reuters.com web signal

UK Puts Microsoft, Google, AWS, Oracle Under Bank Oversight

TL;DR

  • From July 13, Microsoft, Google Cloud, AWS and Oracle become formally supervised as critical third parties to the UK financial sector.
  • The Bank of England, PRA and FCA can now gather information, assess resilience and set rules on each of the four cloud providers.
  • Rachel Blake, Economic Secretary to the Treasury, tied the designation to maintaining trust in the UK's financial system.

The UK just made the four biggest cloud providers something new, supervised entities. From July 13, according to Reuters, Microsoft, Google Cloud, Amazon Web Services and Oracle are formally designated "critical third parties" to Britain's financial system, and their services to UK banks, insurers and financial market infrastructures fall under direct oversight from the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority.

The named entities are specific. Microsoft Ireland Operations Limited, Google Cloud EMEA Limited, Amazon Web Services EMEA SARL and Oracle Corporation UK Limited are the first companies ever named under the UK's Critical Third Parties regime. Regulators will be able to gather information, assess resilience, and set rules on each provider where they touch critical financial services. Rachel Blake, Economic Secretary to the Treasury, framed it plainly, telling reporters via Lynn News that "we are a world-leading financial centre and maintaining trust in our financial system is essential."

The interesting part is less the announcement itself and more the model it locks in. The working assumption at boards for years has been that the hyperscalers were, by default, more reliable and better defended than any single bank could be on its own. UK regulators have just written the counter-view into their rulebook. Concentration risk in the cloud is now treated as a matter of financial stability, not a procurement problem, on the government's own reasoning that disruption at a major supplier could affect multiple firms at the same time. That reframes every future cloud contract negotiation between a UK financial firm and its hyperscaler.

The honest caveat is that a lot of the interesting detail is not in the reporting yet. What has been announced is the perimeter, not the mechanics. The public coverage I've read does not spell out precisely which services fall in scope, what enforcement teeth the three regulators actually carry in practice, or how this meshes with parallel regimes the same four firms are already navigating in other jurisdictions. Take the framework as directional, not finalised.

The forward-looking read is that UK banks, insurers and market infrastructure just gained real regulatory leverage over their cloud contracts, and specialist resilience and alternative-provider vendors have a wedge argument they didn't have a week ago. Microsoft's public response called the designation "a new chapter" in its relationship with the UK, which is the polite version of accepting that the hyperscaler-as-untouchable-supplier era in regulated finance is over.