Risk factors of BigTech, cloud, and AI in financial services are among the key topics that have started to gain much attention among regulators and central banks worldwide.
For example, in the UK, Financial Conduct Authority (FCA) recently published Feedback Statement FS23/4 on Potential competition impacts of Big Tech entry and expansion in retail financial services. The Bank of England (BoE), meanwhile, published Consultation Paper CP 26/23 on Operational resilience Critical third parties to the UK financial sector, which covers the use of cloud service providers by financial institutions. The BoE and FCA are also working jointly on artificial intelligence (AI) regulation, publishing AI Update -further to the Government’s response to the AI White Paper which sets how their existing regulatory framework supports the following five OECD principles: (1) Safety, security, robustness; (2) Fairness; (3) Appropriate transparency and explainability; (4) Accountability and governance; (4) Contestability and redress.
While the issues of BigTech, cloud, and AI in financial services seem to be disconnected at first glance, upon a closer examination, there seems to be new synergistic risk factors arising from the provision of AI and cloud services to financial institutions by BigTech firms, which themselves are also starting to enter financial services.
BigTech vertical in financial services
The impact of BigTech entry into retail financial services has already been quite notable in Asia and Latin America, although the impact is still less clear in Europe and the US. Figure 1 presents a stylized BigTech vertical and its possible impact on financial services.
- At the bottom layer of the vertical is cloud services, which financial services providers increasingly rely on. Currently, there are only a handful of major firms that provide cloud services, and most are BigTech firms.
- Next up the layer would be BigTech firms’ core businesses which might include social media and e-commerce platforms, which means that it has network effects and have users in multiple hundreds of millions.
- These core businesses mean that BigTech firms can offer financial services add-ons to the users very easily and quickly at the next layer, provided they have the necessary licenses. BigTech can also leverage on data from their core businesses to provide financial services that meet customer needs at the time and place they need them most, in a tailored fashion.
- Furthermore, at the topmost layer, new generations of AI (e.g. generative AI) increasingly rely on large computational power and access to data for model training, which only BigTech firms can afford.
Some emerging risk factors
The resulting vertical imply the possibility of emerging risk factors that might need to be considered, including (1) walled gardens (as customers are obliged to use services within the BigTech vertical’s ecosystems), (2) monetary sovereignty (think of a BigTech firm like Meta introducing its own stablecoin), and (3) shadow banking (where different financial services can be combined to make bank-like services, without obtaining a banking license, as in the case of Alipay in the late 2010s).
Interestingly, a BigTech vertical such as that represented in Figure 1 can bring about two further risk factors: concentration of market power across different layers of the vertical and single point of failure with respect to cybersecurity.
A. Concentration of market power among BigTech verticals
Cloud infrastructures
It is known that there are only a handful of global cloud providers, and these are BigTech firms. Cloud infrastructures are used in financial services, as they can offer flexibility that legacy systems such as the mainframes cannot. Although many financial institutions and regulators might be quite cautious about putting their data and services onto the cloud (for data privacy and data localization concerns, for example), cloud services can provide flexibility and security that legacy systems cannot. Virtual banks that run their systems on cloud can introduce their products much more quickly than traditional banks, as cloud provides flexibility in testing and introducing new products to customers at scale. There will also be less data silos compared to legacy systems. If financial institutions choose to use cloud as their infrastructures, however, there will only be a few cloud service providers to choose from.
Financial services provision
In Asia and Latin America, BigTech firms have started to also enter into financial services. Experiences from China suggested that these firms can engage in shadow banking, i.e. behave in a bank-like manner without a banking license. By combining separate financial services as payments, lending, wealth management, and insurance which has less stringent compliant requirements, BigTech firms can behave in a bank-like manner without regulatory burdens that come with a banking license. Although Chinese regulators have already implemented measures that will inhibit shadow banking practices by BigTech firms and regulators globally are examining the issues, there will be policy tradeoffs that will need to be considered (e.g. financial inclusion enabled by BigTech offerings v. potentially anti-competitive behavior of large firms).
AI services and applications
New generations of AI, particularly generative AI (genAI), benefit from large amounts of data and large computational power that only the biggest firms can afford. BigTech firms are now dominating AI applications, not only through provisioning of gen AI models for enterprises and end users, but also through data storage and compute power used by financial institutions to develop and maintain their own AI applications. Concentration of compute power and data among BigTech firms mean that financial institutions, if need to deploy genAI, will need to turn to a BigTech firm. If financial institutions want to develop their own AI applications, they might also need to rely on cloud infrastructures of BigTech firms as well.
B. Single point of failure
Although BigTech firms themselves might have superior resources and capacity to safeguard their systems, a failure in their supply chain could ripple to the whole systems, as reflected by global IT outage in July 2024, where a software upgrade by a third-party vendor caused failures of Microsoft-based IT systems, without the fault of Microsoft itself. As financial services firms rely increasingly on a few global BigTech firm for financial serves, a glitch that occurs in a supply chain of IT providers could cause a widespread disruption that potentially can affects stability of the financial system.
The road ahead
As to how to address the emerging challenge of market power concentration and single point of failure, new regulations are starting to come out. Outside the UK, new regulations to help address the challenge of market power concentration include EU’s Digital Services Act which aims to help protect the rights of customers, while EU’s Digital Markets Act aims to ensure that BigTech firms behave in a fair manner. EU’s Digital Operational Resilience Act (DORA), on the other hand, aims to help improve resilience of the financial system, as financial institutions started to rely more and more on third party service providers, including cloud service providers. Additionally, EU’s AI Act was recently also introduced to foster responsible AI development and deployment in the EU.
Interestingly, BigTech firms are global in nature. The risks of concentration of market power and single point of failure from BigTech firms could have global impacts. Coordination among regulators in various jurisdictions might indeed be needed to safeguard global economic and financial stability