Faculty of law blogs / UNIVERSITY OF OXFORD

Cloud Computing and Financial Stability: Mapping Regulatory Models and Their Blind Spots

Author(s):

Nydia Remolina Leon
Assistant Professor of Law and Deputy Director, Centre for Commercial Law in Asia, Singapore Management University

Cloud computing has become a core infrastructural layer of modern finance. Banks, insurers, payment institutions and market infrastructures increasingly rely on a small number of hyperscale cloud service providers (CSPs) to run critical systems, process data and deliver essential services. This transformation has triggered an intense regulatory response across jurisdictions. Yet there remains significant uncertainty about how cloud-related risks should be conceptualised within financial stability frameworks.

My recent paper ‘Addressing Financial Stability in the Era of Cloud Computing’ addresses this uncertainty by mapping, comparing and critically assessing the regulatory models currently used to govern cloud dependence in finance, before proposing a framework better aligned with the systemic nature of cloud risk. 

Mapping three regulatory models

The paper identifies three regulatory models through which cloud computing is currently addressed in financial regulation.

The first and most prevalent is the outsourcing model. Under this approach, cloud services are treated as outsourced services provided to regulated financial institutions, with regulatory obligations imposed almost entirely on the financial institution: boards retain full responsibility; material cloud arrangements must be identified, notified and documented; and contracts must provide audit, access, resilience and exit rights. Importantly, outsourcing regimes operate along a spectrum of depth and sophistication. At one end are relatively minimalist frameworks that apply generic third-party risk principles to cloud services; at the other are highly granular, cloud-specific outsourcing regimes. Singapore and Australia sit at this latter end of the spectrum. For instance, in Singapore, the financial outsourcing regime administered by the Monetary Authority of Singapore is even complemented by a cross-sector cybersecurity framework overseen by the Cyber Security Agency of Singapore. Although the 2025 amendments to the Cybersecurity Act extend the Critical Information Infrastructure (CII) framework to systems supporting essential services, including banking and finance, regulatory accountability for cloud risk in finance remains firmly anchored in the regulated financial institution, not the cloud service provider.

The second model is the designation of critical third parties (CTPs) within financial regulation. The EU’s Digital Operational Resilience Act (DORA) and the UK’s Critical Third Party regime reflect a recognition that some CSPs have become systemically important to the financial sector and therefore warrant direct regulatory oversight. These regimes introduce supervisory powers over designated providers, including information-gathering and enforcement mechanisms. CII designation in Singapore attaches to specific systems supporting essential services, not to CSPs as macro-critical infrastructures, and such designations are non-public and security-driven. This contrasts with the EU and UK designation regimes, where ‘critical’ status is expressly framed as a financial-stability tool. 

The third model is prudential capital regulation, where cloud-related disruptions are treated as operational risk and absorbed into banks’ Pillar 1, 2 and 3 frameworks under Basel standards.

A central contribution of the paper is to analyse these models together, as alternative attempts to regulate the same underlying phenomenon: the concentration of critical financial infrastructure within a small number of shared cloud platforms.

Where all models fall short

Once the models are clearly distinguished, their shared limitations become visible. Outsourcing regimes, even highly developed ones like Singapore’s, remain bilateral and static. They are designed to manage risk at the level of individual firm–provider relationships and cannot address what happens when many institutions rely on the same CSP, deploy similar architectures and activate continuity plans simultaneously.

Designation regimes under DORA and the UK framework acknowledge systemic importance but remain largely micro-prudential in regulatory technique, even as they are systemically motivated. They focus on strengthening the resilience of individual providers rather than addressing endogenous concentration, architectural homogeneity or correlated failover behaviour. In some cases, designation may even reinforce concentration by creating a regulatory ‘halo effect’.

Prudential capital regulation is backward-looking and assumes losses are idiosyncratic. While Pillar 2 can respond ex post through supervisory add-ons, capital regulation remains ill-suited to synchronised operational shocks arising from shared infrastructure.

Across all three models, cloud-related systemic risk is treated as a scaled-up version of firm-level operational risk. This misses how cloud computing creates a new infrastructural layer through which connectedness and contagion arise endogenously.

From mapping to proposal: a connectedness and contagion framework

Only after establishing these gaps does the paper advance its proposal: a connectedness- and contagion-aware supervisory framework that treats CSPs as macro-critical financial infrastructure. This includes system-wide dependency mapping, macroprudential capacity buffers for critical CSPs, structural isolation of financial-sector control planes, and stronger coordination through a macroprudential authority with cloud engineering expertise.

The broader claim is not that existing frameworks are misguided, but that they are incomplete. Cloud computing has already become part of the financial stability perimeter. The regulatory challenge is to recognise this shift explicitly and respond with tools designed for system-wide, architecture-driven risk, rather than relying on frameworks built for bilateral outsourcing relationships.

The author’s paper is available here.

Nydia Remolina is an Assistant Professor of Law and Deputy Director, Centre for Commercial Law in Asia, Singapore Management University