City regulators will begin cracking down in the new year on tech firms providing “critical” services to UK banks amid concerns that cyber-attacks and outages at companies such as Google or Amazon could put the country’s financial stability at risk.
From 1 January, the Bank of England and the Financial Conduct Authority will be handed powers to regulate companies that are becoming a crucial part of the day-to-day operations of the increasingly digital banking and payments sector.
That includes companies that offer cloud storage, AI, and automated programmes that can help detect fraud.
It is hoped that extra oversight, which would involve compulsory reporting of major incidents and coordinated planning for emergencies, will help to avert banking blackouts.
The regulators are in the process of putting together a list of companies they think are crucial to regulate. It is likely to include firms such as Amazon Web Services, which counts HSBC, Starling Bank, Nationwide, and Monzo among its clients.
Google is also likely to be in the crosshairs, as it serves companies including Revolut, NatWest, GoCardless, and Atom Bank. Microsoft shares a number of those clients and lists Investec, Virgin Money and Standard Chartered as customers.
The final list is expected to be signed off by ministers by June. Once confirmed, it will mark the first time that web services arms of big tech firms come under City regulation.
However, the question of which companies should be regulated is likely to be a sensitive topic among Labour ministers, who are trying to attract investment into the UK, including from big US tech firms.
Rachel Reeves last month hailed an £8bn investment by Amazon Web Services to build datacentres in the UK. The company said it would create as many as 14,000 jobs at Amazon and in local businesses and contribute £14bn to the UK’s national income, or gross domestic product (GDP), from 2024 to 2028.
Once they come under FCA and Bank of England supervision, tech firms and other suppliers will have to undergo stress tests that check how they respond to imagined emergency scenario that puts their operations under severe strain. They will also be forced to report major incidents such as cyber-attacks, power outages, and the impacts of natural disasters to the Bank of England and FCA.
The FCA has previously said: “Financial firms and financial market infrastructures, such as payment systems, have become increasingly reliant on the services of a small number of third-party providers, known as critical third parties.
“While these third parties can enhance competitiveness for the sector, disruption or failure to one of them – such as a cyber-attack or power outage – could affect a large number of consumers and firms, and threaten the stability of the UK financial system.”
The Bank of England has been keeping a close eye on these critical third parties, and started monitoring cloud providers in 2018. The bank’s governor, Andrew Bailey, raised concerns about cloud service providers in 2021, saying: “As they become more integral to the system, we have to get more assurance that they are meeting the levels of resilience that we need.”
Commenting on the regulation, a Treasury spokesperson said: “Growth and driving investment is the government’s number one priority, and remit letters we issued at Mansion House to the regulators will reinforce this. This will hardwire growth into the mindset of the regulators, supporting businesses to invest and grow in the UK.
“We are working with the FCA, PRA [Prudential Regulation Authority] and Bank of England to regulate systemically critical third-party suppliers that support the UK financial sector. We will decide which companies will be regulated in 2025.”
