U.K. names AWS, Google Cloud, Microsoft and Oracle as first ‘Critical Third Parties’ for finance
The U.K. is activating a new systemic-risk regime for big technology suppliers to finance, after HM Treasury on Friday designated Amazon Web Services, Google Cloud, Microsoft and Oracle as the country’s first Critical Third Parties.
The move means the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority will begin joint oversight of the four providers on Monday, July 13. The designated legal entities are Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd. and Oracle Corporation UK Limited, according to an FCA statement.
The designation matters because the firms provide technology services that underpin large parts of the U.K. financial system. Regulators have said that when many banks, insurers and other financial companies depend on the same outside providers, a disruption or failure at one of them can hit multiple firms or markets at the same time, creating a potential financial-stability risk. Ofcom said in 2023 that AWS and Microsoft together accounted for roughly 70% to 80% of the U.K. public cloud infrastructure services market in 2022, illustrating the concentration that has concerned policymakers.
The new regime is narrow in scope. It is aimed at the resilience of critical services those companies provide to U.K. financial firms, not at broadly regulating or authorizing the companies themselves. The FCA said designation is not the same as authorization by financial regulators. Existing outsourcing and operational-resilience rules also remain in place for banks, insurers and other regulated firms, which still carry responsibility for their own third-party risk management, due diligence and contingency planning.
Under the framework, designated Critical Third Parties must identify and manage risks to the critical services they supply to the financial sector, and they must maintain open and timely communication with regulators and client firms, particularly during major incidents. The regime is designed to complement oversight of regulated firms rather than replace it.
This is the first time the Treasury has used its Critical Third Party designation power. The legal basis was created when the Financial Services and Markets Act 2023 amended the Financial Services and Markets Act 2000, giving the Treasury power to designate providers and giving the Bank of England, PRA and FCA authority to oversee them. The regulators published final rules and policy for the regime in November 2024, and those took effect on Jan. 1, 2025, but only apply once the Treasury has designated a provider.
The launch marks a shift in how U.K. authorities address operational concentration risk in finance: not by treating cloud providers like banks, but by directly supervising the resilience of services that have become embedded across the sector.
“As critical third parties become increasingly embedded in the operations of financial institutions, they can introduce new forms of systemic risk,” Sarah Breeden, deputy governor for financial stability at the Bank of England, said in the FCA statement. “Our proportionate approach to overseeing these providers will ensure that these dependencies are managed in a way that safeguards financial stability.”
The Treasury will decide any future designations or de-designations. Regulators said they will periodically review whether designated providers continue to meet the criteria and will assess how well the oversight approach is working as the regime is put into practice.