Financial firms' use of the cloud, including for their critical services, has been increasing over the years and is expected to continue to do so. Once a significant level of critical services has moved to the cloud, a major operational disruption at a cloud service provider (CSP) could interrupt the delivery of these services and hence have systemic implications. This is exacerbated by the predominance of a few CSPs at the global level. However, the prevalent regulatory approach, in which individual financial firms are expected to manage their third-party risks, does not take a systemic view. This paper identifies some considerations for potential oversight frameworks for critical CSPs that take into account their potential systemic importance, as well as the cross-sectoral and cross-border nature of their operations.

JEL classification: G20, G28, O38

Keywords: cloud service provider, critical CSP