Fed Examined Amazon’s Cloud in New Scrutiny for Tech
2 August 2019
The Federal Reserve conducted a formal examination this spring of an Amazon.com Inc. facility in Virginia, the first of what is expected to be ongoing oversight of giant cloud providers that have become repositories of sensitive banking information, people familiar with the matter said.
Around the same time, prosecutors allege, a 33-year-old hacker in Seattle stole Capital One Financial Corp. data from Amazon’s cloud storage.
The federal examiners who visited Amazon in April are the same ones who regulate Capital One. It doesn’t appear they were aware of the giant hack. A person familiar with the matter said the Fed was told last week, a few days before Paige A. Thompson was charged with stealing personal information of more than 100 million Capital One card customers and applicants.
The examiners were greeted warily at the Amazon offices. Chaperoned by an Amazon employee, they were allowed to review certain documents on Amazon laptops, but not allowed to take anything with them, some of the people said.
The examination points to a culture clash between government and big tech, which has been far less regulated than the financial sector. Antitrust investigations are under way into whether Amazon, Facebook Inc. and other tech companies have used their size and influence to stifle competition.
The examination, headed up by the Federal Reserve’s Richmond branch, also brings to the fore the question of where banks end and where the vendors that power them begin.
The examiners in Virginia were focused on Amazon’s resiliency and backup systems, some of the people said, describing the visit as the first of what is expected to be ongoing oversight of the tech giant.
Technology companies such as Amazon are now a crucial player in the U.S. banking system, whether they want to be or not.
They run the databases that hold customer credit scores and social-security numbers. They analyze risk for banks’ traders and process payments. Cloud computing has made possible services that customers now take for granted, like mobile access to their bank accounts and split-second decisions on their efforts to buy and sell securities.
Amazon is the biggest player, controlling nearly half of the public cloud market in 2018, according to Gartner. Amazon Web Services came out of a 2003 brainstorming session about ways to use the company’s extra data centers. It now contributes three-quarters of the company’s overall profits, helping to support its low-margin retail business.
Goldman Sachs Group Inc., Nasdaq Inc. and payments company Stripe Inc. all use Amazon. A competing cloud service from Microsoft Corp. counts JPMorgan Chase & Co. and TD Bank among its clients. Google, a smaller player, is also courting banks.
Most big banks use all three to some extent. Some, like Capital One, have closed their proprietary data centers and moved much of their digital footprint to the cloud, which makes Amazon and its competitors crucial to day-to-day banking.
But Washington hasn’t figured out yet how to regulate them. Established bank vendors such as FiServ Inc. have been subject to inquiries from financial regulators for years because they provide the core software that runs banks’ deposit and loan platforms.
Regulators have only limited power over nonbanks, and typically rely on banks to vet their own vendors. A U.S. Treasury report last year found that bank regulations hadn’t “sufficiently modernized to accommodate cloud and other innovative technologies.”
Part of that modernization will require reckoning with a cultural chasm between Silicon Valley’s entrepreneurs and Washington officials: After the meeting in Virginia, the Feds sought more documents and information from Amazon, people familiar with the matter said.
The company balked, demanding to first see details about how its data would be stored and used, and who would have access and for how long, some of the people said.
Tech giants have fought new oversight. When the government weighed new cybersecurity standards in 2017, Amazon lobbied against them. Cloud companies, it argued, simply sell a system and turn over the job of running and securing it to their clients.
“Imposing additional cybersecurity requirements…could unnecessarily lead to redundancy and increases in compliance costs, while potentially leaving systemically important financial institutions less secure,” Amazon wrote to regulators in 2017. The proposal was eventually dropped.