Four companies just got a new regulator, and none of them are banks. Starting Monday, the Bank of England, the PRA and the FCA will jointly oversee Amazon Web Services, Google Cloud, Microsoft and Oracle as the UK’s first “critical third parties.”

That label used to be reserved for the banks themselves. Now the infrastructure underneath them gets the same treatment: resilience standards, scenario testing, mandatory self-assessments and incident reporting when something breaks. The logic is simple math. When four vendors run the back end for thousands of financial firms, one outage doesn’t stay contained. It cascades.

FCA CEO Nikhil Rathi framed it as a systemic play: “the same providers serve thousands of firms, a single failure can reverberate across the financial system.” Banks still own vendor risk on paper, but now regulators get a second set of eyes directly on the providers, not just the contracts banks sign with them.

This is the opening move, not the whole game. The FCA’s own Mills Review, published this month, already flags AI model providers and hyperscaler compute as the next concentration risk, warning that such concentration could leave banks facing higher prices and weaker bargaining power. Cloud oversight is the template. AI vendors are the logical next name on the list, and the FCA hasn’t ruled it out.

The math here favors the hyperscalers, oddly enough. AWS, Google Cloud, Microsoft and Oracle now face audits and incident reporting, but that’s a fixed cost spread across thousands of client banks. A FinTech leaning on just one of those providers gets no such scale: the same failure exposes it directly to its own regulator, with no other supplier to share the blame and none of the hyperscalers’ bargaining power to soften the bill.

Marcus Webb