Regulators treating financial services cloud technology as a single-bank outsourcing problem are failing to address the systemic risks it and other new technologies pose, such as a multi-firm catastrophic data loss. Regulators should examine what risks cloud use poses to their own organisations as well.
“We’re moving toward a world where the largest or most significantly regulated industry is running on unregulated infrastructure,” said Richard Harmon, U.S.-based Cloudera’s managing director for financial services.
Technological infrastructure and data have become systemic risks because firms are now risk information processors, producers and distributors. The data firms use to measure risk has itself become a critical asset. Firms’ and regulators’ use of cloud to process, measure and distribute data will only rise, accruing more systemic risk. Firms’ ability to manage data effectively, accurately and securely is intrinsic to its value and is linked to other actors, said PJ Di Giammarino, chief executive of regulatory think tank JWG. Essentially, firms need to assure the integrity of the data and technology they use; otherwise their risk data will be meaningless and will itself pose a systemic risk.
“In all-data businesses like financial services, technical infrastructure is as critical as your inventory. Not all systematic and systemic risk is payment-related. Risk is inherent in the infrastructure itself and there are two increased levels of risk in the system right now. One is all the technology — like cloud — that can solve business problems in exciting ways by introducing new infrastructure very quickly. The other is the regulators moving their controls to more digitally enabled and data-centric models. All of this means there is a lot more at stake when a firm and its regulators are thinking about what infrastructure data sits on. When you look holistically at new technologies banks use, you realise there is a difference between regulating connected infrastructure and regulating the idiosyncratic risk of a financial institution. The disconnect we spotted is [that] data and infrastructure pose a new kind of risk and it is systemic and unaccounted for on the balance sheet. It is something we ought to look at and ought to measure in a standardised way across the globe,” Di Giammarino told Thomson Reuters Regulatory Intelligence (TRRI).
Current regulatory approach focused on operational risk
Data and infrastructure risk should become a balance sheet item to be managed through firms’ environmental, social and governance (ESG) frameworks, Di Giammarino said. Regulators need to develop a way to measure what Di Giammarino calls systemic technology risk (STR) and idiosyncratic IT risk, then embed it in the governance element of ESG. Firms that measure and manage IT and data risks well could be rewarded with regulatory capital relief, he said.
Systemic technology risks will not be addressed by the European Securities and Markets Authority’s (ESMA) and the International Organisation of Securities Commissions’ (IOSCO) current work on cloud technologies, for example. Those consultations comprise guidelines for outsourcing arrangements, including some guidance on information security and data protection. It is an operational risk approach that does not address systemic risk problems.
This guidance does not, for example, contemplate a scenario where several cloud service providers fall over in a cyber attack and many banks, and potentially regulators too, suffer catastrophic data loss. Regulators should take a closer look at the risks embedded in firms’ IT infrastructure, such as IT obsolescence, legacy systems and data integrity, Di Giammarino said.
“The risk of data and the infrastructure which supports it is now too large to remain off-balance sheet. In volatile markets like we’ve seen in 2020, the rapidity of market prices going against positions crystallises the risk of data as an absolute risk,” Di Giammarino wrote in Risk Control for a Digitised Financial Sector.
Regulators concerned about cloud use and management
The importance of systemic risk attached to data and infrastructure does not mean that outsourcing and issues such as cloud concentration risk are unimportant. European and UK regulators in particular take a keen interest in financial services firms’ cloud use across a number of themes, with security, disaster recovery and privacy among the top concerns.
“Until 2018 and 2019 the [Dutch National Bank] was asking banks and financial institutions to inform them of every IP application that goes to cloud — where the data centre is, how it is being managed, what is the product used, what is the cloud platform? It clearly shows they want to have the insight to understand what’s happening in the cloud space. The regulatory bodies are interested in where your data and applications are because they want to ensure the security and integrity of the system and the information,” said Sonal Vaid, Synechron’s cloud practice lead in Amsterdam.
Financial services firms are very much alive to the concentration risks posed by some of the larger cloud providers. While there is no current regulatory restriction on firms’ use of cloud providers, many firms opt for a hybrid approach (public/private cloud) and use multiple providers to mitigate the risk, Vaid said.
This article originally appeared in Thomson Reuters Accelus Regulatory Intelligence on 16 September 2020