Banks' dependence on cloud giants worries BIS

Banks are increasingly relying on the services of tech giants such as Google, Amazon, Microsoft, Alibaba and IBM. This growing dependence can be seen mainly in the cloud, which refers to all IT services enabling data to be stored on remote servers. Zoom in on BIS's concerns.

Three key players

Already dominant, Amazon subsidiary AWS, Microsoft Azure and Google Cloud have captured almost 80% of the growth in spending on Cloud infrastructure and development applications in France. These are the findings of a study published by French digital market analyst firm Markess by Exaegis.

In 2021, Microsoft Azure recorded the strongest growth (+53%), followed by Google Cloud (+48%) and AWS (+35%). This growth continued in Q1 2022: +32% for Microsoft, +44% for Google Cloud and +37% for Amazon Web Services. Other providers, notably OVHCloud, Kyndril, Oracle, Orange Business Services and Scaleway, are forced to focus on specific markets such as cybersecurity, application platforms or sovereign cloud.

Higher operational risks

The Bank for International Settlements (BIS), which notes that banks are making massive use of the services offered by the Web giants, is concerned about the consequences of this dependence.

"Operational incidents at third-party service providers, including other 'Big Techs', could lead to outages or data breaches," it says in its report published in early July 2022.

Generally speaking, excessive use of these services could "exacerbate operational risks" and generate "systemic vulnerabilities", warns the BIS.

Yet this foreign dependence seems inevitable. While growth in the cloud is estimated at 37% per year, the main players in the market leave little room for their European competitors. Indeed, their level of industrialization enables them to offer competitive prices and quality services that are difficult to replicate.

New regulations applicable in 2023

BIS encourages banks to better supervise their activities in partnership with suppliers. Banks will soon be able to rely on the European Digital Operational Resilience Act (DORA). DORA aims to strengthen and protect the EU financial sector against cyber-attacks and other potential risks, by establishing a specific governance and internal control framework. Due to come into force in January 2023, banks will be obliged to report any technological problems to the banking authorities.

In the meantime, financial institutions are multiplying their contacts. Most work with at least two major suppliers, and keep control of part of their system in-house in a private cloud. This is due to the constraints of foreign dependency and data protection.