The UK has placed its four key cloud service providers under direct financial regulatory oversight to reduce the risk of disruption affecting millions of users.

The new framework designates Amazon Web Services EMEA, Google Cloud EMEA, Microsoft Ireland Operations, and Oracle as critical third parties (CTPs), effective 13 July.

Access deeper industry intelligence

Experience unmatched clarity with a single platform that combines unique data, AI, and human expertise.

Find out more

The Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have joint oversight of the four providers.

In a statement on 10 July, the government said the framework is aimed at “strengthening” resilience in financial services.

Under the new setup, the designated providers will face scrutiny aimed at making sure they have effective controls to detect, handle and recover from operational incidents that could affect vital services relied on throughout the financial sector.

The authorities will be empowered to collect information, test resilience and engage directly with the companies to mitigate threats to the continuity of critical services.

Where required, they will also be able to introduce and enforce rules tailored specifically to CTPs.

BoE deputy governor for financial stability Sarah Breeden said: “As critical third parties become increasingly embedded in the operations of financial institutions, they can introduce new forms of systemic risk. Our proportionate approach to overseeing these providers will ensure that these dependencies are managed in a way that safeguards financial stability.”

The BoE said that the CTPs will be expected to identify and control risks to their critical services “effectively”.

According to the central bank, the CTPs must keep “open, timely” communication with both regulators and the financial firms that depend on them, especially when major incidents occur.

It also stressed that the framework “complements, but does not replace” existing rules on outsourcing and operational resilience for regulated firms.

Those firms will continue to bear responsibility for overseeing their own third-party relationships, including due diligence, contingency planning, as well as risk management.

HM Treasury retains authority for adding or removing CTP designations in the future.

Regulators will carry out periodic assessments to determine whether designated companies still meet the required criteria, provide recommendations to HM Treasury and review how effective the oversight regime is in practice.