Amazon Web Services and Microsoft cloud duopoly to be investigated by Ofcom

Historically, it could be argued that financial institutions were beholden to pick between AWS, Google Cloud and Microsoft Azure for all workloads due to availability, but with other smaller cloud providers offering private cloud fabrics, financial organisations are considering hybrid or multicloud options. However, Ofcom has an alternative view.

Ofcom revealed that AWS and Microsoft had between 70-80% share of the UK’s cloud infrastructure services market in 2022. Google, usually mentioned in the same breath as its competitors, only has 5-10%.

Ofcom has asked the Competition and Markets Authority (CMA) to investigate whether this split of the market share is or will have an adverse effect on competition. However, while Microsoft has stated that they will “engage constructively with the CMA,” Amazon referred to this investigation as an “unwarranted intervention,” as reported in Reuters.

This follows the September 2022 probe into Amazon, Microsoft and Google, citing concerns about the number of businesses investing in cloud services.

According to Ofcom, less than 10% of all businesses’ global IT spending was on public cloud services in 2018, which had risen to 17% in 2022. At the time, if Ofcom had found that the market was not functioning well, a recommendation would have been sent to the government to change policy, as well as enforcement and a market investigation reference being made to the CMA – the latter being what has happened today.

Fergal Farragher, Ofcom’s director responsible for the market study, highlighted that: “The cloud is the foundation of our digital economy and has transformed the way companies run and grow their businesses. From TV production and telecoms networks to AI innovations – all of these things rely on remote computer power that goes unseen.

“Some UK businesses have told us they’re concerned about it being too difficult to switch or mix and match cloud provider, and it’s not clear that competition is working well. So, we’re referring the market to the CMA for further scrutiny, to make sure business customers continue to benefit from cloud services.”

Amazon stalwartly disagreed with Ofcom and a spokesperson said that the UK’s media regulator’s findings were based on “a fundamental misconception of how the IT sector functions, and the services and discounts on offer.”

The features that Ofcom are most concerned with are:
– egress fees, the fees charged when companies want to transfer data out of the cloud, which the ‘hyperscalers’ have set higher than other providers;
– barriers to interoperability and portability, the effort that is require to reconfigure data and applications to work on different cloud; and
– committed spend discounts, the way incentives are structured so it is more beneficial for customers to use a single provider.

This is not the first time that the cloud duopoly, or in some cases, oligopoly has come under fire. In July 2016 and updated in September 2019, the FCA released guidance for firms outsourcing to the cloud. This document mentioned that while the cloud can offer increased flexibility and an opportunity to innovate, “it can also introduce risks that need to be identified, monitored and mitigated.

“These risks primarily affect the degree of control exercised by the firm and specific issues such as data security. Cloud customers may have less control of the supplier, for example the degree to which they can tailor the service provided, and of the data, such as where the data is stored.”

In conversation with Finextra in 2021 on this subject, Orlando Fernández Ruiz, senior technical specialist, governance, remuneration and controls team, prudential policy, Bank of England, explained that when outsourcing, “responsibility or accountability” cannot also be outsourced.

He continued: “Firms will have to implement appropriate governance and controls to oversee the delivery of any service, or utilise the new PRA operational resilience framework, which is not an entirely new study, but brings together initiatives like operational risk management and business continuity.”

Ruiz added that new policies have considered contingency planning and exit strategies, in a technology agnostic manner and the PRA expects any third party to deliver and maintain a business continuity plan in the event of an operational disruption.

“This means that third parties would have to look for alternative mechanisms of continuing to provide important business services and minimise the risk of disruption, with a real emphasis on a stress test.”

The CMA’s investigation will be completed in April 2025.