Courtesy of David Fratto and Lee Reiners
Last week’s announcement that a hacker accessed the personal information of approximately 106 million Capital One card customers and applicants has cast fresh light on financial institutions’ increasing reliance on the cloud. The hacker, a former employee of Amazon Web Services Inc., allegedly breached Capital One’s firewalls to access “the credentials needed to find and read Capital One’s cloud-stored data from a system on the Amazon cloud.”
While an FBI affidavit claimed an error by Capital One enabled the breach, policymakers are rightfully focusing on the steps being taken by the biggest cloud service providers to protect the integrity of the data stored on their servers. In a letter addressed to Amazon CEO Jeff Bezos, Senator Ron Wyden (D., Ore) noted: “If Amazon’s cloud computing services are found to be the common element in a series of high-profile hacks targeting large corporations, it would raise serious questions about whether other corporations and government entities that use Amazon’s cloud computing products are also vulnerable.”
The rapid adoption of cloud computing by banks and other financial institutions creates new risks and poses new challenges for regulators charged with maintaining the safety and soundness of regulated entities and the stability of the financial system. Unfortunately, traditional bank examiners lack the technical knowledge and experience to adequately monitor the risks associated with cloud adoption. Around the same time Capital One’s data was stolen, examiners from Capital One’s primary regulator, the Federal Reserve Bank of Richmond, conducted a formal exam of an Amazon cloud facility in Virginia. According to the Wall Street Journal, examiners were chaperoned by an Amazon employee and “allowed to review certain documents on Amazon laptops.” However, examiners were not allowed to take anything with them.
This type of supervision is simply not going to cut it in the age of cloud computing. As financial institutions continue their march to the cloud, the role of cloud service providers in our financial system grows. We have now reached the point where a disruption at Amazon Web Services (AWS) could prove fatal to one or more financial institutions and send shockwaves throughout our financial system. Large cloud service providers are a new source of systemic risk.
Thankfully, the Dodd-Frank Act created the Financial Stability Oversight Council (FSOC) to address the systemic risk posed by non-bank financial companies and financial market utilities. Large cloud service providers probably do not meet the definition of “financial company,” but a credible claim can be made that they are a new kind of financial market utility.
This post highlights the rise of the cloud in financial services and the new risks it poses to financial stability. We argue that FSOC should utilize the powers granted to it by Congress to classify the largest cloud service providers as systemically important financial market utilities (SIFMUs) subject to enhanced supervision by the Federal Reserve.
The Business Case for Cloud
Cloud computing turns the outdated enterprise data center model on its head by creating advantages in scale, resource elasticity, organizational agility, and operational resiliency. Cloud service providers provision computing resources in demand-driven increments, matching needs to costs. On an appropriate cloud infrastructure, the capacity available to an organization can be effectively unlimited.
Outsourcing computing activity to dedicated support organizations (cloud service providers) allows the provider to develop robust resiliency characteristics and back-up processes for data storage and processing. From a business strategy perspective, updated applications and platform transformations are significantly simpler on a cloud system. This allows cloud-enabled businesses to respond more quickly to consumer demands and rapidly deliver new or updated products to market.
These advantages drive cloud adoption in the financial services sector. The cost savings, while helpful in inducing financial institutions to undertake the financial investment of switching from enterprise to cloud computing, are a secondary consideration to three other factors. By providing scaled resources with minimal marginal cost, the cloud facilitates disruptive innovation by lowering barriers to entry. Additionally, the time-to-market advantage of cloud computing allows organizations to quickly launch new products and integrate newly acquired capabilities. Customer expectations also drive cloud computing adoption. Because cloud-enabled organizations benefit from better infrastructure and computing platforms, applications can be more quickly refined to meet rapidly shifting consumer demands.
The financial sector has been quick to embrace the cloud. A McKinsey survey in 2016 found that financial services had nearly 100% cloud adoption in some capacity, versus a median adoption rate of 19% across all industries. In addition to adopting the cloud for ancillary functions, analysts predict that almost 40% of financial service firms will process half of their transactions on the cloud by 2020. According to one survey, 72% of U.S. finance executives see cloud-based solutions as key tools to empowering their organizations in an increasingly competitive market.
Market share data for cloud service providers is difficult to aggregate for two reasons: little information is available in public disclosures, and any published data quickly becomes outdated. In a February 2018 estimate, AWS comprised 34% of the global cloud market, Microsoft Azure held 13% market share, IBM Cloud had 8%, Google’s cloud platform had 6%, and Alibaba’s cloud had 4%. Other data suggests AWS holds an even more dominant position in the market, with 41.5% of all public cloud application workloads, compared to Azure’s 28.4% and Google Cloud’s 3%.
A New Kind of Systemic Risk
The rapid and widespread adoption of cloud computing by financial services firms introduces multiple sources of systemic risk: (1) the operational centrality of computing services to financial institutions, (2) the lack of cloud computing provider substitutability for institutional clients, (3) the vulnerability of institutions to decreases in public and co-participant confidence in computing infrastructure, (4) the damaging effects of failures in data integrity, and (5) the supplier power wielded by a few dominant service providers in a less concentrated market of buyers. The first factor frames the issue, the following three identify systemic risk transmission channels, and the fifth factor highlights the impact of business strategy on systemic risk.
First, the operational centrality of computing services to financial institutions presents the clearest risk. For example, Bank of America is migrating 80% of its technology workloads to virtual platforms, utilizing computing infrastructure on the public cloud. Given the modern reality of highly interconnected and tightly coupled market processes, any service disruption, such as a network connectivity breakdown, cybersecurity breach, or data storage failure, will grind Bank of America’s – or any other large bank’s – operations to a halt. This risk can be mitigated somewhat by diversifying cloud service providers, and most financial institutions do work with more than one cloud service provider. However, the lion’s share of a firm’s cloud outsourcing will be with one primary vendor – like Capital One with AWS.
The second source of systemic risk is the lack of cloud computing provider substitutability, especially for the largest institutional clients. In 2017, the Office of Financial Research (OFR) highlighted how a lack of substitutability for services provided by a handful of firms (central banks; custodian banks; and payment, clearing, settlement, and messaging systems) creates systemic risks because a cyber incident at one of these firms would disrupt the entire financial system.
The product offerings of cloud service providers are meant to maximize customer lock-in. Software tools are built on top of cloud products, creating immense switching costs. As the financial institution’s customer-facing applications (also hosted on the cloud) develop in line with evolving business strategies, entrenchment of the computing infrastructure and other supporting services is enhanced. In addition, the advantages of bundling all services under one provider are unavoidable. The complex interplays of hardware, software, servers, and related processes are best synced through a single cloud provider. This leaves financial firms vulnerable to disruptions at their cloud provider. Take Bank of America’s massive migration to the Microsoft Azure cloud. Even a short-term disruption in the network connection between Bank of America and Azure leaves Bank of America vulnerable. Because of the technical nature of computing services, Bank of America cannot seamlessly switch to AWS for its data storage, especially in the short term.
The third source of systemic risk is the vulnerability of institutions to decreases in public and co-participant confidence in computing infrastructure. This public confidence relates to multiple aspects of cloud computing in the financial markets, such as transaction execution, data storage, and customer interface reliability. A lack of confidence that transactions are being executed efficiently in the cloud will diminish accurate price discovery for financial products. Alternatively, a decline in public confidence in the security of personally identifiable financial information shared with financial institutions through products supported by cloud service providers will at best decrease consumer interaction with the financial industry and, at worst, create the 2019 computing version of a depression-era bank run.
Data integrity is the fourth source of systemic risk. Financial markets require the public’s confidence to work effectively, and that confidence cannot be secured without data integrity.
The offsite and shared nature of cloud service environments, particularly multi-tenant community or public cloud models, heightens the risk that the underlying data on which financial institutions rely is vulnerable to loss or manipulation. Additionally, many financial market activities occur on a just-in-time basis, raising the stakes of data integrity because of the difficulty of rewinding executed transactions. When multiple clients share a common server, significant security technology is deployed to partition the cloud and create secure areas of access for each client that eliminate the risk of one client contaminating another’s data facilities. Many current cloud service and cybersecurity regulatory guidelines encourage a variety of data backup processes. Still, tradeoffs exist between rapid data recovery after a crisis and confidence in the completeness, accuracy, and safety of the restored dataset.
The fifth factor contributing to systemic risk is the supplier power wielded by a few dominant cloud service providers. In most cloud consumer-provider relationships, data centers; networking; data storage processes; servers; and virtualization occur under the control of the service provider. This creates a risk that customers may not have the appropriate controls to ensure provider-managed components of the cloud service consistently conform to regulatory requirements. In addition, should cloud-service providers disengage from smaller, less lucrative, financial institutions, a large part of the financial system would be vulnerable.
Consider the case of small community banks. Like other financial institutions, they are increasingly incorporating cloud services into their core business operations of accounting systems, loan origination, and regulatory reporting. When a few cloud service providers dominate the industry, any individual community bank will struggle to contractually ensure that its cloud service provider, AWS for instance, will rapidly respond to a cybersecurity or data network issue. AWS will be primarily concerned with isolating the vulnerability in its cloud system and protecting other customers (especially more valuable customers) before dedicating valuable resources to a relatively low-dollar problem.
Current Regulatory Oversight of the Cloud
The most directly applicable regulatory guidance for outsourced cloud computing services in the financial sector is outlined in the Federal Reserve’s SR Letter 13-19: “Guidance on Managing Outsourcing Risk.” This guidance details supervisory expectations for appropriate service provider risk management programs. In 2018, the Federal Reserve Bank of Atlanta published an article that highlights how SR Letter 13-19 specifically applies to cloud service providers. When it comes to examining the relationship between regulated financial institutions and cloud service providers, the article notes that supervisors will focus on contracts; controls; cybersecurity; disaster recovery; and sound practices. The article emphasizes that a bank’s risk management program should involve scrutiny “commensurate with the level of risk presented by the outsourcing arrangements.”
FSOC Designation Authority
Even before the Capital One breach, it was clear that existing regulations governing financial institutions’ use of the cloud were inadequate. Cloud computing is a new source of systemic risk and it should be recognized as such by FSOC, which is charged with identifying risks to the financial stability of the United States, promoting market discipline, and responding to emerging risks to the stability of the United States’ financial system.
The FSOC has several tools for responding to new sources of systemic risk. First, they publish an annual report to Congress highlighting potential emerging threats. In their 2018 Annual Report, FSOC noted that: “Maintaining confidence in the security practices of third-party service providers has become increasingly important, particularly because different financial institutions are often serviced by the same providers.” In a nod to the inadequacy of existing regulations governing cloud services, the FSOC recommended that: “Congress pass legislation that ensures that the federal banking agencies, FHFA, and NCUA have adequate examination and enforcement powers to oversee third-party service providers.”
FSOC can also make recommendations to existing regulatory agencies to apply heightened standards and safeguards to risk-creating activities.
However, the most powerful tool at FSOC’s disposal is the authority to designate certain nonbank financial companies and financial market utilities for heightened supervision and prudential standards based on their systemic importance.
FSOC can designate a nonbank financial company as a systemically important financial institution (SIFI) if material distress at the company could cause a broader impairment of financial intermediation or financial market functioning. In making this determination, the Council considers, among other factors, the “nature, scope, size, scale, concentration, interconnectedness, or mix of the activities of the company.”
When FSOC designated American International Group a SIFI in 2013, they noted that while individual counterparty exposures to AIG may be relatively small, the aggregate exposures “are large enough that material financial distress at AIG, if it were to occur, could have a destabilizing effect on the financial markets.” Similar logic could apply to AWS, whose distress – financial or otherwise – would certainly have knock-on effects in the financial sector.
While the economic logic for classifying large cloud-service providers as SIFIs is sound, such a designation may not pass legal muster. This is because these firms likely do not meet the definition of “financial company.” An entity is a nonbank financial company if it is predominantly engaged in financial activities, subject to certain exceptions. For purposes of Title I of the Dodd-Frank Act, a company is “predominantly engaged in financial activities” if at least 85 percent of the company’s and its subsidiaries’ annual gross revenues are derived from, or at least 85 percent of the company’s and its subsidiaries’ consolidated assets are related to, “activities that are financial in nature” as defined in section 4(k) of the Bank Holding Company Act (BHC Act).
While it is difficult to ascertain the client base and revenue sources for large cloud service providers – all of whom are part of much larger technology conglomerates – it is unlikely that 85% of their revenues are derived from “activities that are financial in nature.”
Thankfully, there is another avenue available to FSOC – the designation of systemically important financial market utilities (SIFMUs). FSOC refers to these entities as the “plumbing of the financial system.” Conceptually, this description aligns closely with the services cloud firms provide to their financial clients, specifically, the provision of infrastructure and platform computing services.
In arguing for a SIFMU designation, the first legal hurdle that must be cleared is reconciling the operational differences between the eight current SIFMUs and cloud service providers. Dodd-Frank grants FSOC regulatory powers over “any person that manages or operates a multilateral system for the purpose of transferring, clearing, or settling payments, securities, or other financial transactions among financial institutions.” Under this mandate, FSOC designated eight companies operating as clearinghouses, exchange platforms, and custodians as SIFMUs in 2012.
Cloud service providers fulfill none of these roles. However, their services are necessary components of all these activities, both as a result of cloud outsourcing at current SIFMUs and in foundationally enabling the transactions undertaken by all other financial institutions. And, as with the currently designated SIFMUs, a disruptive event at a cloud-service provider would spread throughout the financial system, causing widespread harm.
Dodd-Frank prescribes five factors to evaluate when considering the systemic significance of a utility-like service to the financial markets: (1) the aggregate monetary value of the transactions processed by the organization; (2) the aggregate exposure of the financial market utility to counterparties; (3) the relationship, interdependencies, or other interactions with other financial market utilities or payment, clearing, or settlement activities; (4) the effect the financial market utility’s failure would have on critical markets, financial institutions, or the broader financial system; and (5) “any other factors that the Council deems appropriate.” By enabling transaction processing and providing network linkages between market participants, dominant cloud service providers satisfy each of the first four factors.
Impact of SIFMU Designation
A SIFMU designation would have a significant impact on each of the dominant cloud computing service providers. This impact occurs primarily in three areas: governance, risk management, and recovery planning.
In terms of governance, the board of directors and senior management at cloud service providers designated as SIFMUs would face intense regulatory scrutiny, which they have thus far avoided. The SIFMU designation empowers FSOC to evaluate the substantive qualifications of board members to oversee a cloud computing business and examine management’s execution of business strategy and risk management in line with the board’s policies.
The SIFMU designation would apply to the legal entity providing cloud services. Thus, Amazon Web Services Inc., a subsidiary of Amazon, would receive the SIFMU designation, not the parent company Amazon. Designating Amazon Web Services Inc. a SIFMU would require the entity to overhaul existing corporate governance arrangements, including creating a new independent board (Amazon Web Services Inc. currently has its own CEO but no board of directors).
The SIFMU designation would also require cloud service providers to establish a Chief Risk Officer position and publish a comprehensive risk management framework. The risk management framework must be approved by the board and will look very different from the risk management frameworks of current SIFMUs, which are primarily focused on credit and liquidity risks. While these risks are still applicable to cloud service providers, the most relevant risk is operational. The risk management frameworks for designated cloud service providers should emphasize business continuity under a variety of circumstances, including natural disasters and cyber-attacks.
Finally, designated cloud service providers will have to file periodic recovery and wind-down plans with the relevant regulators. For current SIFMUs, these plans primarily focus on withstanding one or more member defaults. Cloud service providers have a different business model – current SIFMUs are either member-owned or run for the benefit of their members – therefore, their recovery plans will focus less on the possibility of financial difficulty at one or more of their customers, and more on how they will continue to serve their customers in the event of a financial or operational disruption at the cloud provider.
The reliance on cloud computing infrastructure in the financial industry has created a new source of systemic risk. Congress created FSOC for the express purpose of identifying and regulating systemic risk. Unfortunately, under the Trump administration, FSOC has willingly relinquished its authority to designate individual nonbank financial firms and financial market utilities. Not only has FSOC reversed all of its original nonbank SIFI designations, it has also proposed effectively replacing the current entity-based approach to systemic risk regulation with an activities-based approach. As others have pointed out, this would severely constrain FSOC’s ability to regulate systemic risk because the agency lacks the legal authority to regulate financial activities directly. Instead, it can only make non-binding recommendations to other federal agencies to regulate specific activities under existing authorities. In the case of cloud computing, no financial regulatory agency has direct supervisory authority. If FSOC’s activities-based proposal becomes final, it would ensure that cloud service providers continue to grow in systemic importance unperturbed by any meaningful oversight. In this case, the Capital One breach may end up being just the tip of the iceberg.
Notes
See Global Business Services, Cloud for financial markets: Driving growth, gaining competitive advantage and improving efficiency, Int’l Bus. Machines Corp. (Nov. 2015), https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=GBE03715USEN [hereinafter IBM Cloud Report].
 See Economist Intelligence Unit, Mapping the cloud maturity curve, Int’l Bus. Machines Corp. (Mar. 2015), http://www.corporateleaders.com/sitescene/custom/userfiles/file/White_Papers/Mapping%20the%20cloud%20maturity%20curve.pdf. In an industry survey, banking and financial services executives listed the top three most impactful benefits of cloud computing services to be: (1) improved data access, analysis and utilization; (2) speedy delivery of new IT services and capabilities; and (3) improved internal business process efficiency.
 See id. at 2.
 Nagendra Bommadevara, Andrea Del Miglio & Steven Jansen, McKinsey Enterprise Cloud Infrastructure Survey, 2016, McKinsey&Company (Apr. 2018), https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/cloud-adoption-to-accelerate-it-modernization.
 Matt VanderZwaag, The Financial Services Industry Looks to the Cloud, Data Center Knowledge (Mar. 5, 2018), https://www.datacenterknowledge.com/industry-perspectives/financial-services-industry-looks-cloud.
 AWS vs Azure vs Google vs IBM Cloud, Which Is The Best For Me?, Nodericks Technologies (Feb. 21, 2018), https://www.nodericks.com/aws-vs-azure-vs-google-vs-ibm-cloud-best/.
 Custom Applications and IaaS Trends: 2017, Cloud Security Alliance 7 (Apr. 2018), http://info.skyhighnetworks.com/rs/274-AUP-214/images/wp-csa-survey-custom-apps-iaas-survey-report.pdf.
 See Office of Financial Research Cybersecurity and Financial Stability: Risks and Reliance, U.S. Dep’t Treasury 1 (Feb. 15, 2017), https://www.financialresearch.gov/viewpoint-papers/files/OFRvp_17-01_Cybersecurity.pdf [hereinafter OFR Viewpoint] (highlighting risks of disruptions to financial firm operations).
 See id. at 3 (identifying “lack of substitutability” as a potential disruption transmission channel).
 See id. (discussing examples of market disruptions due to lost public confidence in cloud security).
 See id. at 4 (noting the difficulty of a financial firm staying agile while also maintaining robust data backups).
See Counting on the Cloud, supra note 29, at 9 (citing Bank of America chooses the Microsoft Cloud to support digital transformation, Microsoft News Center (Oct. 2, 2017), https://news.microsoft.com/2017/10/02/bank-of-america-chooses-the-microsoft-cloud-to-support-digital-transformation/).
 See Eugene Kim, Amazon’s cloud is sitting on at least $12.4 billion of future revenue, CNBC (May 9, 2018), https://www.cnbc.com/2018/05/09/amazon-aws-has-a-revenue-backlog-of-at-least-12-point-4-billion.html (highlighting the observation of Tom Roderick, an analyst at Stifel Nicalous, that AWS’s impressive current and projected financial performance results partly from the sticky nature of their service for enterprise clients).
 See Office of Financial Research Cybersecurity and Financial Stability: Risks and Reliance, U.S. Dep’t Treasury 1 (Feb. 15, 2017), https://www.financialresearch.gov/viewpoint-papers/files/OFRvp_17-01_Cybersecurity.pdf.
 See id. at 4.
 See Information Technology Subcommittee, Outsourced Cloud Computing, Federal Financial Institutions Examination Council (Jul. 10, 2012), https://ithandbook.ffiec.gov/media/153119/06-28-12_-_external_cloud_computing_-_public_statement.pdf [hereinafter Outsourced Cloud Computing] (discussing disengagement of cloud computing service providers).
See Karen E. Hoffman, Storms ahead for cloud-based infrastructure?, Independent Banker (Feb. 27, 2018), http://independentbanker.org/2018/02/storms-ahead-for-cloud-based-infrastructure/.
See generally Div. of Banking Supervision and Regulation, Guidance on Managing Outsourcing Risk, Bd. of Governors of the Fed. Reserve (Dec. 5, 2013).
Id. at 2 (“It should focus on outsourced activities that have a substantial impact on a financial institution’s financial condition; are critical to the institution’s ongoing operations; involve sensitive customer information or new bank products or services; or pose material compliance risk.”).
 E.g., Financial Stability Oversight Council, 2017 Annual Report, U.S. Dep’t Treasury (Dec. 14, 2017).
 Financial Stability Oversight Council, 2018 Annual Report, U.S. Dep’t Treasury
 Dodd-Frank Act § 112(a)(2)(K).
 Dodd-Frank Act §§ 113, 804.
 Dodd-Frank Act § 113.
 Dodd-Frank Act § 113(a)(2)(G).
 Financial Stability Oversight Council, Basis of the Financial Stability Oversight Council’s Final Determination Regarding American International Group, Inc., U.S. Dep’t Treasury 8 (Jul. 8, 2013).
Dodd-Frank Act section 102(a)(4), 12 U.S.C. § 5311(a)(4).
 Dodd-Frank Act section 102(a)(6), 12 U.S.C. § 5311(a)(6). The Board of Governors’ Regulation PP describes activities that are financial in nature as defined in section 4(k) of the BHC Act and establishes the requirements for determining if a company is predominantly engaged in financial activities for purposes of Title I of the Dodd-Frank Act. See 78 Fed. Reg. 20756 (April 5, 2013) (to be codified at 12 C.F.R. part 242).
 See Financial Stability Oversight Council Makes First Designations in Effort to Protect Against Future Financial Crises, U.S. Dep’t Treasury (Jul. 18, 2012), https://www.treasury.gov/press-center/press-releases/Pages/tg1645.aspx [hereinafter First SIFMU Designations].
 Dodd-Frank Act § 803(6)(A).
 See Financial Stability Oversight Council Makes First Designations in Effort to Protect Against Future Financial Crises, U.S. Dep’t Treasury (Jul. 18, 2012), https://www.treasury.gov/press-center/press-releases/Pages/tg1645.aspx
 Dodd-Frank Act § 804(a)(2).
See Dan Ryan, Financial Market Utilities: Is the System Safer?, Harvard Law School Forum on Corporate Governance and Financial Regulation (Feb. 21, 2015).
Three supervisory agencies are charged with regulating SIFMUs: the Federal Reserve Board (FRB), the Securities and Exchange Commission (SEC), and the Commodity Futures Trading Commission (CFTC). Although the FRB is the primary regulator of only two of the eight designated SIFMUs, it has been authorized by the Dodd-Frank Act to also supervise the other six SIFMUs indirectly as their backup regulator.
Prudential, AIG, MetLife, and GE Capital were originally designated as nonbank SIFIs but have since been de-designated.
Financial Stability Oversight Council, Authority to Require Supervision and Regulation of Certain Nonbank Financial Companies, Proposed Guidance, 84 Fed. Reg. 9,028, 9,039 (March 13, 2019), available at https://www.govinfo.gov/content/pkg/FR-2019-03-13/pdf/2019-04488.pdf.
 Kress, Jeremy C. and McCoy, Patricia Ann and Schwarcz, Daniel B., Regulating Entities and Activities: Complementary Approaches to Nonbank Systemic Risk (August 24, 2018). Southern California Law Review, Forthcoming.
 Dodd-Frank Act § 112(a)(2)(K), 12 U.S.C. § 5322(a)(2)(K) (2012).