FSI Paper Suggests Global Regime for Critical Service Providers
The Financial Stability Institute (FSI) of the Bank for International Settlements published a brief paper that examines the macro-prudential concerns of operational resilience with respect to cloud service providers and big tech firms and offers ideas on how to address these concerns. One of these ideas involves appointing a supervisory authority and establishing an international regulatory and supervisory regime for firms offering critical services beyond a minimum threshold.
The paper notes that the interconnected use of technologies within the financial ecosystem can affect operational resilience at the system level. Thus, it is not enough to assess and monitor the operational resilience of individual firms. Authorities need to adopt a macro-prudential perspective when addressing risks of operational disruptions in the provision of financial services. Assessment of operational resilience at the system level could, for example, involve objective metrics such as the number of technology firms providing critical services or number of systemically important financial institutions (SIFIs) or financial market infrastructures (FMIs) relying on the services of a big tech. The macro-prudential approach would be particularly appropriate in two different but related domains: one is the use of critical services, such as cloud computing services, and the other is the provision, by big tech firms, of both technological services (like cloud computing) to regulated entities and a diversity of financial services to the public. From a macro-prudential perspective, all firms—including SIFIs and FMIs—using the same cloud provider leads to systemic risk, which can result in severe consequences to the financial system in case of an operational disruption on the cloud provider. The paper then discusses a range of options to potentially address this issue:
- The first option is to require all financial firms, including SIFIs and FMIs, that acquire technology services, such as cloud computing services, from critical third-party providers to assess the potential implications for their operational resilience. This is the prevalent regulatory approach, whose main drawback is that system-wide operational resilience basically hinges on assessments of individual firms. It is uncertain whether firms would have the right incentives and the means to perform thorough assessments of the risks posed by their interactions with critical third-party providers, not to mention that all firms performing their own audit of the same providers could be vastly inefficient. It remains to be seen whether collaboration across financial firms (as in pooled audits) would address these issues.
- The second option is a variation of the first one but would require financial firms to use a multi-provider strategy. This strategy involves the use of two or more providers for each critical service, such as cloud computing services, and requires planning for business applications to be portable between multiple providers. This option has the same drawback as the first option, as assessment of the operational resilience of the third parties would be left to individual firms. It requires firms to take on additional costs to run the same services, could make the process of cloud configuration more challenging, may magnify the risk of misconfiguration if the providers use proprietary security standards and protocols, potentially leading to security and data breaches.
- The third, and extreme, option is to disallow SIFIS and FMIs from relying on third-party providers. However, this could just distract SIFIs and FMIs from their main functions, which could have implications for their operations. In addition, an operational disruption in an in-house SIFI/FMI ICT infrastructure would still have a systemic impact. While this option may be theoretically possible, it would negate the enhancements in operational resilience that individual firms have achieved with the help of third-party providers.
- The fourth option is to expand the reach of regulation to critical third-party providers in the financial system, such as cloud service providers. This is what DORA proposes and what the UK envisions in its policy statement and discussion paper on critical third parties. In practical terms, technology service providers should only be able to offer their services to any financial firm if they comply with regulatory requirements. A disadvantage of this approach is that having financial authorities put their “stamp of approval” on third-party service providers assumes that they are better than financial firms at making such assessments, though this may not necessarily be the case. This issue could be addressed by having joint assessments by different government bodies (for example, in addition to financial authorities, those in charge of ICT, cyber security, and data protection). More importantly, as seen in the case of DORA and depending on the regulatory regime, the adoption of this approach may require critical providers to establish in each jurisdiction a legal entity that would be responsible for ensuring compliance with the relevant regulation in that jurisdiction. That looks largely inefficient, not only for critical providers, which typically have a global and multi-sectoral scope of activities, but also for internationally active financial firms.
The paper notes the several ways in which authorities may address risks to operational resilience posed by third-party technology providers. It notes that there may be an argument for subjecting these technology providers, particularly the critical ones, to a new oversight framework. For big tech groups that conduct diverse activities and are subject to significant internal interdependencies, there is a rationale for also considering establishing group-wide requirements on operational resilience for those entities. Given that the provision of cloud services is largely concentrated in a few global technology companies, the aforementioned fourth option can be further tweaked to address the inefficiencies arising from having to comply with regulations in individual jurisdictions, which potentially could vary widely. A more effective line of action could be the establishment of an international regulatory and supervisory regime. The former could be achieved by developing specific international standards for firms offering critical services beyond a minimum threshold. The latter might require the appointment of a leading supervisory authority for each critical provider and the creation of multi-country supervisory colleges. Aside from addressing inefficiencies, cross-border oversight is also necessary given the potential global impact of a failure of some of these critical third-party providers.
Related Links
Keywords: International, Banking, Suptech, Regtech, Cloud Computing, Critical Service Providers, Bigtech, Systemic Risk, FMI, Third-Party Arrangements, Operational Resilience, BIS, FSI
Featured Experts

Blake Coules
Across 35 years in banking, Blake has gained deep insights into the inner working of this sector. Over the last two decades, Blake has been an Operating Committee member, leading teams and executing strategies in Credit and Enterprise Risk as well as Line of Business. His focus over this time has been primarily Commercial/Corporate with particular emphasis on CRE. Blake has spent most of his career with large and mid-size banks. Blake joined Moody’s Analytics in 2021 after leading the transformation of the credit approval and reporting process at a $25 billion bank.
Related Articles
EBA Proposes Standards for IRRBB Reporting Under Basel Framework
The European Banking Authority (EBA) proposed implementing technical standards on the interest rate risk in the banking book (IRRBB) reporting requirements, with the comment period ending on May 02, 2023.
FED Issues Further Details on Pilot Climate Scenario Analysis Exercise
The U.S. Federal Reserve Board (FED) set out details of the pilot climate scenario analysis exercise to be conducted among the six largest U.S. bank holding companies.
US Agencies Issue Several Regulatory and Reporting Updates
The Board of Governors of the Federal Reserve System (FED) adopted the final rule on Adjustable Interest Rate (LIBOR) Act.
ECB Issues Multiple Reports and Regulatory Updates for Banks
The European Central Bank (ECB) published an updated list of supervised entities, a report on the supervision of less significant institutions (LSIs), a statement on macro-prudential policy.
HKMA Keeps List of D-SIBs Unchanged, Makes Other Announcements
The Hong Kong Monetary Authority (HKMA) published a circular on the prudential treatment of crypto-asset exposures, an update on the status of transition to new interest rate benchmarks.
EU Issues FAQs on Taxonomy Regulation, Rules Under CRD, FICOD and SFDR
The European Commission (EC) adopted the standards addressing supervisory reporting of risk concentrations and intra-group transactions, benchmarking of internal approaches, and authorization of credit institutions.
CBIRC Revises Measures on Corporate Governance Supervision
The China Banking and Insurance Regulatory Commission (CBIRC) issued rules to manage the risk of off-balance sheet business of commercial banks and rules on corporate governance of financial institutions.
HKMA Publications Address Sustainability Issues in Financial Sector
The Hong Kong Monetary Authority (HKMA) made announcements to address sustainability issues in the financial sector.
EBA Updates Address Basel and NPL Requirements for Banks
The European Banking Authority (EBA) published regulatory standards on identification of a group of connected clients (GCC) as well as updated the lists of identified financial conglomerates.
ESMA Publishes 2022 ESEF XBRL Taxonomy and Conformance Suite
The General Board of the European Systemic Risk Board (ESRB), at its December meeting, issued an updated risk assessment via the quarterly risk dashboard and held discussions on key policy priorities to address the systemic risks in the European Union.