kafai - Fotolia
Tech giants come under watch of UK finance regulators
IT suppliers critical to the UK finance sector are now within the remit of the UK’s financial services regulators
UK financial services regulators now oversee IT suppliers that the finance sector relies on to operate.
Four suppliers – the local operations of Amazon Web Services, Google Cloud, Microsoft and Oracle – are initially being regulated, labelled critical third parties (CTPs).
The financial services sector is heavily dependent on cloud services from a few large tech companies. Furthermore, as artificial intelligence (AI) use accelerates, more suppliers will become critical to the sector.
Earlier this year, The Treasury select committee of MPs called on the government to designate AI and cloud providers in its CTPs Regime (CTPR) scheme, which gives the FCA and the Bank of England powers of investigation and enforcement over non-financial firms that provide critical services to the UK financial services sector.
Slow to act
At the time, Treasury Committee chair Meg Hillier MP said that although the Bank of England was “grasping the nettle to some extent”, she was “perplexed at the apparent inertia shown by the Treasury” over placing IT suppliers to the finance sector within the CTPR.
But as of today (13 July 2026) the four firms – which provide critical infrastructure that underpins the UK finance sector, such as cloud services – will be regulated by the Bank of England and the Financial Conduct Authority (FCA). More could eventually fall under the same regulation.
The Bank of England said: “The regulators will work together with the CTPs to address system‑level risks and reduce the risk of disruption to the services they provide spreading across the UK financial system.
“CTPs must identify and manage risks to their critical services effectively, and maintain open, timely communication with regulators and the firms that rely on them, particularly during major incidents.
“As many firms rely on these services, disruption or failure could affect multiple firms or markets at the same time, potentially impacting UK financial stability and services used by millions of consumers and businesses,” added the UK central bank.
This is a significant development and follows demands from MPs for IT suppliers to be included in the CTPR.
Sarah Breeden, deputy governor for financial stability at the Bank of England, said: “As critical third parties become increasingly embedded in the operations of financial institutions, they can introduce new forms of systemic risk. Our proportionate approach to overseeing these providers will ensure that these dependencies are managed in a way that safeguards financial stability.”
Nikhil Rathi, chief executive at the FCA, said: “…a single failure can reverberate across the financial system. Operationalising this regime strengthens our ability to tackle those risks and improve overall resilience, ensuring the UK remains a safe and attractive place to do business.”
Welcomed idea
Chris Skinner, fintech industry expert and CEO at The Finanser, said the development “makes absolute sense”, adding: “After all, 60% of Google cloud clients are financial institutions. If there is ever an outage among any of these tech giants, then you will see a disaster in the making.
“So many financial institutions rely on AWS, Microsoft Azure and Google that they have become systemically important to the financial system. This is the reason why the UK regulators have to step in and give oversight and control over those operations.”
One IT professional in the UK finance sector, who wished to remain anonymous, said it's a very good idea but questioned whether “it has teeth”, adding: “Because they’re global firms and financial service is just one of the many things they do, and the UK is just one of hundreds of countries they operate in, we are a tiny slice of a tiny slice of what we do.
“I’m not sure that the regulators are going to have much power over them. And I don’t think the banks have much choice to move away from them. They can’t ban critical suppliers because the banks have nowhere else to go.
“This is obviously the first four firms, but over time, I imagine the’'re going to expand it into specific other companies and pieces of software. There’s a hell of a lot of shared software behind the scenes that these companies don’t provide, like CrowdStrike, which is a good example.”
Read more about financial services regulation
- After MPs said public and finance systems are ‘exposed to potential serious harm’ from AI because regulators are ‘not doing enough, regulators said they will take action.
- MPs warn that action is needed to ensure artificial intelligence is adopted safely in the finance sector as companies capitalise on its opportunities.
- Government face questions about why a multi-hour outage originating in an Amazon Web Services US-based cloud region caused service disruption to UK bank.
