John Gulliver, Hillel Nadler & Hal S. Scott, Cloud Adoption in the Financial Sector and Concentration Risk (Wayne State Univ. L. Sch. Rsch. Paper No. 2023, Dec. 5, 2023).
Abstract: Cloud services have become an important part of the information technology toolkit in the global financial sector. As cloud adoption by financial institutions has increased, financial regulators have raised concerns about potential concentration risk resulting from cloud migration. This report aims to provide clarity around the discussion of cloud adoption and concentration risk in the financial sector. Section I of the report provides background on cloud adoption in the financial sector. Section II clarifies the potential risks associated with the use of third-party technology service providers by financial institutions, and examines those risks in the context of cloud adoption and traditional information technology (IT) infrastructure. Section III outlines the regulatory frameworks in different jurisdictions for addressing potential concentration risks associated with cloud adoption. Section IV concludes by setting out policy recommendations for mitigating potential concentration risks associated with cloud adoption in the financial sector.
The report has several key takeaways:
• Concentration risk is not new to the financial sector, nor is it unique to the cloud. Indeed, it is not obvious that such risks could be avoided if financial institutions were to rely on traditional IT infrastructure instead of the cloud. The critical question is how to manage or mitigate concentration risk.
• In order to assess the landscape of concentration risk in the financial sector, regulators should develop a clear and consistent definition of concentration risk and the underlying scenarios to which that definition applies.
• Regulators should also focus on gathering information about technology outsourcing by financial institutions, including the use of cloud-based services. Concentration risk can be addressed through information sharing and coordination among FIs, cloud providers, and supervisory authorities.
• Cloud adoption in the financial sector is still in its early stages. As cloud adoption increases, regulators should weigh the risks of concentration against the benefits of scale and quality of services provided by major cloud providers.
• In developing regulatory and supervisory approaches, regulators should engage directly with cloud providers in order to understand the tools available to financial institutions and the security and resiliency practice of cloud providers.
• Regulatory requirements and supervisory practices for cloud adoption should be tailored to specific risks and a one-size-fits-all approach should not be adopted for all financial institutions.