Global financial regulators, including the Financial Stability Board (FSB) and the Bank for International Settlements (BIS), are issuing stark warnings about the systemic risks posed by the financial sector's increasing reliance on a small number of large technology companies for essential services like cloud computing and data analytics. This growing concentration of critical third-party providers, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, is seen as a significant threat to global financial stability, with potential-disruption implications for Kenyan banks and the wider East African economy.

The concerns are echoed locally, where Kenyan regulators, including the Central Bank of Kenya (CBK), have highlighted the risks associated with third-party technology providers. At a recent Joint Financial Regulators Forum, Kenyan authorities identified this dependency as a major source of risk, noting that a failure at a single provider could compromise the operations of numerous financial institutions simultaneously. This follows the CBK's ongoing efforts to strengthen the sector's cyber-resilience, with updated guidance planned to address risks from cloud computing and other emerging technologies.

The Global Regulatory Response

The FSB, an international body that monitors the global financial system, has been tracking this issue for several years. In reports published as early as December 2019, the FSB warned that the rapid growth of 'Big Tech' in finance could reduce the resilience of financial institutions. The board's analysis highlights that an operational incident at a major cloud service provider could affect the operations of multiple financial institutions at once, leading to data breaches and system-wide disruption. This concentration risk is a key concern, as the failure of one of these critical tech firms could have a cascading effect across the financial system, potentially freezing payments or other vital services.

In response, regulators in major economies are taking concrete steps. The United Kingdom is implementing a new regulatory framework in 2025 for 'Critical Third Parties' (CTPs), which will grant financial regulators, including the Bank of England, direct oversight over key technology firms. This regime will impose new rules on designated CTPs, including requirements for operational resilience, incident reporting, and effective risk management. Similarly, the European Union's Digital Operational Resilience Act (DORA), with a compliance deadline of January 2025, aims to create a harmonized framework for managing ICT-related risks and bringing critical third-party providers within the regulatory perimeter.

Implications for Kenya and East Africa

For Kenya, a leader in financial innovation in Africa, the move towards cloud adoption is well underway. Local banks and financial institutions are increasingly leveraging cloud services to enhance efficiency, scalability, and customer experience. While this digital transformation offers significant benefits, it also exposes the Kenyan financial sector to the global risks identified by regulators. The CBK has acknowledged these challenges, cautioning financial institutions to balance innovation with robust data security and compliance with regulations like the Data Protection Act.

The CBK's 2017 Guidance on Cybersecurity is currently being updated to better address the evolving threat landscape, including risks associated with cloud computing. This move aligns with global trends toward more stringent oversight of the technology providers that underpin the financial system. The reliance on these services means that a global outage, such as the one caused by a software update in July 2024 that disrupted financial services worldwide, could have a direct impact on Kenyan consumers and businesses. The government's own digital transformation, including its selection of Microsoft for a cloud partnership, underscores the deepening integration of these technology providers into the nation's critical infrastructure.

The international regulatory push suggests that Kenyan financial institutions will need to enhance their own third-party risk management frameworks. This includes conducting thorough due diligence, ensuring contracts have clear stipulations for resilience and data portability, and developing robust contingency plans to mitigate the impact of potential disruptions. As global regulators move to directly supervise Big Tech, the standards they set are likely to influence supervisory expectations in Kenya and across the region, compelling both financial firms and their technology partners to heighten their focus on operational resilience to safeguard the stability of the financial system.