Bank of England Gets Power to Regulate Amazon, Google and Other Cloud Giants Serving UK Banks

New rules taking effect this week mean two regulators can now inspect and direct the tech companies that keep Britain's financial system running, a first for the UK.

ThreatVectr Newsdesk· 3 min read
Aerial 16:9 editorial photograph of the Bank of England building in the City of London, shot from directly above at midday, surrounded by dense financial distri
Share

Key points

  • From Monday, the Bank of England and the Financial Conduct Authority gain direct oversight of large cloud and tech providers serving UK banks.
  • The rules target a small group of four firms classed as "critical third parties", which reportedly includes Amazon and Google.
  • The FCA is the Financial Conduct Authority, the UK body that polices financial services firms and protects consumers.
  • The goal is to cut the risk of IT outages or cyber-attacks at these firms disrupting services for millions of UK customers.
  • No specific breach triggered the change: regulators acted on the structural risk of too many banks depending on too few tech suppliers.

Britain's banks do not run on their own computers any more. They rent storage, processing power, and software from a handful of giant technology companies, most of them American. That works well until one of those companies has a serious problem.

From Monday, the Bank of England and the FCA have the authority to tell those companies exactly what resilience standards they must meet. If a cloud provider, meaning a company that rents computing power and storage over the internet, fails to comply, regulators can act directly rather than going through the bank that hired them.

Why does this matter to ordinary bank customers?

Because a single outage at a major cloud company can freeze online banking, block card payments, and shut down business payroll systems all at once, across multiple banks simultaneously. Regulators are not reacting to one specific incident. They are reacting to a concentration risk: too many critical financial services sitting on too few tech platforms.

The Guardian first reported the scope of the change, naming Amazon and Google among the four firms initially brought under the new framework.

The Bank of England and the FCA will now be able to set minimum standards for how these firms protect themselves against cyber-attacks and recover from failures. They can request information, carry out tests, and require changes. The firms themselves, not just the banks that use them, carry the compliance burden.

This matters because existing rules only let regulators pressure banks about their suppliers indirectly. A bank could demand contractual protections from Amazon Web Services, for example, but regulators could not reach Amazon itself. That gap closes this week.

The change sits within the Financial Services and Markets Act 2023, which gave the Treasury the power to designate technology companies as "critical third parties" when their failure could threaten UK financial stability.

What affected organisations should do now. Banks already using cloud services from any designated firm should review their contracts and check what new audit or reporting rights those contracts give them under the updated regime. Tech suppliers affected should treat the FCA and Bank of England as direct regulators, not just clients of their clients, and assign compliance owners accordingly.

© 2026 Threat Vectr