Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
There are some things in global finance which you really shouldn’t look at too closely if you value your sanity. Repo and money markets would definitely be one. But even the banking system’s funding arrangements are benign compared to the Lovecraftian horror of their IT outsourcing, because there’s no central bank to guarantee a happy ending. As one senior bank supervisor put it a few years ago, there is no such thing as a database provider of last resort.
In other words, Hell is empty, and all the demons are in the ECB Outsourcing Register. The annual “horizontal review” from the ECB’s Banking Supervision committee was published last week. Do you want to know what proportion of “critical functions” are not compliant with basic regulatory guidelines? It’s just under 10 per cent. The average number of “critical” service providers per large bank? Fifty-eight per cent. What’s the average number of subcontractors on the average banking industry outsourcing contract? Four and a bit. What proportion of critical outsourcing providers would be “easy” to replace in the event of a problem? Just 17.7 per cent, although the good news is that the proportion which would be “impossible” to replace is now 8.6 per cent — the remainder are apparently “difficult”.
Whatever the opposite of “setting your mind at rest” might be, that’s what it does to consider the extent to which the European banking system (and it’s unlikely that the US or UK are any better) relies on a complicated web of supply chains for software-as-a-service, offsite data centres and other euphemisms for “other people’s computers”. It’s all driven by the growth of cloud computing, of course — cloud now makes up more than a fifth of the total, having grown 13.5 per cent in the last year (and the ECB’s report is based mainly on data as of the end of 2023, so it is likely to be even more important now).
The growing role of cloud contracts has meant that European banks are, more than ever, dependent not only on a small number of outsourcing providers (30 firms account for half the total spend), but on non-EU firms. Within these top-30 firms, slightly more than 50 per cent of contracts are with companies whose ultimate parent is a US corporation.
Which raises a bit of an issue for Europe, as it starts to worry about strategic independence in a world of heightened geopolitical tension. As Henry Farrell and Abe Newman pointed out in their book Underground Empire, the US controls a number of systems of “weaponised interdependence”, of which two of the most important are the global dollar banking system and the internet. However, it seems that the interaction of finance and distributed computing might have created a third; the Euro area banking system (including the payment rails over which any future central bank digital currency will have to run) is highly dependent on server farms which might be physically located in Europe, but whose owners might ultimately answer to a foreign power.
If you’re looking for a crumb of comfort, it might be that the regulatory definition of a “critical function” in this context is quite expansive; it doesn’t necessarily mean that an executive order could switch off the whole European financial system. But the trouble with the system as it’s currently set up is that it’s practically impossible to say anything about the true level of risk with any degree of confidence.
(* Editorial note to pedants: the FT style guide says data is singular.)
https://www.ft.com/content/7de594be-605c-407e-bf63-fb119d2513bc
