Today's most important change is the UK's first formal designation of four technology providers—Amazon Web Services EMEA, Google Cloud EMEA, Microsoft Ireland Operations and Oracle Corporation UK—as Critical Third Parties to the financial sector, effective 13 July 2026. The Bank of England, PRA and FCA will directly oversee the resilience of their designated systemic services.
This is a major structural change, but it does not transfer responsibility away from companies. Existing operational-resilience, outsourcing and third-party-risk duties continue to apply. Designation also does not mean that a provider or service is inherently resilient or appropriate for a particular bank.
The second major development is Ofcom's consultation on Fraudulent Advertising Codes of Practice, published on 10 July. The proposals would require the largest social-media and search services to strengthen advertiser verification, account integrity and controls intended to prevent scam advertisements. The consultation closes on 2 October 2026, with final decisions planned by mid-2027.
Better platform controls could reduce authorised push-payment fraud and impersonation, but implementation will not be immediate. Banks remain exposed to scam advertisements, account takeover, synthetic identities and AI-generated financial promotions.
Regulators can now examine systemic cloud and technology providers directly while continuing to hold banks accountable for outsourcing decisions, impact tolerances, supplier mapping, exit planning and customer outcomes.
A common cloud failure could affect customer channels, payments, fraud detection, data processing and cyber monitoring simultaneously. Banks should expect sector-wide testing and regulatory requests for service-level dependency evidence.
Cloud services must be mapped below the commercial provider level to regions, identity services, control planes, APIs, software components and support arrangements.
Direct oversight of four providers increases transparency but also confirms the systemic concentration risk created by dependence on a small group of predominantly non-UK technology companies.
Three designated entities are EU-incorporated operating companies within US-headquartered groups. Banks must distinguish contractual provider location from ultimate ownership, control-plane jurisdiction, remote-access location and foreign-law exposure.
Cloud providers increasingly supply AI models, AI platforms and data services. Banks should measure where critical AI and fraud controls share the same provider as their core infrastructure.
Ofcom's proposals strengthen preventive controls upstream, but banks must retain independent detection, confirmation-of-payee, behavioural analytics and customer-intervention controls.
Banks should not imply that new platform obligations eliminate customer risk. Consumer Duty requires clear warnings, proportionate support and fair treatment of victims.
Boards need consolidated reporting covering critical third parties, cloud concentration, customer-impact scenarios, fraud-platform dependencies, data sovereignty and tested exit capability.
No credible primary-source UK or EU privacy fine, newly confirmed major bank data breach or material banking technology outage published during today's reporting window was identified. Unverified allegations have been excluded.
The designations represent the operational start of a UK regime intended to address risks that no individual bank can adequately manage alone. Regulators will assess the designated providers against outcome-focused resilience rules, but the regime complements rather than replaces banks' obligations under operational-resilience and outsourcing requirements.
Ofcom's proposed codes address paid-for fraudulent advertising on the largest search and social-media platforms. Ofcom reports that 51% of online adults have encountered potentially fraudulent advertisements on social, search or video-sharing services.
The EDPB's new web-scraping consultation creates a practical compliance benchmark for organisations that gather online data to train, fine-tune or retrieve information for generative AI. Feedback is open until 30 October 2026.
The critical-third-party designations increase supervisory visibility but also expose an important distinction:
A UK-regulated bank may consume a service overseen by UK regulators while the provider's ownership, control plane, software development, support teams or legal exposure remains international.
Daily Insight - 11th July 2026