June 3, 2025

Banking on a single cloud platform? It’s time to rethink the risk


As banking customers’ expectations for digital experiences rise and fintech competition grows, the cloud has become essential to staying relevant. But in the rush to modernize, many banks are overlooking a growing risk: cloud concentration, write Vikrant Rai and Graham Tasman.


Banking’s relationship with cloud computing has shifted dramatically. What started as cautious experimentation has evolved to full-scale dependence. Cloud platforms now support everything from customer onboarding to transaction processing. As banking customers’ expectations for digital experiences rise and fintech competition grows, the cloud has become essential to staying relevant.

But in the rush to modernize, many banks are overlooking a growing risk: cloud concentration. The vast majority of cloud services are controlled by just a few providers, also known as hyperscalers, such as Amazon, Microsoft and Google. And many banks have gone all-in with a single provider, or have placed most of their critical services with one.

That’s a problem. It means that critical operations, from payments to lending to customer interactions, are now deeply tied to third-party platforms that banks don’t own, don’t fully control and can’t easily switch away from, for reasons such as vendor lock-in. In trying to solve the risks of outdated internal systems and the constant need for services, upgrades and maintenance, banks have largely traded them for a new kind of dependency that may be even more challenging to manage.

We’ve already seen how a cloud outage can ripple through the financial system. In December 2021, an AWS disruption impacted banking services nationwide. In 2023, Microsoft’s cloud failure affected institutions around the world. And in July 2024, the CrowdStrike update malfunction brought operations at some of the largest banks to a halt. These events weren’t just IT issues; they were business continuity failures with a direct impact on customers and even the economy, and reminders of just how dependent banking-related services had become.

While major cloud service providers offer better security than any single bank could achieve, the key risk here isn’t about IT or cybersecurity controls — it’s about concentration. When critical financial infrastructure is consolidated among just a few service providers, any disruption can cascade through the entire sector and the financial ecosystem.

Regulators have taken notice. In Europe, the emergence of these risks led to sweeping measures like the Digital Operational Resilience Act, or DORA, and the U.K.’s PRA/FCA supervisory oversight, including PRA SS 2/21 on Outsourcing and Third-Party Risk Management. In the U.S., regulators are taking more targeted steps. The U.S. Treasury has warned about the systemic risks of cloud adoption in banking, and the NIST Cybersecurity Framework 2.0 now emphasizes governance and infrastructure resilience, along with technology supply chains and cloud-related interdependencies.

To stay ahead of evolving regulations, and to protect their data, customers and business, banks need to integrate cloud governance with their enterprise risk strategy, a fundamentally different and much-needed approach to cloud governance. This should include thoughtful diversification across multiple providers, regularly tested exit strategies and deep engagement with cloud partners on a shared responsibility model.

First, banks should consider diversifying across multiple cloud service providers. What percentage of critical operations run on a single platform? What would happen if access were lost for 24 hours? For a week? Managing multiple cloud service providers can get complex, but it makes institutions more resilient and lets them operate in a diversified environment shaped by their operational needs, which in turn supports their objectives and key results.

Second, banks must develop exit strategies that are regularly tested. Most institutions dramatically overestimate their ability to migrate workloads rapidly between providers during a crisis. When was the last time your bank actually tested its ability to shift critical systems away from your primary cloud service provider?

Finally, transparent risk reporting is essential. Banks should quantify and disclose their cloud dependencies to boards, regulators and shareholders. 

The time for passive acceptance of this growing interdependence has passed. Bank leaders must act now to ensure that the technological transformation reshaping the industry doesn’t inadvertently create the next systemic crisis.


