry," the Committee said. "This market is already highly concentrated and there is probably nothing the government or regulators can do to reduce this concentration in the short or medium term."

"The consequences of a major operational incident at a large cloud service provider could be significant, and not just limited to the financial services sector. The case for the regulation of these providers to ensure high standards of operational resilience is therefore considerable. The government should urgently consider how best to regulate cloud service providers. Regulating them as critical infrastructure, while complex, may be necessary," it said.

The Committee said that concentration risk can be addressed in other ways, however. It called on industry and UK financial regulators to act on "establishing channels of communication with common suppliers to use during an incident, utilising the EBA process of leveraging pooled audit arrangements for cloud service providers, and potentially building applications able to substitute a critical supplier with another".

The MPs also used their report to recommend greater consistency and transparency from financial services companies in their reporting of operational incidents.

"The lack of consistent and accurate recording of data on operational incidents is concerning," the Committee said. "The regulators should conduct an exercise to assess the accuracy and consistency of incident reporting. If necessary, the regulators should clarify standards, guidance and definitions for industry on what incidents firms should both record and report. They should also consider the need to expand current reporting requirements, to cover broader services provided by firms. Higher quality incident reporting will serve to improve the ability of both the regulators and industry to identify the biggest risks to the operational resilience of the sector."

"It is very difficult for customers to determine which financial services providers are operationally resilient, and to make clear comparisons across the industry. The regulators should require clearer and more prominent public reporting to empower customers to make informed decisions regarding which provider they use, and to increase firms’ focus on operational resilience. Where firms already publish incident information, this should be given greater prominence in information made available to prospective and existing customers, such as that given to wait times and complaints, which are visibly displayed in bank branches for all to see," it said.