The UK proposes regulating critical third-party tech providers in the financial system

The news: The UK Treasury proposed to regulate “critical” third-party tech providers in the UK financial sector, per Bloomberg.

What can regulators do? The proposal would let regulators designate certain third-party service providers, like cloud technology providers, as critical to the UK financial system.

That designation would give regulators the authority to:

  • Request information related to the firm’s resiliency and contingency plans in the event of an emergency
  • Appoint an independent “skilled” party to analyze the services the firm provides
  • Investigate potential requirements breaches
  • Interview key individuals from the firm and require them to produce requested documentation
  • And enter the premises under warrant in the event of an investigation

The risk: Many financial service providers digitize their infrastructure by partnering with third-party tech companies that specialize in things like cloud computing and APIs. But those partnerships are increasingly concentrated among a handful of firms like Amazon and Microsoft.

  • Up to 82% of banks plan to move more than half of their mainframe workload to the cloud, according to an Accenture study.
  • And as of 2020, more than 65% of UK firms used the same four providers for cloud infrastructure services, according to a Treasury statement.

With that level of concentration, an emergency or outage at one of these companies could have consequences that ripple across the entire financial services sector. The proposal is designed to mitigate or prevent such a mass disruption, which would undermine consumer trust in the UK financial sector.

Why is this important? Ensuring financial technology is sound, resilient, and diverse is vital as risks heighten globally.

  • The average number of cyberattacks and data breaches increased by 15.1% year over year in 2021, per ThoughtLab.
  • And 41% of breaches caused by cloud misconfiguration occurred at tech companies in 2020, per a DivvyCloud study.
  • The financial industry spends on average $5.72 million per data breach, the second-highest amount of any industry, to fight off cyberattacks, per an IBM report.

The new UK proposal will hold these third-party tech firms accountable and should give some peace of mind to financial institutions and their customers.