Skip to content

UK Places AWS, Google Cloud, Microsoft, and Oracle Under Bank-Level Financial Oversight in First Use of FSMA 2023 Powers

· by Pondero Newsdesk

The short version

HM Treasury formally designated four US cloud providers as Critical Third Parties to the UK financial system on July 10, effective July 13, 2026, marking the first activation of supervisory powers under the Financial Services and Markets Act 2023. The Bank of England, PRA, and FCA can now gather information, test resilience, and enforce sector-specific rules directly against vendors that previously sat outside the UK regulatory perimeter.

UK Places AWS, Google Cloud, Microsoft, and Oracle Under Bank-Level Financial Oversight in First Use of FSMA 2023 Powers

UK financial regulators can now compel the cloud providers running most of the country's banking infrastructure to prove resilience, respond to formal information demands, and face sector-specific enforcement actions. HM Treasury formally designated Amazon Web Services, Google Cloud, Microsoft, and Oracle as Critical Third Parties to the UK financial system on July 10, effective July 13, 2026, marking the first activation of supervisory powers under the Financial Services and Markets Act 2023.

What happened

The designated legal entities are Microsoft Ireland Operations Limited, Google Cloud EMEA Limited, Amazon Web Services EMEA SARL, and Oracle Corporation UK Limited per the HM Treasury announcement. The designation applies only to systemic services each provider sells into the UK financial sector. Broader commercial operations serving non-financial customers fall outside the scope.

Under the Critical Third Party framework, the Bank of England, the Prudential Regulation Authority, and the Financial Conduct Authority can now gather information directly from the four providers, evaluate their operational resilience arrangements, require mandatory self-assessments, set incident reporting requirements, and enforce CTP-specific rules per the Bank of England's announcement. Powers to do so existed on paper under FSMA 2023 but had not been exercised until July 13.

A 2024 survey by the Bank of England and FCA found that Microsoft, Google, and Amazon controlled 73% of cloud computing services used by UK financial companies per the Bank of England announcement. HM Treasury cited a related figure: more than 65% of UK financial organizations rely on the same four providers for core infrastructure per the GOV.UK announcement. That concentration means a single large-scale outage at any one provider could cascade across banks, insurers, and exchanges simultaneously.

HM Treasury described the regime as rolling, with no statutory cap on the number of providers that can be designated. Future rounds can add new entrants without requiring new legislation.

Why it matters

Before July 13, UK financial regulators held authority over the banks, insurers, and exchanges consuming cloud services, but had no direct power over the cloud providers supplying those services. A financial firm could face regulatory scrutiny over inadequate operational resilience even when the root cause of a disruption sat entirely inside a vendor's infrastructure. The CTP designation closes that gap by drawing cloud providers inside the regulatory boundary.

The practical effect runs in two directions. For the four designated providers, any services sold to UK financial firms now carry compliance obligations that did not exist before: resilience assessments, mandatory incident reporting, resilience testing, and the possibility of enforcement if CTP-specific rules are not met. Those obligations attach to the providers themselves, not just to the financial firms consuming their services.

For financial institutions using these platforms, cloud contracts governing UK workloads will need to reflect the new regulatory expectations. Vendor accountability conversations that were previously commercial negotiations can now carry formal regulatory weight. A provider's failure to cooperate with regulator information requests is no longer just a contract dispute. It is a regulatory breach.

The framework also accelerates pressure on concentration risk planning. Firms that had been slow to document single-provider exposure now have a regulatory driver to address it, even though the CTP framework does not mandate multi-cloud architecture outright. Regulators can examine whether a firm's reliance on one of the four providers poses systemic risks and what the firm has done to mitigate that.

Context and reactions

Rachel Blake MP, Economic Secretary to the Treasury and City Minister, said the designations "will help ensure critical services financial firms rely on remain resilient, protecting consumers" per the GOV.UK announcement. Nikhil Rathi, FCA Chief Executive, explained the regulatory logic: "When the same providers serve thousands of firms, a single failure can reverberate across the financial system."

All four vendors issued statements accepting the framework. Microsoft said the designation "marks a new chapter in this relationship" and that it "remains fully committed to complying with oversight." Google Cloud stated the framework "can enhance the long-term resilience of the UK's financial ecosystem and increase understanding, transparency, and trust between parties." AWS said it "will comply with all applicable regulations and remain committed to helping customers meet resilience objectives." Oracle said it is "committed to working closely with regulators and customers toward enhancing operational resilience objectives."

The UK action follows a related European move. In November 2025, the EU named 19 technology firms as critical infrastructure providers under the Digital Operational Resilience Act per The Next Web. Amazon, Google, and Microsoft were on that EU list. Oracle was not. The UK CTP designation is more expansive on that point: Oracle's financial-sector footprint in the UK earned it a designation the DORA process did not extend.

The London Stock Exchange Group's cloud dependency illustrates the practical stakes. LSEG migrated core infrastructure to Microsoft Azure in 2022 and expanded its AWS deployment in April 2025 per The Stack. Both vendors now sit inside the BoE/PRA/FCA regulatory perimeter for the services LSEG consumes. Any resilience shortfall the regulators identify in those vendor services can now be addressed directly rather than only through LSEG as the regulated financial firm.

What to watch next

The first concrete test of the new regime will be the regulators' initial formal information requests to the four providers. The Bank of England, PRA, and FCA have not set a public timeline for that first action, but the mechanism is live as of July 13. Published resilience assessment findings or any enforcement decisions will define how the CTP framework operates in practice and signal how aggressively UK regulators intend to use the new powers.

Watch the scope of future designation rounds as well. HM Treasury confirmed there is no statutory cap on how many providers can be designated. Payment infrastructure firms, critical data vendors, and major software providers to the financial sector are plausible candidates for future rounds. The EU's DORA experience, which began with hyperscalers and broadened to trading platforms and data services, offers one template for where the UK list could expand next.

Sources