By Carlos León
One of the key lessons of the 2007-2008 global financial crisis is the importance of financial market infrastructures (FMIs) as a pillar of financial stability. Before the crisis, the role of financial market infrastructures, namely the provision of trading, clearing, settling, recording, and compressing services for transactions between financial institutions (FIs), was often taken for granted. This was reflected in FMIs having often been referred to as the financial system’s plumbing, including by the Federal Reserve’s 14th chairman (Bernanke, 2011)—a clear reference to the critical yet concealed importance of FMIs in the safe and efficient functioning of financial markets.
Today, it is clear that the failure of an important FMI will almost certainly lead to systemic instability in financial markets. Given this, it is evident that FMIs are critical infrastructures; that is, based on a definition by the European Commission (2008), FMIs can be considered systems that are essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people.
In light of this importance, it’s perhaps surprising that the literature about financial networks has addressed the importance of FMIs rather recently and sparingly. The archetypical financial network, composed of FIs as elements (the nodes) that are interlinked through different types of relations (e.g., exposures, payments, ownership, common holdings), has been complemented by the introduction of FMIs as an additional layer that provides a medium for FIs to interact. As highlighted in Berndsen, et al. (2018), a network of FIs that does not include FMIs is a logical network—one that displays bilateral relations despite those requiring the intervention of an FMI to exist. And that’s why the plumbing reference is particularly illustrative: when looking at the floor plan of a house, the plumbing is a critical additional layer hidden beneath the first—immediately visible—layer; in a building, carelessly knocking down a wall could have a disastrous effect on the supply of water, electricity, gas, communications within the apartment and even to others above and below–not to mention the effect on the structural integrity of the building.
However, there are further layers beneath those containing FIs and FMIs. In fact, a financial network composed of FIs and FMIs is still a logical network, as the connections between FIs and FMIs also require the intervention of other elements to exist. Those elements provide the physical connection that enables the interlinkages among FIs and FMIs, in the form of wired (e.g., cable) or wireless (e.g., radio waves) connections. That is, as stated by Berndsen, et al. (2018), the interdependence of financial markets with physical networks, such as power and communication networks, makes those networks critical infrastructures and obvious candidates for examining the stability of financial systems from an operational perspective.
The Digital Operational Resilience Act, hereafter DORA, is part of the European answer to the risks posed by information and communication technologies (ICT) to the operational resilience, performance and stability of the financial system. It acknowledges that ICT supports the safe and efficient functioning of the financial sector and the economy as a whole, with increased digitalization and interconnectedness amplifying ICT risk and augmenting the vulnerability of society and the financial system.
DORA aims to understand and manage ICT risks and their potential impact on the financial system, especially in times of stress; that is, to make financial institutions’ operational resilience as important as their safety, soundness, and market conduct. All in all, DORA is a much-needed and long-awaited move to strengthen the European Union financial system by acknowledging and addressing the extreme dependence of financial stability on the safe and efficient functioning of ICT.
Interestingly, DORA applies to a rather broad range of institutions, so-called financial entities. It applies to credit institutions–the mainstay of financial systems and a primary focus of prudential regulation and supervision. But it also applies to other types of non-credit FIs, including payment institutions, electronic money institutions, investment firms, insurance, and insurance intermediaries. Further, it applies to FMIs, such as central securities depositories, central counterparties, and trade repositories. Other financial entities are diverse, including credit rating agencies, crowdfunding service providers, data reporting service providers, and crypto-asset service providers. Finally, outside the financial entities definition, DORA applies to ICT third-party service providers, which include providers of cloud computing services, software, data analytics services, and providers of data centre services.
Indeed, it is uncommon to see such a broad range of entities under the same regulatory umbrella. It includes some entities that have been questioned for their poor performance and lack of accountability (e.g., credit rating agencies) and some that are rather new to the regulatory framework (e.g., crypto-asset service providers). Also, the elephant in the room has been included: the high concentration among a few cloud service providers.
The Elephant in the Room: The Cloud as a Critical ICT
What is the cloud? The cloud refers to the virtual delivery of computing services. According to IBM, there are three main types of cloud services: software as a service (SaaS, on-demand access to ready-to-use application software), platforms as a service (PaaS, on-demand access to a platform for developing, running, maintaining and managing applications), and infrastructure as a service (IaaS, on-demand access to physical and virtual servers, storage and networking).
Cloud concentration risk is an obvious pain point for financial stability. The Bank of England’s July 2021 Financial Stability Report, the U.S. Department of the Treasury’s The Financial Services Sector’s Adoption of Cloud Services report, the International Monetary Fund’s Fintech Notes No. 2022/002, and the Bank for International Settlements’ FSI Insights No.44 have highlighted the importance of cloud services for financial stability and the perils of their concentration. Some numbers give a better perspective on cloud concentration risk related to the financial system, in different dimensions (e.g., ownership, geographical):
- Gartner reports that in 2021 the top five cloud service providers (i.e., Amazon, Microsoft, Alibaba, Google, Huawei) accounted for over 80 per cent of the total market, with Amazon and Microsoft together accounting for about 60 per cent (38.9 and 21.1 per cent, respectively).
- The Bank for International Settlements, in FSI Insights No.44, documents that Amazon is reported to hold a 32% share of the cloud service market, which comprises computing services, associated data analytics, artificial intelligence, and machine learning analytical tools.
- As of 2018, 70 per cent of all Internet traffic in the world was routed through Loudoun County, Virginia, US; thus, Ashburn, a city in Loudoun County, is known as the data centre capital of the world. Northern Virginia has been reported to be the home to about 275 data centres, handling approximately a third of the world’s online use.
- The Bank of England, based on a 2020 survey, reports that more than 70 per cent of banks rely on just two cloud service providers for infrastructure as a service.
- As reported by Eisenbach, et al. (2022), when stress-testing a service provider with multiple large and medium-sized bank clients in the United States, an average of 60% of banks by assets become impaired.
- According to Towning (2021), between 40% and 53% of globally systemically important banks could be immediately impacted by an operational or cyber incident at one of the three largest cloud system providers, i.e. Microsoft, IBM and AWS.
As highlighted in Ball (2021), despite “cloud” suggesting the Internet is something free and natural, beyond the control of people, the Internet is a network of physical cables and connections–each one of them owned by someone and located somewhere. Regarding ownership, the most important cloud service providers are large technology firms, the so-called big techs, such as Amazon, Microsoft, Google, and Alibaba. Regarding location, it is worth remembering that “cloud” is an imprecise term; data centres and infrastructure that host the cloud are on land and under the ocean.
It is precisely the strong interdependence between the highly concentrated physical network provided by big techs and the logical network of FIs and FMIs that is one of the main concerns of DORA. Furthermore, as in most real-life networks, this interdependence and the concentration around a few big techs have increased and are expected to keep increasing; in network parlance, this is the typical preferential attachment network formation process, in which already well-connected nodes tend to keep growing in connectedness because they are the fittest (e.g., efficient, affordable, convenient, profitable) choice for both existing and new nodes in the network, and because they tend to acquire or merge with their peers. That is why big techs are a good case of what DORA considers critical ICT third-party service providers.
Under DORA, a cloud service provider is designated as a critical ICT third-party service provider when the safe and efficient provision of financial services depends clearly on those cloud services. The criteria that determine such designation comprise several angles, including the systemic impact on the stability, continuity and quality of the provision of financial services, measured by the number of financial entities that rely on the ICT third-party service provider and the total value of their assets; the systemic character or importance of the financial entities that rely on the ICT third-party provider; and the degree of substitutability of the ICT third-party service provider, considering the complexity, cost, time, and resources required to effectively migrate to another ICT third-party service provider. It is rather evident that the most well-known big techs should be designated as critical ICT third-party service providers; Towning’s (2021) work on visualizing the network of cloud service providers and a set of global systemically important banks (see Figure 1) is particularly illustrative–and suggests further work to come. However, there are many other ICT third-party service providers whose criticality for the safe and efficient provision of financial services should be properly measured, both on a global basis and with respect to stability in individual markets.
In the aftermath of the 2007-2008 crisis, it was clear that too-big-to-fail was not the only factor to determine the systemic importance of FIs; this was another key lesson of the global financial crisis. Today, it is clear that size, interconnectedness and substitutability are key factors in determining the systemic importance of FIs, FMIs and ICT third-party service providers. Interconnectedness and substitutability are factors that correspond to a network view of the system. Therefore, it is important to work from a network perspective to better understand and manage ICT risks and their potential impact on the financial system.
It is an “Old New” Network Problem
Yes, in the end, this is a network problem. It is an old problem because it surfaced during the 2007-2008 global financial crisis. It is new because it is about introducing ICT third-party service providers and other types of entities to a network that typically accommodates FIs and FMIs only.
This problem is about mapping the interdependencies among nodes (i.e., FIs, FMIs and ICT third-party service providers), assessing their intensity, identifying critical nodes and interdependencies, and simulating stress scenarios to better and comprehensively understand the system. With an enhanced understanding of the system, the weaknesses and challenges can be better addressed by the authorities–in an orderly and efficient manner. Also, with an enhanced understanding of their interdependencies with the system, financial entities can better mitigate risks–financial and operational.
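The mapping and stress simulation described above can be sketched on a three-layer network of ICT providers, FMIs and FIs. This is an added example, not FNA's methodology and not a calculation prescribed by DORA; every entity name, asset figure and dependency below is constructed, and the metrics simply mirror the designation criteria named earlier (reliant entities, their assets, their systemic importance, and substitutability).

```python
from typing import NamedTuple

class Entity(NamedTuple):
    kind: str         # "FI" or "FMI"
    assets_bn: float  # constructed asset size
    systemic: bool    # systemically important?
    providers: set    # ICT providers able to run its critical service (substitutes)
    fmis: set         # FMIs it needs in order to transact

# Constructed sample network; all names and numbers are hypothetical.
ENTITIES = {
    "BankA":    Entity("FI", 900, True,  {"CloudX"}, {"CCP1"}),
    "BankB":    Entity("FI", 400, False, {"CloudX", "CloudY"}, {"CCP1"}),
    "BankC":    Entity("FI", 150, False, {"CloudY"}, {"CSD1"}),
    "InsurerD": Entity("FI", 250, False, {"CloudZ"}, set()),
    "CCP1":     Entity("FMI", 50, True,  {"CloudX"}, set()),
    "CSD1":     Entity("FMI", 30, True,  {"CloudY", "CloudZ"}, set()),
}

def simulate_outage(failed):
    """Return the entities impaired when the ICT providers in `failed` go down."""
    # Direct hit: every provider that could run the entity's service is down.
    impaired = {n for n, e in ENTITIES.items() if e.providers and e.providers <= failed}
    changed = True
    while changed:  # cascade through the FMI layer until a fixed point
        changed = False
        for n, e in ENTITIES.items():
            if n not in impaired and e.fmis & impaired:
                impaired.add(n)
                changed = True
    return impaired

def criticality(provider):
    """Per-provider metrics: reliance, substitutability and stress impact."""
    reliant = {n for n, e in ENTITIES.items() if provider in e.providers}
    impaired = simulate_outage({provider})
    total = sum(e.assets_bn for e in ENTITIES.values())
    return {
        "reliant_entities": len(reliant),
        "reliant_assets_bn": sum(ENTITIES[n].assets_bn for n in reliant),
        "systemic_reliant": sum(ENTITIES[n].systemic for n in reliant),
        "no_substitute": sum(ENTITIES[n].providers == {provider} for n in reliant),
        "impaired_asset_share": round(
            sum(ENTITIES[n].assets_bn for n in impaired) / total, 3),
    }

if __name__ == "__main__":
    for p in ("CloudX", "CloudY", "CloudZ"):
        print(p, criticality(p), sorted(simulate_outage({p})))
```

In this constructed data CloudX and CloudY each serve three entities, yet an outage at CloudX impairs about 76% of assets against about 8% for CloudY: BankB has a substitute provider but is still impaired because the CCP it clears through does not.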
Finally, it is worth remembering that including FMIs in the traditional FIs-only network revealed that the ability to isolate feedback effects and limit cascades–by means of a modular network architecture–depends critically on the well-functioning of FMIs (see Berndsen, et al., 2018). Most likely, introducing ICT third-party service providers into the FIs and FMIs network will have a similar result–strengthening the argument for proper oversight and regulation of the financial system’s plumbing.
For more than a decade, FNA has been committed to uncovering hidden connections and anomalies in large, complex datasets, predicting the impact of stress events, and optimally configuring financial systems and infrastructures. As DORA and other related efforts introduce ICTs into FIs and FMIs networks, FNA stands ready to aid financial authorities to achieve an enhanced understanding of the financial system and financial entities to manage risks better.
Disclaimer: under DORA, FNA is a software and data analytics services undertaking, thus an ICT third-party service provider. To the best of our knowledge, FNA is not yet a critical ICT third-party service provider—but we are working on it.
(1) “Digital operational resilience” is defined in DORA as “… the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring […] the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions;”. DORA is available here: https://eur-lex.europa.eu/eli/reg/2022/2554/oj (retrieved June 22, 2023). Third-party introductions to DORA are available online (all retrieved June 26, 2023): https://www.pwc.com/mt/en/publications/technology/dora.html, https://www2.deloitte.com/nl/nl/pages/risk/articles/digital-operational-resilience-act.html, https://www.dlapiper.com/en-us/insights/publications/2023/01/dora-a-harmonized-framework-to-strengthen-the-digital-operational-resilience.
(2) After the 2007-2008 global financial crisis, the role of credit rating agencies was severely questioned. Efforts by the European Commission to strengthen credit rating agencies’ regulatory and supervisory framework are available here: https://finance.ec.europa.eu/capital-markets-union-and-financial-markets/financial-markets/regulating-credit-rating-agencies_en (retrieved June 26, 2023).
(3) https://www.ibm.com/topics/iaas-paas-saas [retrieved on June 24, 2023]
(4) That is, the systemic importance of the FIs and FMIs that rely on the ICT third-party service provider, along with their interdependence with other financial entities.
(5) Such as the creation of the Cloud Executive Steering Group (CESG) by the U.S. Department of the Treasury; see the announcement here: https://home.treasury.gov/news/press-releases/jy1503 [retrieved on June 26, 2023]
Bains, P., Sugimoto, N., Wilson, C. (2022). BigTech in Financial Services: Regulatory Approaches and Architecture. FinTech Notes, 2022/002, International Monetary Fund. [https://www.imf.org/-/media/Files/Publications/FTN063/2022/English/FTNEA2022002.ashx, retrieved on June 22, 2023]
Ball, J. (2021). The System. Bloomsbury, London.
Bank of England (2021). Financial Stability Report. July. [https://www.bankofengland.co.uk/financial-stability-report/2021/july-2021, retrieved on June 23, 2023]
Bernanke, B. (2011). Clearinghouses, financial stability, and financial reform. In: Remarks at the 2011 Financial Markets Conference. Federal Reserve Bank of Atlanta, April 4, Stone Mountain, GA.
Berndsen, R., León, C., Renneboog, L. (2018). Financial stability in networks of financial institutions and market infrastructures. Journal of Financial Stability, 35, 120-135. [https://www.sciencedirect.com/science/article/abs/pii/S1572308916302340, retrieved on February 23, 2023]
Crisanto, J.C., Ehrentraud, J., Fabian, M., & Monteil, A. (2022). Big tech interdependencies – a key policy blind spot. FSI Insights, 44, Bank for International Settlements. [https://www.bis.org/fsi/publ/insights44.htm, retrieved on June 22, 2023]
Eisenbach, M., Kovner, A., Lee, M.J. (2022). Cyber risk and the U.S. financial system: A pre-mortem analysis. Journal of Financial Economics, 145 (3), 802-826. [https://www.sciencedirect.com/science/article/abs/pii/S0304405X21004578, retrieved on June 23, 2023]
Gartner (2022). Press release: Gartner Says Worldwide IaaS Public Cloud Services Market Grew 41.4% in 2021. June 2. [https://www.gartner.com/en/newsroom/press-releases/2022-06-02-gartner-says-worldwide-iaas-public-cloud-services-market-grew-41-percent-in-2021, retrieved on June 23, 2023]
Olivo, A. (2023). Northern Va. is the heart of the internet. Not everyone is happy about that. The Washington Post, February 10 [https://www.washingtonpost.com/dc-md-va/2023/02/10/data-centers-northern-virginia-internet/, retrieved on June 24, 2023]
Towning, W. (2021). Systemic threats of cloud computing in financial networks. Mimeo.
U.S. Department of the Treasury (2023). The Financial Services Sector’s Adoption of Cloud Services. March. [https://home.treasury.gov/system/files/136/Treasury-Cloud-Report.pdf, retrieved on June 22, 2023]