Cloud Adoption in the Financial Sector and Concentration Risk

Gulliver, John; Nadler, Hillel; Scott, Hal S.

doi:10.2139/ssrn.4423902

Download This Paper

Open PDF in Browser

Add Paper to My Library

Cloud Adoption in the Financial Sector and Concentration Risk

32 Pages Posted: 31 May 2023

See all articles by John Gulliver

John Gulliver

Program on International Financial Systems

Hal S. Scott

Harvard Law School

Date Written: April 19, 2023

Abstract

Cloud services have become an important part of the information technology toolkit in the global financial sector. As cloud adoption by financial institutions has increased, financial regulators have raised concerns about potential concentration risk resulting from cloud migration.2 This report aims to provide clarity around the discussion of cloud adoption and concentration risk in the financial sector.
Section I of the report provides background on cloud adoption in the financial sector. Section II clarifies the potential risks associated with the use of third-party technology service providers by financial institutions, and examines those risks in the context of cloud adoption and traditional information technology (IT) infrastructure. Section III outlines the regulatory frameworks in different jurisdictions for addressing potential concentration risks associated with cloud adoption. Section IV concludes by setting out policy recom- mendations for mitigating potential concentration risks associated with cloud adoption in the financial sector.
The report has several key takeaways:
• Concentration risk is not new to the financial sector, nor is it unique to the cloud. Indeed, it is not obvious that such risks could be avoided if financial institutions were to rely on traditional IT infrastructure instead of the cloud. The critical question is how to manage or mitigate concentration risk.
• In order to assess the landscape of concentration risk in the financial sector, reg- ulators should develop a clear and consistent definition of concentration risk and the underlying scenarios to which that definition applies.
• Regulators should also focus on gathering information about technology outsourc- ing by financial institutions, including the use of cloud-based services. Concentra- tion risk can be addressed through information sharing and coordination among FIs, cloud providers, and supervisory authorities.
• Cloud adoption in the financial sector is still in its early stages. As cloud adoption increases, regulators should weigh the risks of concentration against the benefits of scale and quality of services provided by major cloud providers.
• In developing regulatory and supervisory approaches, regulators should engage directly with cloud providers in order to understand the tools available to financial institutions and the security and resiliency practice of cloud providers.
• Regulatory requirements and supervisory practices for cloud adoption should be tailored to specific risks and a one-size-fits-all approach should not be adopted for all financial institutions.

Keywords: Financial Technology, Financial Regulation, Banking, Cloud Service, Cloud Computing, Technology Outsourcing, Financial Supervision

Suggested Citation: Suggested Citation

Gulliver, John and Nadler, Hillel and Scott, Hal S., Cloud Adoption in the Financial Sector and Concentration Risk (April 19, 2023). Available at SSRN: https://ssrn.com/abstract=4423902 or http://dx.doi.org/10.2139/ssrn.4423902