US lawmakers urge FSOC to designate cloud-based storage systems used by major banks as systemically important financial market utilities.

By Alan W. Avery, Victoria McGrath, and Pia Naib

In an August 22, 2019, letter addressed to Treasury Secretary Steven Mnuchin, in his capacity as chair of the Financial Stability Oversight Council (FSOC), Congresswoman Katie Porter and Congresswoman Nydia Velazquez urged Secretary Mnuchin to designate the three leading cloud-based storage systems used by major banks — Amazon Web Services, Microsoft Azure, and Google Cloud — as systemically important financial market utilities (SIFMUs). This designation would subject such cloud-based storage systems to supervision and regulation by the Board of Governors of the Federal Reserve System (Federal Reserve). Citing Title VIII of the Dodd-Frank Act, which was enacted to promote stability in the financial system, the Congresswomen highlighted the dependence on cloud services by banks and financial institutions for their data needs and the subsequent risks such services pose to the safety and stability of the financial system.

FSOC considers four factors when analyzing the appropriateness of a SIFMU designation:

  • The aggregate monetary value of transactions processed by the financial market utility (FMU);
  • The aggregate exposure of the FMU to its counterparties;
  • The relationship, interdependencies, or other interactions of the FMU with other FMUs or payment, clearing, or settlement activities; and
  • The effect that the failure of or a disruption to the FMU would have on critical markets, financial institutions, or the broader financial system.

With respect to the first factor, the Congresswomen argued that despite the fact that cloud service providers do not directly process monetary transactions, “their operational stability still underpins a large portion of banks’ central functions.” Banks and other financial institutions use cloud-based service providers to connect to one another and to other market participants, which enables monetary and commercial transactions while also maintaining sensitive information regarding their clients. In addition, banks and financial institutions, like other firms, are becoming increasingly reliant on cloud-based service providers for their technological functions, which has resulted in large volumes of data held on the cloud. As more firms rely on servers or the cloud for their data storage, security breaches associated with such data can compromise the account information of millions of customers.

In connection with the second factor, the Congresswomen acknowledged the lack of financial exposure in the event of a cloud failure but argued that the operational losses stemming from such a cloud failure could be significant. As to the third factor, the Congresswomen addressed the need to develop and enforce appropriate safeguards to protect against the possibility of a bank run in the event that a data breach were to negatively impact the public’s confidence in cloud-based services and subsequently deter use of cloud-reliant banks. Lastly, regarding the fourth factor, the Congresswomen highlighted the potentially catastrophic effects of a disruption to the cloud. In particular, given the dependence on cloud-based services not only by all financial institutions in some capacity but also by various government agencies, incidents resulting in access to or loss of data stored in the cloud could potentially debilitate not only the financial industry but also government functions and national security.

FSOC, however, is not required to consider all of these factors equally and instead can place greater importance on whether the failure or disruption of the FMU would create or increase the risk of credit and liquidity issues among financial institutions and markets, and whether such credit and liquidity issues would threaten the stability of the US financial system.

World financial market regulators share the concerns regarding the ramifications of a cloud-based disruption or failure on financial institutions and markets. In February 2019, the Financial Stability Board, an international body comprising the G-20’s central banks and supervisors, noted that technology could upend the stability of financial markets. Additionally, in response to the FinTech Action Plan published by the European Commission (EC) in March 2018, the Joint Committee of the European Supervisory Authorities issued a report to the EC in April 2019, which noted that cloud computing services are central to financial institutions and highlighted the vulnerabilities of the financial industry’s reliance on cloud services.

From the perspective of the Congresswomen, given the increasing reliance by participants in the financial services industry on cloud computing platforms and the lack of supervision and enforcement over cloud-based service providers, there is a substantial increase in the risk of widespread consequences and serious harm to the financial stability of the United States in the event of a disruption at any of the three major cloud computing platforms. In order to protect against the risk inherent in reliance by banks and other industry participants on a limited number of cloud-based service providers, the Congresswomen requested a response from FSOC by September 15, 2019, to their request to designate as SIFMUs the country’s largest cloud service providers, including, but not limited to, Amazon Web Services, Google Cloud, and Microsoft Azure.

To date, FSOC has designated eight FMUs as systemically important. It seems unlikely that FSOC would designate any of the cloud-based service providers as SIFMUs in the near term. Unless FSOC determines that emergency conditions exist, the designation process involves notice and consultation with the FMU, and an opportunity for a hearing and/or written submissions, as well as consultations with the Federal Reserve and other relevant supervisory agencies.