Regulatory Framework Arrives Just as the Horses Gallop Into the Distance
The Bank of England has a new hobby: writing strongly worded letters to companies it cannot actually fire. On July 13, Britain formally designated Microsoft, Google, Amazon and Oracle as critical third-party suppliers to the UK's financial sector, bringing them under direct regulatory oversight for the first time. This is what happens when a major economy wakes up to the fact that its banks, insurers and market infrastructures run on infrastructure owned by California technology firms. The realization arrived approximately ten years too late.
The numbers explain the panic. HM Treasury found that more than 65 percent of UK financial organisations rely on the same four cloud providers for their infrastructure. This is not diversification. This is monoculture risk packaged as digital transformation. When one of these firms hiccups, dozens of financial institutions catch cold simultaneously. When one fails, the entire system seizes. This became something more than theoretical concern in 2024, when an AWS outage in Europe prompted British lawmakers to ask a pointed question: why did they not already have oversight of the companies that could detonate their financial system?
The answer, as usual, was bureaucratic. The Financial Services and Markets Act 2023 created the legal machinery for this designation, but implementation took the better part of two years. Regulators and regulated firms spent the interim period in mutual confusion about what "oversight" actually means when your regulator has no authority to restructure a company's operations or force it to change vendors. The three-headed regulatory apparatus—Bank of England, Prudential Regulation Authority, Financial Conduct Authority—will now jointly supervise Microsoft, Google, Amazon and Oracle. They will demand resilience testing. They will require self-assessments. They will collect incident reports. None of this prevents the incident itself.
This is the peculiar horror of regulating companies you do not control. The framework works beautifully if you are trying to regulate a British bank that cannot relocate and cannot refuse to comply. It works terribly if you are trying to regulate a technology company that could move its servers to Dubai next week and still service the London market. The regulatory leverage is theatrical. Microsoft and Google will cooperate with the framework because the optics of non-cooperation are terrible and the actual penalties are manageable compared to the cost of losing the UK market. They will submit to testing and reporting. They will promise resilience. And they will continue to operate precisely as they choose, because they can.
The Morning Brief
Enjoying this? Get it in your inbox.
Google Cloud offered the obligatory statement: "With effective implementation and meaningful industry engagement, this new Critical Third Party framework can enhance the long-term resilience of the UK's financial ecosystem." This translates as: we will work with you as long as working with you costs us nothing. Meaningful industry engagement in regulatory matters is usually code for "we negotiated exceptions during the consultation period."
Europe arrived at the same realization slightly earlier. In November 2025, European regulators designated 19 technology providers as critical ICT third-party providers, including Google Cloud, AWS, and Microsoft. This was the regulatory equivalent of locking the barn door after the horses had not only escaped but had already purchased property overseas. Both frameworks share the same fundamental weakness: they attempt to regulate dependence itself rather than reduce it. The smart policy move—forcing financial institutions to maintain diverse infrastructure suppliers, limiting any single vendor to below a threshold of critical functions—was never politically viable. Banks wanted the cost savings of consolidation. Regulators wanted to avoid the howling from the financial sector. So they invented supervision instead, which is cheaper and accomplishes approximately nothing.
The UK has now joined the European Union in formally acknowledging that it has outsourced the operational backbone of its financial system to American technology companies. The regulatory response is to sit very quietly in a room with those companies and ask them to please be careful. This is not a financial stability framework. This is hoping very loudly.
Subscriber Only
Subscribe to The Alignment Times and get every article delivered to your inbox.
Illustration generated with AI
Ingrid Holt
Staff writer covering financial markets and corporate strategy. Has strong opinions about spreadsheets.
Numbers Better Than Expected; Feelings Remain Complicated
Apr 5, 2026
Country Famous For Engineering Efficiency Finds Process Difficult To Engineer Away
Apr 3, 2026