Financial institutions – banks, insurance companies and asset managers – have traditionally carried out most of their information technology (IT) operations in-house by running their own data centres with their own staff.
In-house IT is expensive, inefficient and relatively insecure, and the advantages of outsourcing IT to cloud providers, such as Amazon AWS, Google Cloud and Microsoft Azure, are considerable. Financial institutions benefit from a specialist provider that pays the fixed cost of first-class security, with better staff and facilities, all at a much lower cost than the in-house alternative.
Not surprisingly, outsourcing to the cloud is growing rapidly, generally with the support of the financial authorities (Petralia et al. 2019).
While there are benefits to be had, what are the consequences for systemic risk?
Systemic risk is the likelihood of the eventuality that we suffer a serious financial crisis that can culminate in an economic recession. Systemic crises are not frequent – a typical OECD country can be expected to suffer one in only one year out of 43. However, when they happen, the consequences are severe – witness 1929 and 2008.
When we discuss the systemic consequences of outsourcing to the cloud, we are not talking about major IT systems failures. These can be costly, even in the range of tens or hundreds of billions of dollars, but systemic crises are much costlier still – in the trillions of dollars for the largest economies.
In order for outsourcing to the cloud to impact systemic risk, we must focus on how the likelihood of these infrequent and costly events will be affected.
IT failures with potential systemic consequences
The largest systemic crisis that we have ever experienced – in 1914 – happened because of the failure of the payment system, which was shut down by governments in anticipation of a pending world war. That created a global systemic crisis a month before the actual war broke out.
However, even the loss of such critical infrastructure, such as the payment system or clearinghouse – whether it is by accident or deliberate – is not by itself enough to cause a systemic collapse under most circumstances.
The financial system is very resilient, with multiple mechanisms to help it recover and several powerful economic agents that are incentivised to act in a stabilising way. Any critical system has backups and off-site standby facilities. The financial authorities and the government have contingencies for stepping in with liquidity support, temporary forbearance and other techniques. Systems failures are anticipated and war-gamed, which increases resilience.
All of this means that all but the very largest and most severe disruptions will be resolved – at a high cost, perhaps, but they will not meet the threshold for a systemic event.
To reach the threshold for a systemic crisis, it helps to have double coincidence: two or more separate critical problems at the same time.
For example, the financial system was under high stress in the autumn of 2008, with the disappearance of trust, even panic, and everyone seeking safe assets. If a critical infrastructure had failed, the consequences might have been much more severe than in normal times. This was nearly tested, as demand for printed notes was such that the Bank of England and the ECB came within a few hours of running out.
The double coincidence of systems failure and heightened financial market stress will culminate in a substantially worse crisis than either alone would.
However, such double coincidences are rare. Neither heightened stress nor major idiosyncratic systems failure is common, so the probability of the two happening at the same time is very low.
The cloud lowers volatility and fattens tails
Outsourcing to the cloud reduces cost, as well as microprudential and idiosyncratic risk. Unfortunately, this does not make the cloud system more robust to a systemic crisis for several reasons:
- When IT is done in-house, financial institutions will adopt different solutions and architectures. While this is individually more fragile, it also creates heterogeneity, which provides some herd immunity.
- Outsourcing to the cloud creates a single point of failure, so the failure of a cloud provider will take down the operations of many financial institutions at the same time, as well as other bits of critical infrastructure. Not only will the failure be very damaging, but the cloud vendor will also become a much richer target for those who are intent on damage. Experience suggests that it is impossible to prevent an attack by disgruntled employees or a sufficiently resourced and determined external adversary, even for the most security-conscious organisations.
- In-house IT means that financial institutions retain a pool of experts who can adapt to changing circumstances and improvise as required. The more that IT functions migrate to the cloud, the more financial institutions' IT expertise is hollowed out and the less able they are to respond to a crisis. Cloud experts are not by definition business experts; nor, because their systems are efficient and reliable, are their firefighting skills kept in constant training.
- In a crisis, all clients (in the financial sector and elsewhere) will demand rapid responses from the cloud provider, so resources for recovery will be stretched thin. Finance is unlikely to be given priority, as defence, government operations, and physical infrastructure are likely to come first.
- The international nature of most cloud vendors poses additional challenges due to conflicting political priorities and legal frameworks. Will the establishment in the cloud vendors' home countries compel them to prioritise home interests first in a crisis?
The cloud is systemically important infrastructure
The foreign operations of banks are extensively regulated following the lessons of the 2008 crisis, and a similar regulatory model could be applied to the cloud.
There are several specific steps that the financial authorities could take to mitigate the systemic risk arising from outsourcing to the cloud by improving the resilience of the regulators' ability to intervene should problems arise:
- Regulate cloud provision similarly to other critical infrastructures, such as power and communications, at both national and international levels
- Encourage financial institutions to outsource to regulated cloud providers that specialise in finance, which will then prioritise it and understand it better in times of crisis
- Require such cloud providers to retain substantial redundant facilities
- Wargame recovery with financial institutions and cloud providers, and place legal obligations on cloud providers to participate
- Encourage competition to keep the inevitable oligopolies from becoming too dominant;
- Encourage financial institutions that provide similar essential services to seek different vendors.
However, while national interests clearly need to be considered, it seems desirable to avoid economic nationalism or create industrial policy for the cloud.
Within Europe and not least within the Commission, there is increasing pressure for a European cloud so that Europe achieves digital sovereignty (Euractiv 2019). Such initiatives are not surprising, because Europe has few computer technology companies of note, which is a concern for those with mercantilist tendencies.
Unfortunately, the precedent of Quaero, which was intended to be a European competitor to Google, is not encouraging.
A government-led initiative for the cloud is likely to be less efficient than private provision. It could place European financial institutions at a competitive disadvantage, and, unless it were implemented with great care, the resulting restrictions on competition could be expected to make the market more rather than less concentrated. It seems entirely likely that such a scheme will achieve fewer benefits while failing to reduce risks.
Outsourcing to the cloud is set to improve the efficiency, reliability and security of financial institutions' IT facilities significantly, and hence grow at a rapid pace. However, there is a downside.
The cloud is a critical infrastructure that is controlled by a handful of companies whose failure would be catastrophic. Their very size makes them an attractive target for hostile agents that are intent on causing damage. Additionally, banks' in-house technical expertise is diminished and their facilities heterogeneity reduced, which affects their crisis management capability.
That means that the cloud vendors are SII providers, and they should be designated and regulated accordingly. There are precedents for regulating critical international financial infrastructure (Löber 2019), and the model used for banks' foreign subsidiaries is also useful.
Outsourcing to the cloud lowers volatility and fattens the tails, reducing the likelihood of small events and making major failures rarer but even more damaging.
Euractiv (2019), “Altmaier’s cloud initiative and the pursuit of European digital sovereignty”, 12 September.
Löber, K (2019), "Extraterritorial Application or Regulation in the Area of Financial Market Infrastructure: The Case for Cross-Border Cooperative Oversight", European Financial Infrastructure in the Face of New Challenges, European University Institute (EUI).
Petralia, K, T Philippon, T Rice and N Véron (2019), "Banking, FinTech, Big Tech: Emerging challenges for financial policymakers", VoxEU.org, 24 September.