FSB reports on financial stability implications of BigTech and cloud services

December 13, 2019

The Financial Stability Board, the international body that monitors and makes recommendations about the global financial system, has published two reports examining the financial stability implications from the growth of financial services offered by BigTech firms, and the adoption of cloud computing and data services at financial institutions. 

The first of the reports covers market developments and the second report deals with third party dependencies in cloud services.

Market developments

The report says that the involvement of BigTech firms with the finance sector offers many benefits, including the potential for greater innovation, diversification and efficiency when providing financial services. The benefits also include contributions to financial inclusion, especially in emerging markets and developing economies, and may help with access to financial markets for small and medium-sized enterprises.

However, the report highlights that BigTech firms may also pose risks to financial stability. Some risks are similar to those more broadly seen in financial firms, stemming from leverage, maturity transformation and liquidity mismatches, as well as operational risks.

Some potential risks stem from how BigTech firms could use their network and infrastructure to achieve scale in financial services very quickly. Competition from BigTech firms might reduce the resilience of financial institutions, either by affecting their profitability or by reducing the stability of their funding. 

A further overarching consideration is that a small number of BigTech firms may in the future come to dominate, rather than diversify, the provision of certain financial services in some jurisdictions. If this were to take place, the failure of these firms could lead to widespread disruption. In particular, this might be a risk if BigTech firms’ activities in financial services were not accompanied by appropriate risk management and regulatory monitoring, or if BigTech firms’ customers were not able to readily switch to other providers of financial services. 

These developments raise a range of issues for policymakers. The activities of BigTech firms in financial services may be subject to regulation in most jurisdictions. However, there is a question about whether additional regulation and/or financial oversight may be advisable. Regulators and supervisors might also consider the degree to which the resilience of incumbent financial institutions and the viability of their business models might be affected by their synergies and links with, and competition from, BigTech firms. Finally, BigTech firms’ ability to leverage wide-ranging customer data raises considerations for authorities regarding policies governing data ownership, access and portability. 

Third-party dependencies in cloud services

Financial institutions have used a range of third-party services for decades, and many jurisdictions have in place supervisory policies around such services. However, the recent adoption of cloud computing and data services across a range of functions at financial institutions raises new financial stability implications.

Cloud services may present a number of benefits over previous technology, such as on-premises data centres. By creating geographically dispersed infrastructures, and investing heavily in security, cloud service providers may offer significant improvements in resilience for individual institutions. They may allow institutions to scale more quickly, to deliver improved automation, and to operate more flexibly by reducing initial investment costs and freeing institutions from the replacement cycles of their own infrastructure. Cloud service providers should also benefit from economies of scale, which may result in lower costs to clients. 

However, there could be problems for financial institutions using third-party service providers due to operational, governance and oversight considerations, especially in a cross-border context and linked to the potential concentration of those providers. This may result in a reduction in the ability of financial institutions and authorities to assess whether a service is being delivered in line with legal and regulatory obligations. Operational incidents at third-party service providers may result in temporary outages affecting financial institutions, and misconfigurations of new tools could result in data breaches. Financial institutions and authorities’ ability to assess whether the service is being delivered in line with legal and regulatory obligations and the firm’s risk tolerance due to contractual limitations on financial institutions’ and authorities’ rights of access, audit and information, may be reduced. 

According to the report, these legal limitations may also restrict the ability of authorities to effectively access critical data held by third parties if necessary. For instance, bank resolution authorities may have difficulties when exercising step-in rights in resolution if critical bank data systems are held in third-party systems. The shared tasks, if not well articulated and understood, could lead financial institutions to collectively underinvest in risk mitigation and oversight. In addition, potential concentration in third-party provision could result in systemic effects in the case of a large-scale operational failure or insolvency if financial institutions do not appropriately manage third-party risks at the firm level. Global cloud services could cause financial stability risks similar to other significant third-party service providers.

Finally, there are various cross-border issues in the oversight of providers and management of systemic risks. As the use of cloud services does not reduce the responsibility of financial institutions, authorities and financial institutions should ensure that they understand the characteristics of cloud services offered by third parties before any significant migration, and maintain good governance in using them. In addition, the cross-border implications of data localisation rules may need to be considered, including the importance of access to regulatory and supervisory data.

The report concludes that there do not appear to be immediate financial stability risks stemming from the use of cloud services by financial institutions. However, there may be merit in further discussion among authorities to assess three aspects:

  • the adequacy of regulatory standards and supervisory practices for outsourcing arrangements;
  • the ability to coordinate and cooperate, and possibly share information among them when considering cloud services used by financial institutions; and 
  • the current standardisation efforts to ensure interoperability and data portability in cloud environments.