IIF authors Brad Carr and Daniel Pujazon debrief our recent paper on Cloud Service Providers, and some of the potential regulatory treatments for the increasingly critical role they play in the financial system.
Brad and Daniel recount how following the IIF’s earlier 3-part series on cloud computing, several regulators posed questions to the IIF as to whether CSPs might be formally designated as “critical infrastructures,” and what such treatments might look like in practice. They discuss two possible models of such treatment, and how these might impact on the distinct (but sometimes conflated) concerns on concentration and resiliency. They also look at some of the new technological initiatives that are emerging in this space, particularly in portability and containering.
The IIF commends and encourages regulators and policymakers in taking a forward-looking view of emerging risks, while also being cognizant of the current early stage of adoption of cloud technology in the financial services industry. In order to pursue a data-driven and analytical approach, the IIF recommends beginning with the development of metrics for system-wide critical exposures and dependencies, with a workshop of financial institutions, CSPs, and regulators to identify such appropriate metrics.