Business

Microsoft, Google, Amazon and Oracle to come under UK banking regulation

Ryan Brothwell 3 min read
Microsoft, Google, Amazon and Oracle to come under UK banking regulation

Key Points

  • UK designates Microsoft, Google Cloud, AWS and Oracle as Critical Third Parties from 13 July 2026.
  • Bank of England, PRA and FCA will jointly oversee critical services the four firms provide to the financial sector.
  • Regime established under the Financial Services and Markets Act 2023 to reduce risk of widespread disruption from cloud outages.
  • Oversight covers only systemic services to financial firms, not the providers' wider operations.
  • Further providers may be designated over time under a rolling, risk-based approach.

Four of the world’s biggest cloud and technology providers will come under direct oversight by UK financial regulators from Monday (13 July), after the government designated them as Critical Third Parties to the financial system.

Microsoft Ireland Operations Limited, Google Cloud EMEA Limited, Amazon Web Services EMEA SARL and Oracle Corporation UK Limited are the first firms designated under the new regime, the Treasury announced on Friday (10 July).

The move is intended to reduce the risk that an outage at a single cloud provider disrupts online banking, payments and other services that millions of people and businesses use every day.

Banks and other financial firms have become increasingly reliant on a small number of cloud providers to run core systems. The Treasury warned that disruption at a major supplier could affect multiple firms simultaneously, potentially knocking out services customers depend on.

Under the regime, regulators will be able to gather information from the designated firms, assess their resilience, and work with them to address risks to the continuity of critical services. This includes making and enforcing rules specific to Critical Third Parties where necessary.

Economic Secretary to the Treasury and City Minister Rachel Blake said the designations would help ensure that critical services remain resilient, protecting consumers and businesses while supporting economic growth.

The Critical Third Parties regime was established through the Financial Services and Markets Act 2023. Oversight applies only to the systemic services the firms provide to the financial sector, not their wider operations, and financial firms remain responsible for managing risks from their own suppliers.

The Treasury said the designations followed a period of evidence gathering and engagement with the providers, and that further firms may be designated over time under what it described as a rolling, risk-based regime. There is no statutory limit on the number of Critical Third Parties that can be designated.

All four firms said they would comply with the new requirements. Microsoft said the designation marked a new chapter in its 40-year relationship with UK government agencies, while AWS said it supported the authorities’ objective of ensuring a robust financial system.

Google Cloud said the framework could enhance long-term resilience with effective implementation, and Oracle said it was committed to working closely with regulators and its financial services customers.

The designation means the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority will jointly oversee the critical services these firms provide to banks, insurers and financial market infrastructure.

Now read: UK users to get new controls over social media feeds