Tech Giants Face More BOE Scrutiny Under Supplier Risk Rules
Major technology companies working with U.K. finance firms will face closer scrutiny, regulators said on Tuesday, as they set out long-awaited new rules to tackle potential risks posed by critical third-party suppliers.
Under regulations coming into force starting Jan. 1, watchdogs will have greater power to take action against some service providers if they see a risk to the financial system. The Financial Conduct Authority and Prudential Regulation Authority could ask tech companies to organize so-called section 166 reports, to collect information from inside a firm — similar to the reviews they already get from the finance industry.
Critical third parties will also be required to co-operate with regulators during operational incidents, and to document how they are managing risks and security relating to their work with U.K. firms.
With many of the world’s biggest banks trimming expenses by downsizing their own IT infrastructure and renting computing power and storage from tech giants, the perils of potential technical glitches have risen manifold. The disruption to markets during the CrowdStrike Holdings Inc. outage in July drew further attention to such concentration risks.
“While these third parties can enhance competitiveness for the sector, disruption or failure to one of them — such as a cyber-attack or power outage — could affect a large number of consumers and firms, and threaten the stability of the UK financial system,” the FCA said in a statement Tuesday.
Roughly 70% of banks and 80% of insurers using the cloud for infrastructure relied on just two providers, the Bank of England found in a survey published in 2020. Cloud providers such as Microsoft Corp., Alphabet Inc.’s Google Cloud and Amazon.com Inc.’s AWS are now under increasing scrutiny globally for their central role in the financial system. Representatives for the three tech giants didn’t immediately respond to a request seeking comment.
Under the latest UK rules, the Treasury will now decide which suppliers are critical third parties, informed by advice from regulators. The previous government said the list of companies “will represent only a small number of the overall number of third parties to the financial services sector.”
The European Central Bank and the Bank for International Settlements are also considering how best to manage such risks.