UK regulators just put AWS, Microsoft, Google, and Oracle under direct financial oversight

UK regulators just put AWS, Microsoft, Google, and Oracle under direct financial oversight

HM Treasury designated four cloud giants as critical third parties, giving the Bank of England new powers over the infrastructure running most of Britain's financial system.

The UK government just did something no major economy has done before: it told the biggest cloud providers in the world that they now answer to financial regulators. Not because they’re banks. Because banks can’t function without them.

HM Treasury designated Amazon Web Services, Microsoft, Google, and Oracle as the first “Critical Third Parties” under the Financial Services and Markets Act 2023. The designations were announced on July 10 and take effect from July 13, bringing these four tech giants under the direct oversight of the Bank of England, the Prudential Regulation Authority, and the Financial Conduct Authority.

The concentration problem nobody could ignore

More than 65% of UK organizations depend on these four companies for their cloud infrastructure. That’s not a technology stat. That’s a systemic risk stat.

Advertisement

What the new rules actually require

Regulators now have the authority to require resilience testing of these cloud providers. The Bank of England can stress-test AWS on whether the infrastructure can withstand shocks without taking down the financial system with it.

The designated providers must also submit self-assessments and report major incidents directly to regulators. Previously, if AWS had an outage affecting financial firms, those firms would report it. Now AWS itself has a reporting obligation to the very regulators overseeing the banks it serves.

Before this designation, cloud providers operated in a regulatory gap. They weren’t financial institutions, so financial regulators had no direct authority over them. The CTP framework closes that gap.

AWS has publicly indicated support for the regime’s goals and participated in consultations with regulators during the development process.

Why crypto investors should pay attention

The crypto industry runs on the same cloud infrastructure as traditional finance. Major exchanges, custodians, and blockchain analytics firms overwhelmingly rely on AWS, Google Cloud, and Microsoft Azure.

The flip side is cost. Compliance isn’t free. Cloud providers will likely pass through some portion of their regulatory compliance costs to customers, including crypto firms operating in the UK.

These four companies were designated because of their dominance. If the regulatory burden becomes significant enough, it could paradoxically entrench their positions further, since only the largest providers can absorb the compliance costs. Smaller cloud competitors might find the barrier to serving UK financial clients just got higher.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.

UK regulators just put AWS, Microsoft, Google, and Oracle under direct financial oversight

UK regulators just put AWS, Microsoft, Google, and Oracle under direct financial oversight

HM Treasury designated four cloud giants as critical third parties, giving the Bank of England new powers over the infrastructure running most of Britain's financial system.

The UK government just did something no major economy has done before: it told the biggest cloud providers in the world that they now answer to financial regulators. Not because they’re banks. Because banks can’t function without them.

HM Treasury designated Amazon Web Services, Microsoft, Google, and Oracle as the first “Critical Third Parties” under the Financial Services and Markets Act 2023. The designations were announced on July 10 and take effect from July 13, bringing these four tech giants under the direct oversight of the Bank of England, the Prudential Regulation Authority, and the Financial Conduct Authority.

The concentration problem nobody could ignore

More than 65% of UK organizations depend on these four companies for their cloud infrastructure. That’s not a technology stat. That’s a systemic risk stat.

Advertisement

What the new rules actually require

Regulators now have the authority to require resilience testing of these cloud providers. The Bank of England can stress-test AWS on whether the infrastructure can withstand shocks without taking down the financial system with it.

The designated providers must also submit self-assessments and report major incidents directly to regulators. Previously, if AWS had an outage affecting financial firms, those firms would report it. Now AWS itself has a reporting obligation to the very regulators overseeing the banks it serves.

Before this designation, cloud providers operated in a regulatory gap. They weren’t financial institutions, so financial regulators had no direct authority over them. The CTP framework closes that gap.

AWS has publicly indicated support for the regime’s goals and participated in consultations with regulators during the development process.

Why crypto investors should pay attention

The crypto industry runs on the same cloud infrastructure as traditional finance. Major exchanges, custodians, and blockchain analytics firms overwhelmingly rely on AWS, Google Cloud, and Microsoft Azure.

The flip side is cost. Compliance isn’t free. Cloud providers will likely pass through some portion of their regulatory compliance costs to customers, including crypto firms operating in the UK.

These four companies were designated because of their dominance. If the regulatory burden becomes significant enough, it could paradoxically entrench their positions further, since only the largest providers can absorb the compliance costs. Smaller cloud competitors might find the barrier to serving UK financial clients just got higher.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.