Financial Regulators Worldwide Are Getting the Legal Right to Regulate the Operational Resilience of Big Cloud Service Providers

Date Tuesday, 25 October, 2022 - 11:45–12:30
Presenter Andrew Ellam, Monzo Bank
URL https://www.usenix.org/conference/srecon22emea/presentation/ellam

Abstract

New legal powers are coming for financial regulators worldwide. New laws are being written and passed now. Financial regulators are being given powers to regulate the “critical” cloud service providers.

The things on which they will enforce standards are absolutely central to the SRE discipline (e.g. availability/uptime). Cloud service providers could face large fines or being barred from the market, if they fail to meet required standards.

We (the SRE discipline) will need to successfully collaborate with “risk and compliance” disciplines from the finance field. We need to represent to the regulators the SRE way of doing things and how effective it can be.

Notes

  • Stability of financial services/markets increasingly reliant on a few major cloud service providers
  • Cloud service providers could end up with large fines or even be banned from the market if they fail to meet standards (like uptime and reliability)
  • Personal perspective: worked for startups, big tech, now at Monzo (new to fintech). UK based, UK perspective for this talk.
  • All of the topics discussed talk about financial regulations (so not clinical, for example).
  • Powers are coming but most of the new laws aren’t actually implemented yet.
  • “We should expect global regulatory alignment”
  • Regulators are worried about central concentration (i.e. everything running on the well-known public cloud providers)
  • EU law: Digital Operational Resilience Act (DORA)
  • UK law: Financial services and markets bill
    • See 312N Power of direction (page 40?)
    • 312R Disciplinary measures
  • Personal predictions of what will happen:
    • Might result in services splitting off, “flavors of services specific to finance sector” to keep the rest out of scope
    • More audits/inspections
  • We have a lot to lose if we aren’t involved in the conversation and in shaping how these regulations will be applied in practice. For example, we can end up with a lot of wasteful bureaucracy and useless checklists.
  • There are people in risk & compliance with the same goals as SREs, but they speak an entirely different language and have really different ways of achieving their goals (via laws and regulations). We would benefit by bringing these two groups closer together.
  • Monzo has had to explain to regulators why running workloads as multi-cloud is difficult and actually increases rather than decreases risk. This raises the interesting question of whether regulation could make multi-cloud use easier by enforcing standards that make porting workloads across clouds easier.
  • There is already existing law (with which full compliance is expected by April 2025) that requires banks to follow best practices around architecture to ensure their services don’t go down for reasons other than a fault of the Cloud Service Provider. These laws are really there to enforce fundamental reliability targets for CSP-provided services.
  • In-house datacenters for banks are already regulated. These laws are a bit like treating CSPs more like in-house datacenters.

Chris Evans:

In case it’s interesting to anyone, we wrote a summary of the DORA act here. I used to work at Monzo, and I’ve always found the regulatory side of engineering pretty interesting (and often mildly terrifying).

https://incident.io/blog/dora