15 June, 2023 by Gillian Tett
Three weeks ago, the US Treasury announced the launch of a new oversight committee called the “Cloud Executive Steering Group.”
It received almost no public attention. No wonder: compared to the explosive controversies around cryptocurrencies, ChatGPT or Europe’s new drive to break up Google’s dominance of adtech, cloud computing — the public and private data storage and processing platforms run by Big Tech vendors — sounds achingly dull. So much so, that most Americans view Amazon as “just” an online retail giant, even though its cloud division now generates significant revenues.
But investors and financial services consumers alike should wake up. For as a report from the Treasury’s little-known Financial and Banking Information Infrastructure Committee declared earlier this year, regulators are getting nervous about the systemic financial risks emanating from the cloud. Indeed, the Bank for International Settlements suggested last year — echoing work by European central banks — that “big tech interdependencies” have become “a key policy blind spot”.
Thus the crucial question for the Treasury’s cloud committee — which includes both regulators and bankers such as Bill Demchak of PNC — is whether this “blind spot” can be corrected before a not-so-boring accident erupts.
There are at least three big issues to consider. The first is the speed of change in computing practices. The FBIIC report notes that more than 90 per cent of the members of the American Bankers Association are shifting activity on to the cloud, although more than 80 per cent say this is at an early stage. Since a separate survey suggests that two-thirds of banks expect at least 30 per cent of their activities to be cloud-based in the next three years, the FBIIC calculates that cloud usage will triple by then. The pattern in Europe seems similar.
Second, financial regulators are ill-equipped to handle this explosive growth. They have always struggled to track information technology, since they have historically hired economists, not techies. But when finance companies were running their own IT operations, regulators did at least have a mandate to watch them.
However, the dash into the cloud places more of that activity in the hands of Big Tech vendors who have never faced serious central bank scrutiny before. Some observers, such as Agustín Carstens, head of the BIS, think that an overhaul is overdue, in order to extend the “regulatory perimeter”. Maybe so.
But America’s tech giants will fiercely resist efforts to put them under the purview of central banks or other financial regulators — and the White House currently shows little stomach for that battle. That leaves the cloud in a financial regulatory grey zone. “Due to the different legal authorities for each agency, no single agency can see across the many use cases and the network of dependencies on cloud services within the financial sector”, the FBIIC report observed. In plain English: this is a fog.
Third, insofar as data is available, it seems that there are big, and growing, concentration risks. This might sound surprising. After all, one reason for financial groups to dash into the cloud is to reduce their reliance on costly, and potentially vulnerable, in-house data centres. A distributed model is supposed to be more resilient.
But one bitter irony of finance is that innovations which purport to reduce risk by distributing it can sometimes also concentrate it in new, surprising and half-hidden ways. Consider credit. Before 2008, it was assumed that innovations such as securitised mortgage products would promote resilience by spreading default risk beyond banks.
But when the 2008 crisis hit, it emerged that numerous players had quietly hedged their activities with the same entity — AIG Financial Products. That created a hidden “single point of failure”, to use an engineering term, and generated shocks when AIGFP wobbled.
Cloud computing echoes this so-called Spof issue, as Michael Hsu, acting Comptroller of the Currency, told the BIS earlier this year. Most notably — and as Brussels often complains — the cloud is dominated by an oligopoly of Amazon, Microsoft and Google. If one of those players suffered a big cyber attack, weather-linked disruption or simply went bankrupt, that would rock the system.
Big Tech executives insist this will not occur. You would hope so. And these huge companies are almost certainly better at handling cyber risks than banks’ in-house teams. But the 2020 SolarWinds hack on Microsoft’s cloud systems showed that nobody is infallible. So did the recent Ion saga and Capita data breach.
And even without cyber risks, the commercial power wielded by this oligopoly is unnerving, particularly for Europeans. Indeed, Britain’s Ofcom has launched an investigation.
So all eyes are now on the Treasury’s Cloud Committee. Sadly there are no easy solutions; or not unless the US government does something it seems unwilling or unable to contemplate — namely, break up Big Tech and/or impose tight government controls. But if nothing else, the issue shows that AI is not the only tech topic that matters now. Maybe that Cloud Committee should ask ChatGPT how to defuse the Spof threat. The answer would probably be easier for Big Tech to swallow than asking Brussels.
© The Financial Times Limited 2023. All Rights Reserved.
FT and Financial Times are trademarks of the Financial Times
Ltd. Not to be redistributed, copied or modified in any way.