Daily Insight - 11th July 2026

UK & EU Edition

Summary

Today's most important change is the UK's first formal designation of four technology providers—Amazon Web Services EMEA, Google Cloud EMEA, Microsoft Ireland Operations and Oracle Corporation UK—as Critical Third Parties to the financial sector, effective 13 July 2026. The Bank of England, PRA and FCA will directly oversee the resilience of their designated systemic services.

This is a major structural change, but it does not transfer responsibility away from companies. Existing operational-resilience, outsourcing and third-party-risk duties continue to apply. Designation also does not mean that a provider or service is inherently resilient or appropriate for a particular bank.

The second major development is Ofcom's consultation on Fraudulent Advertising Codes of Practice, published on 10 July. The proposals would require the largest social-media and search services to strengthen advertiser verification, account integrity and controls intended to prevent scam advertisements. The consultation closes on 2 October 2026, with final decisions planned by mid-2027.

Potential impacts

Customers

Better platform controls could reduce authorised push-payment fraud and impersonation, but implementation will not be immediate. Banks remain exposed to scam advertisements, account takeover, synthetic identities and AI-generated financial promotions.

Regulatory exposure

Regulators can now examine systemic cloud and technology providers directly while continuing to hold banks accountable for outsourcing decisions, impact tolerances, supplier mapping, exit planning and customer outcomes.

Operations and resilience

A common cloud failure could affect customer channels, payments, fraud detection, data processing and cyber monitoring simultaneously. Banks should expect sector-wide testing and regulatory requests for service-level dependency evidence.

Technology

Cloud services must be mapped below the commercial provider level to regions, identity services, control planes, APIs, software components and support arrangements.

Suppliers

Direct oversight of four providers increases transparency but also confirms the systemic concentration risk created by dependence on a small group of predominantly non-UK technology companies.

Data governance and sovereignty

Three designated entities are EU-incorporated operating companies within US-headquartered groups. Banks must distinguish contractual provider location from ultimate ownership, control-plane jurisdiction, remote-access location and foreign-law exposure.

AI governance

Cloud providers increasingly supply AI models, AI platforms and data services. Banks should measure where critical AI and fraud controls share the same provider as their core infrastructure.

Financial crime and fraud

Ofcom's proposals strengthen preventive controls upstream, but banks must retain independent detection, confirmation-of-payee, behavioural analytics and customer-intervention controls.

Conduct

Banks should not imply that new platform obligations eliminate customer risk. Consumer Duty requires clear warnings, proportionate support and fair treatment of victims.

Executive accountability

Boards need consolidated reporting covering critical third parties, cloud concentration, customer-impact scenarios, fraud-platform dependencies, data sovereignty and tested exit capability.

Priority Intelligence Signals

No credible primary-source UK or EU privacy fine, newly confirmed major bank data breach or material banking technology outage published during today's reporting window was identified. Unverified allegations have been excluded.

Critical Third Parties and Cloud Concentration

The designations represent the operational start of a UK regime intended to address risks that no individual bank can adequately manage alone. Regulators will assess the designated providers against outcome-focused resilience rules, but the regime complements rather than replaces banks' obligations under operational-resilience and outsourcing requirements.

Immediate control implications

  • Map each important business service to the precise designated-provider services it consumes.
  • Identify hidden common dependencies across cloud hosting, identity, data, observability, security, AI and disaster recovery.
  • Separate provider-level resilience claims from bank-specific configuration and architecture.
  • Confirm whether recovery arrangements rely on another service operated by the same provider.
  • Test region, account, identity-plane and provider-wide failure independently.
  • Review contractual incident, testing, audit, data-access and exit provisions.
  • Determine which material services remain outside the designation scope.

Executive indicators

  • Percentage of important business services dependent on each designated provider.
  • Number of services dependent on one provider for both production and recovery.
  • Provider-wide and control-plane failure scenarios tested.
  • Untested exit plans and portability gaps.
  • Critical fourth-party dependencies without contractual visibility.
  • Regulatory incidents linked to designated providers.
  • Data assets for which provider or affiliate retains key-management capability.

Fraud, Financial Crime and Conduct

Ofcom's proposed codes address paid-for fraudulent advertising on the largest search and social-media platforms. Ofcom reports that 51% of online adults have encountered potentially fraudulent advertisements on social, search or video-sharing services.

Bank implications

  • Platform verification may reduce scam reach, but fraudsters are likely to migrate toward compromised accounts, organic posts, direct messaging and AI-generated content.
  • Bank fraud systems should capture the originating platform, advert, account and communication channel.
  • Takedown requests should be measurable and escalated where platforms fail to respond.
  • Customer warnings should explain that regulated-looking advertisements can still be fraudulent.
  • Victim treatment must remain consistent with Consumer Duty and reimbursement requirements.
  • Fraud intelligence should inform the bank's response to Ofcom before 2 October.

Priority indicators

  • APP fraud losses by originating platform and advert type.
  • Median time from bank detection to platform takedown.
  • Repeat adverts using the same brand, payee or destination account.
  • Fraud linked to verified or compromised platform accounts.
  • Customer complaints involving misleading advertisements.
  • AI-generated voice, image or video fraud cases.
  • Scam reports sent to platforms and law enforcement with successful outcomes.

Data Privacy, AI and Web Scraping

The EDPB's new web-scraping consultation creates a practical compliance benchmark for organisations that gather online data to train, fine-tune or retrieve information for generative AI. Feedback is open until 30 October 2026.

Principal risks

  • Public availability does not remove GDPR obligations.
  • Data may be inaccurate, stale, excessive or obtained from unreliable sources.
  • Special-category and children's data may be ingested unintentionally.
  • Article 14 transparency may be difficult at scale.
  • Data-subject objections, deletion and correction may not propagate into models.
  • Cross-border scraping can create poorly documented international data flows.
  • Vendor claims that training data is "public" may be insufficient evidence.

Practical actions

  • Add a scraped-data category to ROPA, DPIA and AI-use-case records.
  • Require data-source and collection-timestamp metadata.
  • Detect and exclude special-category, criminal-offence and children's data where not justified.
  • Implement suppression lists and retraining/remediation procedures.
  • Require suppliers to disclose provenance, lawful-basis analysis and rights-handling capability.
  • Record source and processing jurisdictions in data-lineage tools.

Data Sovereignty and Jurisdictional Control

The critical-third-party designations increase supervisory visibility but also expose an important distinction:

A UK-regulated bank may consume a service overseen by UK regulators while the provider's ownership, control plane, software development, support teams or legal exposure remains international.

Sovereignty questions for executives

  • Which legal entity contracts with the bank?
  • Which affiliate operates the control plane?
  • Where are privileged administrators located?
  • Who controls encryption keys and recovery credentials?
  • Can a foreign authority compel disclosure or service restriction?
  • Can the provider transfer telemetry, prompts or support data outside approved regions?
  • Can the bank recover independently of the provider?
  • Can workloads be moved without breaching impact tolerances?
  • Are AI services and cloud infrastructure concentrated in the same corporate group?

Required sovereignty indicators

  • Critical workloads by provider-headquarters jurisdiction.
  • Foreign privileged-access sessions.
  • Bank-controlled versus provider-controlled encryption keys.
  • Services without tested cross-provider portability.
  • Government-access requests or supplier disclosures.
  • Unapproved data-region or support-location exceptions.
  • Critical AI systems dependent on foreign-controlled model APIs.

Operational and Regulatory Outlook

1

Next 7 days

  • Critical Third Party designations take effect on 13 July 2026.
  • Cyber Security and Resilience Bill second reading is scheduled for 14 July 2026.
  • Banks should expect early requests to clarify which designated-provider services are material or systemic.
2

Next 30 days

  • EU AI Act Article 50 transparency obligations apply from 2 August 2026.
  • Banks should complete generated-content, chatbot, marketing and customer-communication assessments.
  • Critical-provider resilience and concentration MI should be escalated to executive committees.
3

Next 90 days

  • EU data-sovereignty consultation closes 8 September 2026.
  • Cyber Resilience Act reporting obligations begin 11 September 2026.
  • Ofcom fraudulent-advertising consultation closes 2 October 2026.
  • EDPB web-scraping consultation closes 30 October 2026.