Does Amazon-Google-Microsoft hold on the cloud pose a risk to banking?
WASHINGTON — Policymakers concerned about banks' cyberdefenses are increasingly focused on technology giants that provide financial institutions with cloud computing services.
Federal regulators already have authority to monitor bank-vendor relationships, but some in Congress and elsewhere believe more must be done to combat what they deem a systemic threat from big tech firms storing so much financial-sector data.
Following the recent Capital One data breach, which affected over 100 million credit card applicants, House Democrats circulated a proposal to have the Financial Stability Oversight Council designate Amazon Web Services, Microsoft Azure and Google Cloud as "systemically important financial market utilities."
The label, which has already been applied to eight organizations that support financial infrastructure, would subject the tech giants to heightened prudential and supervisory standards.
“The level of supervision we’ve seen is not going to cut it,” said Lee Reiners, executive director of Duke University’s Global Financial Markets Center and formerly of the Federal Reserve Bank of New York. “The SIFMU designation is the only tool that is up to the task of managing the risk that these cloud service providers pose.”
Applying the "systemic" tag to the three companies would bring a sharp escalation in the government's scrutiny of big tech, one that those companies would likely challenge. But some observers say that while the FSOC is unlikely to weigh in under the Trump administration, the growing ties between cloud services and the nation's banks will heighten regulators' concerns over time.
“I think it’s coming,” said a former banker who now advises financial institutions and spoke on the condition of anonymity. “There’s been a lot of discussion around having more guidance over the use of the cloud, and as more banks move that way, I’d be surprised if regulators didn’t want more oversight.”
Reliance on cloud providers seen as a risk
In a letter last month to Treasury Secretary Steven Mnuchin, Reps. Katie Porter, D-Calif., and Nydia Velázquez, D-N.Y., responded to the Capital One breach by taking aim at Amazon Web Services, the cloud computing industry’s dominant player with a market share around 33% as of 2018.
Some have blamed the cyberintrusion on the fact that the data in question was in the Amazon cloud. The breach has been linked in part to an alleged hacker formerly employed in Amazon's cloud service who the authorities say was able to break into Capital One's system.
The lawmakers said the FSOC should consider designating major cloud providers as SIFMUs.
“The incident raises new and serious questions about banks’ and financial institutions’ dependence on cloud services for their data needs — and the risks these systems pose to the safety and stability of the financial system,” Porter and Velázquez said in the Aug. 22 letter to Mnuchin, who chairs the FSOC.
They said the concentration of bank-related cloud services in just a few tech firms amplifies the risk if any one tech provider encounters trouble.
“A lack of substitutability for the services provided by these very few firms creates systemic risk; a disruption at any major cloud computing platform would cause widespread and immediate harm and compromise the stability of the market,” they said.
The issue came up Wednesday at a House Financial Services Committee hearing where lawmakers cited banks' reliance on cloud computing services as a financial stability concern.
Rep. Bill Foster, D-Ill., asked a Federal Reserve Board governor at the hearing if the central bank had explored “requiring major financial firms to connect to more than one cloud provider so they can fail over to the second one” if one of the cloud providers were disrupted.
“Certainly there’s work internationally where we’re thinking about precisely this question that you raise about the ability to fail over,” said Gov. Lael Brainard said in response. She added that regulators recognize that "migrating to the cloud mitigates some risks, adds other risks, and so we need to hold our institutions accountable for making that risk assessment in a very well-informed way and taking that migration very seriously."
An extreme step
Yet giving the big tech firms the "systemic" tag could be seen as an extreme step.
The council's focus after its creation in the Dodd-Frank Act has been on nonbank financial firms. Four companies — American International Group, Prudential Financial, MetLife, and GE Capital — were all previously labeled as "systemically important financial institutions" but have since been de-designated. Eight other companies that supports payments, clearing and other financial infrastructure are still designated as SIFMUs.
FSOC-designated firms have to date not included technology-focused companies.
“Many people think" an FSOC "designation is a panacea that solves any problem,” said Thomas Vartanian, a professor at George Mason University's law school, where he directs the Financial Regulation and Technology Institute. “Given the enormous authority they already have, the last thing we want to do is engage in regulatory overkill."
Vartanian and other experts disputed the notion that regulators need an extra layer of authority to monitor cloud computing, pointing to the advent of data processing in the 20th century when tech-leery bankers eventually warmed to the idea of storing data electronically.
“You have to go back 50 or 60 years — regulators have long had substantial authority to examine and control the activities of entities that provide service to financial institutions,” Vartanian said. “It’s not as if regulators can’t look at or regulate the cloud right now.”
But others say the oversight council's mission to focus on emerging risks makes it a suitable fit to look at cloud computing issues.
“FSOC is a natural home for concerns that don’t otherwise have an obvious spot in pre-existing regulatory silos,” said David Portilla, a partner at Debevoise & Plimpton LLP and former policy adviser to the FSOC.
Reiners said an FSOC designation would have to be bolstered with a strong case that cloud computing giants meet the same systemic risk criteria as other firms that have been targeted by the council.
“Structurally, cloud providers are very different from past SIFMUs,” he said. “You’d have to explain why this was worth pursuing. You’d have to tie it to existing SIFIs — it’s about having a vital role in the existing infrastructure.”
General concentration-related concerns
The letter came as policymakers have sounded general alarms about the concentration of cloud-computing risks in just a handle of the largest tech firms. Amazon Web Services, Microsoft Azure and Google Cloud collectively make up nearly 60% of the cloud computing industry's market share.
An FSOC designation comes with a laundry list of requirements, including heftier capital standards and supervision by the Fed. Yet under the Trump administration, the oversight council has shifted away from targeting individual firms and focused more on an “activities-based” approach to managing systemic risk.
The FSOC has other avenues beyond a full-on SIFMU designation for risks that may be emerging in the financial system. “FSOC has a lot of different mandates,” Portilla said. “It can decide that agencies need some additional authority and request action from Congress. Or it can assemble a working group of federal agencies to address the issue.”
“It’s naturally inclined to explore all these routes,” he said.
Another consideration is the companies themselves. While Microsoft has slowly grown accustomed to managing compliance and regulation over its 44-year history, Amazon and Google have comparatively little experience with real financial regulation.
“Amazon and Google certainly have the resources to deal with compliance and some experience with it, but based on how they’ve been able to operate in the past — regulatory concerns have never been front and center,” Reiners said.
Amazon, Google and Microsoft did not respond to requests for comment.
Limits of current vendor supervision
Even while new FSOC designations appear unlikely in the the current political landscape, future administrations will likely need to grapple with the growing dominance of the industry’s major cloud providers.
Several policy experts have argued it's precisely their size and market dominance that raises the profile of systemic risk, and that the current regulatory framework offers little concrete guidance when it comes to cloud computing’s concentration.
“It’s one thing to say, ‘Bank A needs to make sure Cloud Provider B meets all these requirements,” said the former banker. “But if you’ve got Banks A through Z all using Cloud Provider B, eventually the cloud company isn't going to want answer every single questionnaire. ... It’s going to be better if a regulator can look at this all at once."
Reiners said supervision of the cloud providers separate from the monitoring of any particular bank would likely be more effective.
“If cloud providers reported directly to the Federal Reserve, rather than indirectly through their relationships with banks, you’d have a more complete and wholesale picture of risk and concentration,” he said.
Proponents of a designation say cloud computing infrastructure is currently a blind spot for regulators.
Each major provider has a unique proprietary architecture. Regulators would likely want to see and understand those inner workings, which will cause no small amount of bristling among the tech community.
“Regulators are largely flying in the dark here,” Reiners said.
In 2017, Microsoft announced an agreement with Bank of America for the bank to host about 80% of its technical functions through Azure. A Goldman Sachs tech executive was quoted in 2016 saying that, at that time, the company had 85% of its "distributed workloads running on the cloud.”