Banks entrust a large part of their processes to technology platforms offered by a small number of providers. Are they exposed to over-dependence?
Technology has become an indispensable lever for financial institutions, not only to continue growing but even to ensure their survival. Technologies such as cloud computing or artificial intelligence are fundamental for large banks, which turn to big tech and a small group of technology providers to take advantage of all the power their platforms offer.
This is the best, and perhaps almost the only, way to exploit all the possibilities offered by technology. After all, financial institutions cannot devote all their resources to the development of this type of technology; they have to focus on their core business. Nor can they compete with big tech in terms of resources and talent.
“This is mainly due to the significant costs involved in developing these technologies effectively and efficiently by banks,” says Francisco Cortés, director of the Master’s Degree in Financial and Banking Advice at the International University of La Rioja (UNIR).
“Collaboration with technology giants brings many benefits in terms of efficiency and access to innovation,” admits Ignacio Castillo, CEO of IMMUNE Technology Institute. However, it also has consequences. “Banks, and any organisation, must be aware of the risks associated with excessive dependence in any area, not just in technology,” he points out.
In fact, José Manuel Campa, chairman of the European Banking Authority (EBA), recently warned about the risk posed by banks’ over-reliance on services provided by a very limited number of technology giants, to which banks outsource essential services such as network infrastructure, data processing management or cloud computing, as reported by Expansión.
Risks of excessive dependence
The concentration of these services in a few providers entails different risks. The first relates to business continuity. “If an essential service is provided by a single provider and it faces an interruption – for technical, financial or legal reasons, among others – banks may find their operations severely affected without quick alternatives. This could trigger anything from operational inconveniences to serious liquidity or solvency problems, depending on the nature of the affected service,” warns Javier Horcajuelo, Director of Systems and IT Security at Sale Systems. “This is especially worrying in the banking sector, where trust and stability are fundamental,” he adds.
We are also facing a potential systemic risk. “When many banks rely on the same vendors, a failure might not affect a single institution, but trigger a systemic crisis. This scenario is particularly worrying for regulators, as a failure in a critical service could spread through the financial system and have wide-ranging economic consequences,” notes Sale Systems’ expert.
Marc Rufé, professor at EAE Business School, also stresses the systemic vulnerability that comes with concentration in the hands of a few providers. “A technical or security failure in a central provider can have a domino effect. For example, if a critical cloud service suffers an outage, banks that depend on that service could experience simultaneous disruptions to their operations, which could trigger a crisis of confidence among customers and disrupt the normal functioning of the financial market.”
Richard Harmon, VP & global head of Financial Services at Red Hat, notes that “the result of increased cloud usage is a hyper-connected financial sector and a larger and potentially more vulnerable attack surface for banks”.
“Increasingly, organisations are accessing a wide range of third-party data and services through the same servers and data centres in the public cloud. If one organisation is vulnerable, it can affect others. In 2021, for example, the US Federal Reserve ran a simulation of how a cyberattack could affect the US financial system. It estimated that the impairment of one of the five most active US banks would likely cause significant spillover effects on other banks, with an average of 38% of the national financial network affected. If banks respond to the uncertainty by hoarding liquidity, the potential impact in terms of defaults is dramatic. It could reach more than 2.5 times daily GDP,” he explains.
In addition, we must take into account the sensitivity of the data held by financial institutions. “Banks handle sensitive financial data. While technology giants often have sophisticated security measures in place, the centralisation of a lot of information in a few companies creates potentially attractive attack points for cybercriminals. A single security breach could compromise a huge amount of data,” Horcajuelo adds.
In this sense, big tech could be targeted not only by cybercriminal groups, but also by governments and state actors, “which raises concerns about privacy and national security”, says the head of Sale Systems.
Concentration also shifts power from banks to big tech. “When there are few dominant providers, banks may find themselves in a disadvantaged position to negotiate contractual terms, pricing and service levels. This can lead to less favourable conditions and higher costs for banks,” Rufé notes.
In addition, it can lead to dependencies and hidden costs. “Once a bank deeply integrates the services of a particular provider into its operations, it can be extremely difficult and costly to disengage or migrate to a new provider. This dependency can lead to long-term hidden costs, such as incremental fees or the need for significant investments if the decision is made to switch to a new provider,” stresses the EAE Business School professor.
Similarly, Horcajuelo points out that “a high concentration of services reduces competition, giving dominant providers great market power”. “This can lead to higher prices, restricted innovation, and unfavourable conditions for banks. In addition, banks may find themselves in a situation of dependency, where switching providers is almost impracticable due to high costs or lack of viable alternatives,” he says.
Rufé further elaborates on the pernicious effect that concentration can have on innovation. “With less competition, there may be less incentive for providers to innovate and improve their services. This could result in banks not having access to the best and latest technologies or solutions available in the market,” he says.
Similarly, he believes it may leave banks with little room for manoeuvre in the face of possible regulatory changes. “If a regulator introduces new requirements or standards, adaptation may be slower or more costly when relying on a small group of vendors that dominate the market, as they may be less agile in adapting their systems to new demands.”
A cross-border problem
Mr Cortés stresses that most of these technology providers “are companies based outside the European Union”, which “implies great vulnerability and high risk”.
“The control and supervision of these companies becomes more complex. And the laws and jurisdictions to which they are subject are different from those of reference for entities in the EU, which means that litigation processes can become extremely complex, requiring ever greater contractual and institutional guarantees,” he says.
Horcajuelo also focuses on political and stability risk. “Relations between countries can affect the stability and availability of certain services. For example, in situations of geopolitical tension, sanctions or even trade conflicts, the provision of critical technology services could be compromised. In addition, foreign companies may be subject to orders from their own government that conflict with European laws or the interests of European banks,” he says.
Another risk relates to the cross-border transfer of data. “When data moves across international borders, it is subject to different data protection and privacy regimes. In the case of the EU, the General Data Protection Regulation (GDPR) sets high standards for the protection of personal data. Non-European companies may not inherently comply with these standards, which would require additional structures and agreements to ensure compliance, such as Standard Contractual Clauses or Privacy Shield agreements,” stresses the EAE Business School professor.
In addition, he believes that “by relying on technological infrastructures located in territories outside EU jurisdiction, banks may find it difficult to ensure the necessary resilience and redundancy and to guarantee the integrity of data and systems in the event of catastrophes or disruptive events”.
In the same vein, the Sale Systems expert points out that “differences in disaster management, local regulation or even time zones can affect a provider’s ability to maintain service continuity”. In addition, he warns that “in the event of a legal or regulatory dispute, overseas assets and operations may be more difficult to access or control, affecting problem resolution and information recovery”.
Finally, Rufé focuses on potential currency exposure. “Fluctuations in exchange rates can affect service costs when services are billed in currencies other than the euro. This can introduce volatility in banks’ operating expenses.”
What services do banks contract for?
Banks rely on technology providers for many services. “Banks frequently turn to technology giants for services such as cloud hosting, data analysis solutions, cybersecurity tools, customer relationship management (CRM) systems, payment infrastructures, and advanced solutions based on artificial intelligence,” says Rufé.
Similarly, Cortés notes that “the massive migration of financial services to the cloud, network infrastructures, as well as everything related to data management and processing, are the most critical services that are being outsourced to digital providers through different formulas of inter-company alliances”. He also points out that “the incorporation of artificial intelligence into this outsourcing process is also growing significantly”.
Horcajuelo also points out that banks contract data hosting, infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) services. “They use these services to run applications, store data and host trading platforms without having to maintain their own physical infrastructure.”
They also look to these providers for predictive analytics, big data management and analytics, customer intelligence and regulatory reporting. “These services help banks to understand market trends and consumer behaviour and to comply with regulatory obligations,” says Sale Systems’ head.
They also demand cybersecurity: network protection, identity and access management, security monitoring and incident response. “Fundamental to protect sensitive customer information and the operational integrity of banks,” says Horcajuelo.
Who dominates the industry?
All these services are dominated by a handful of companies. “The increase in the potential demand for technology services has been accompanied by an increase in the number of companies offering them, the so-called third party providers (TPPs). However, in practice, the power and control of the market lies with a few companies that, a priori, can offer service guarantees due to their size and long track record,” adds Cortés.
These are the leading companies in each of the technological services outsourced by banks:
- Cloud computing. “Among the leading companies we find Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) dominating cloud hosting,” says Rufé. And Horcajuelo agrees with him.
- Big data and data analytics. “Firms such as Google, AWS and Microsoft, along with specialists such as Splunk or Tableau, are prominent,” says the EAE Business School expert. The Sale Systems spokesperson also adds IBM, Oracle and SAS.
- Cybersecurity. Horcajuelo points to Cisco, Symantec and McAfee as dominant companies “and also more niche companies, such as FireEye and Palo Alto Networks”.
- CRM. “In the field of CRM, Salesforce is a dominant figure,” explains the EAE Business School professor.
- Payment infrastructures. Rufé states that “companies such as Adyen and Stripe are benchmarks”.
- Artificial intelligence. “Platforms such as IBM Watson and Google AI are leaders,” says the EAE Business School expert.
How to mitigate the risks of concentration?
The experts consulted emphasise the importance of supplier diversification to try to mitigate the risks posed by excessive concentration. “Banks should consider working with multiple suppliers for critical services. This not only reduces dependence on a single provider, but also provides a safety net in case of failures or interruptions,” Rufé notes.
To this end, he stresses the need to encourage competition. “Regulatory and competition authorities should work to ensure that there are no disproportionate barriers to new players entering the market for technology services for banks. Increased competition can lead to better prices, innovation and less dependence on a few technology giants”.
In the same vein, Horcajuelo advises “promoting investment in local technology companies to develop competence in critical areas such as cloud computing, cybersecurity and data analytics”. “This can be supported by government policies and EU funding, creating an ecosystem that favours innovation and the growth of technology companies within the EU,” he adds.
EU institutions can thus contribute to reducing the risk of banks’ dependence on big tech. “It is in the spirit of the EU to guarantee freedom, privacy and access to information for all its citizens. In fact, it is the most protective economic environment in the world and has the necessary tools to protect us and to constantly update itself in this area,” says Castillo.
In addition, financial authorities have various regulatory tools and instruments at their disposal. For example, Rufé stresses that “they have the ability to establish and modify regulations that dictate how banks should operate, especially in terms of risk management and the relationship with technology providers”. He recalls that “these regulations can address aspects such as minimum standards for cybersecurity, resilience and business continuity”.
“Authorities should consider establishing stricter regulations to ensure that banks have contingency plans in case of vendor failures and that they comply with rigorous cybersecurity standards. Such frameworks could include regular stress tests and risk assessments,” he notes.
Horcajuelo also stresses that “developing common standards for interoperability can reduce dependency on any single vendor and facilitate switching between technology solutions”.
The task is not only to create these frameworks, but also to enforce requirements regarding data protection, cybersecurity standards and data sovereignty. “This includes requiring foreign providers to comply with local laws in order to operate in the region,” says Sale Systems’ Director of Systems and IT Security.
In addition, they can conduct regular inspections and audits to ensure that entities comply with current regulations. “These reviews can focus on the robustness of technology systems, risk management or contractual compliance,” notes the EAE Business School professor.
If these requirements are not met, the authorities have the power to sanction and penalise the institutions concerned, even going as far as withdrawing banking licences in extreme cases.
Beyond regulation, the authorities can issue guidelines and recommendations to guide banks towards best practices in the selection and management of technology providers, as well as carry out stress tests and crisis simulation.
They can also promote transparency by requiring banks to disclose information on their relationships with technology providers. They also have the power to require contractual changes “in situations where substantial risks are identified that could compromise financial stability”, Rufé specifies.
In addition, authorities can set minimum training requirements in relevant areas for bank staff, “ensuring that they are adequately prepared to manage the risks associated with technology providers”, Rufé notes.