A Sovereignty Exposure Profile for a UK mid-market financial-services firm — a challenger bank, building society, mid-size insurer or asset manager.
What this is
Most financial firms now run on software and cloud services rented from a handful of large suppliers. This report asks a simple question about a typical UK mid-market firm: who ultimately controls the technology it depends on, where does its data physically sit, and what could go wrong if a key supplier were cut off or compelled to hand data over?
It is a picture of a typical firm of this kind, not an audit of any one named company.
How we worked it out
We broke the firm’s technology into seven everyday building blocks — the cloud it runs on, its office software, its main business applications, its artificial-intelligence (AI) tools, its data platform, the system that logs staff in, and its payment connections. For each block we looked at four things, all checked against the suppliers’ own public documents and company filings:
- How few real alternatives are there? (If only one supplier can realistically do the job, you are exposed.)
- Whose laws can reach the data? A British supplier answers to UK law. A US supplier — even one storing data in Britain — can be compelled under the US CLOUD Act (the Clarifying Lawful Overseas Use of Data Act, a 2018 law that lets US authorities require a US company to hand over data it controls, wherever in the world it is stored) and under Section 702 of the US Foreign Intelligence Surveillance Act, a surveillance power. Keeping data in a “UK region” does not remove this reach — the test is who controls the company, not where the data sits.
- How hard would it be to leave? Some services you could swap in days; others would take a year to migrate.
- Can you see inside and control it while you use it? Or is it a closed “black box”?
We then judged two separate harms for each block, each rated from 1 (low) to 5 (high):
- If access were cut off — could the firm keep operating? (We call this the continuity risk.)
- If the data were read or legally demanded — how bad would that be? (The confidentiality risk.)
A block’s overall rating is the worse of those two. These are the considered judgements of our analysts, informed by verified facts — not precise measurements.
The headline
For this typical firm, every one of the seven building blocks comes out as High exposure on one or both measures. The single most important reason is not any one weakness — it is concentration: the same company, Microsoft, sits underneath most of the stack at once.
The seven building blocks
| Building block | What it does | Main supplier (where it’s controlled from) | Exposure |
|---|---|---|---|
| Cloud | The computers everything runs on | Microsoft Azure — United States | High |
| Office software | Email, documents, meetings | Microsoft 365 — United States | High |
| Business applications | Customer records (CRM) + core banking | Salesforce — US; core platform varies | High |
| AI tools | “Summarise this”, “draft that” | Microsoft (Azure OpenAI) — United States | High |
| Data platform | Where the firm’s data is pooled and analysed | Snowflake — US (runs on Microsoft’s cloud) | High |
| Staff log-in | Controls who can sign in to everything | Microsoft Entra — United States | High |
| Payments | Card and money movement | Visa / Mastercard — United States | High |
(“CRM” means customer-relationship management — the system that holds the customer list and sales history. The “core platform” is the banking or policy-administration engine; this is the one place a firm can meaningfully choose a UK or European supplier — for example Thought Machine, based in the UK — instead of a US one.)
Every supplier on this list is US-controlled (we confirmed each from company filings). That one fact sets the floor for the whole picture: all of this technology is reachable under US law.
The biggest risk: one company underneath most of it
It is tempting to think that using seven different building blocks means the risk is spread out. For this firm, it isn’t. Microsoft controls four of the seven blocks directly — the cloud, the office software, the AI tools and the staff log-in. Add the data platform, which runs on Microsoft’s cloud underneath, and Microsoft effectively sits under roughly two-thirds of the firm’s most important technology.
That matters because a single problem at one company — an outage, a commercial dispute, or a legal order — would not hit one block. It would hit cloud, office software, AI, log-in and data all at once, and because the log-in system fails first, everything else locks up within hours. This is the most decision-useful finding in the report, and it is invisible if you look at each block on its own.
What happens if a supplier is switched off
We imagine a 30-day scenario in which a key supplier withdraws service, and ask how quickly each block would fail versus how long it would take to move to an alternative:
- The payments block would fail in hours and has effectively no substitute — the hardest single dependency.
- Staff log-in fails almost instantly; if it’s down, nothing else can be used.
- Cloud, data and the core banking system would each take six months to a year to move — painful but survivable with planning.
- AI tools are the exception: they could be swapped for an open, self-run alternative in weeks.
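To make the method concrete, the following is an added worked example in Python, constructed for this page rather than taken from the report or from any tooling behind it. It encodes the seven building blocks from the table above with their suppliers and controlling jurisdictions, then reproduces three of the report's steps: the "worse of the two harms" rating with band labels (the 1-5 scores and the Low/Medium/High cut-offs are my assumptions, not the report's ratings), the direct-versus-effective concentration count for one supplier (the data platform counts against Microsoft because it runs on Microsoft's cloud), and the switch-off scenario, including the cascade in which a failed log-in block takes every other block down with it. The hours-to-fail and months-to-migrate figures are likewise constructed illustrative values.

```python
"""Toy sovereignty-exposure model, constructed to illustrate the profile.

Block names, suppliers and jurisdictions follow the profile's table. The
1-5 harm scores, hours-to-fail and months-to-migrate figures are
constructed illustrative values (assumptions, not the report's ratings),
and the Low/Medium/High band cut-offs are likewise assumed.
"""
import math
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional


@dataclass(frozen=True)
class Block:
    name: str
    supplier: str                 # company that controls the service
    jurisdiction: str             # whose law the controlling company answers to
    continuity: int               # 1-5 harm if access were cut off
    confidentiality: int          # 1-5 harm if data were read or demanded
    hours_to_fail: float          # how long the firm keeps working after a cut-off
    months_to_migrate: float      # time to move to an alternative (inf = no substitute)
    hosted_on: Optional[str] = None   # supplier whose cloud the service runs on
    needs_identity: bool = True       # unusable when the staff log-in block is down


IDENTITY = "Staff log-in"

# Constructed sample data; the numeric scores are illustrative only.
BLOCKS = [
    Block("Cloud", "Microsoft", "US", 5, 4, 24, 9),
    Block("Office software", "Microsoft", "US", 4, 4, 4, 6),
    Block("Business applications", "Salesforce", "US", 4, 5, 24, 12),
    Block("AI tools", "Microsoft", "US", 2, 4, 48, 1),
    Block("Data platform", "Snowflake", "US", 4, 5, 24, 9, hosted_on="Microsoft"),
    Block(IDENTITY, "Microsoft", "US", 5, 4, 0.5, 12, needs_identity=False),
    Block("Payments", "Visa/Mastercard", "US", 5, 3, 2, math.inf),
]


def rating(block: Block) -> int:
    """Overall rating is the worse of the two harms."""
    return max(block.continuity, block.confidentiality)


def band(score: int) -> str:
    """Assumed band cut-offs: 1-2 Low, 3 Medium, 4-5 High."""
    if score <= 2:
        return "Low"
    return "Medium" if score == 3 else "High"


def controls(block: Block, supplier: str) -> bool:
    """True if the supplier runs the block directly or hosts it underneath."""
    return supplier in (block.supplier, block.hosted_on)


def concentration(blocks, supplier):
    """(direct count, effective count incl. hosting, effective share of the stack)."""
    direct = sum(b.supplier == supplier for b in blocks)
    effective = sum(controls(b, supplier) for b in blocks)
    return direct, effective, Fraction(effective, len(blocks))


def foreign_reach(blocks, home="UK"):
    """Blocks whose controlling company answers to another jurisdiction.

    Data region is deliberately not an input: the test is who controls the
    company, not where the data sits.
    """
    return [b.name for b in blocks if b.jurisdiction != home]


def cutoff(blocks, supplier):
    """Simulate the supplier withdrawing service.

    Directly hit blocks are those it controls or hosts. If the log-in block
    is among them, every block that needs a log-in goes down too. The
    recovery horizon is the longest migration among the directly hit blocks
    (cascaded blocks come back once log-in is restored).
    """
    hit = [b for b in blocks if controls(b, supplier)]
    down = {b.name for b in hit}
    if IDENTITY in down:
        down |= {b.name for b in blocks if b.needs_identity}
    first_failure = min((b.hours_to_fail for b in blocks if b.name in down), default=None)
    recovery = max((b.months_to_migrate for b in hit), default=0)
    return {"down": sorted(down),
            "first_failure_hours": first_failure,
            "recovery_months": recovery}


if __name__ == "__main__":
    for b in BLOCKS:
        print(f"{b.name:22} {rating(b)} {band(rating(b))}")
    print("Microsoft (direct, effective, share):", concentration(BLOCKS, "Microsoft"))
    print("Reachable under foreign law:", foreign_reach(BLOCKS))
    print("If Microsoft withdrew:", cutoff(BLOCKS, "Microsoft"))
```

Run as a script, it lists every block as High, reports Microsoft at four direct and five effective blocks out of seven, shows all seven blocks reachable under non-UK law even though none of the sample data records a data region, and for a Microsoft withdrawal returns all seven blocks down within half an hour of the log-in failing, whereas a Snowflake withdrawal alone takes down only the data platform. Swapping the constructed scores for a firm's own assessments, or adding a `hosted_on` dependency for a "European" option that still runs on a US cloud, is the intended way to use it.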
What a firm can realistically do
There is no way to make this fully British today, but the exposure can be lowered deliberately — and some moves are cheaper than they look. By building block:
- Artificial intelligence — the quickest win. Instead of sending data to a US AI service, run an open model the firm controls. Open-weight models such as Mistral (a French company) or Meta’s Llama can run on the firm’s own servers or on UK/European hosting, which lowers the legal-reach, lock-in and “black box” problems at once — among the cheapest changes available.
- Cloud — localise now, move where it matters. Pinning workloads to a UK region of the current provider helps in practice but does not remove US legal reach. To remove it, move appropriate workloads to a UK- or European-controlled provider — for example OVHcloud or Scaleway (France), IONOS (Germany), or UK providers such as Civo. Treat this as a multi-year programme for regulated systems, not a flip.
- Core banking / policy platform — choose at renewal. This is the one block where a UK or European supplier is genuinely competitive: Thought Machine (UK), Temenos (Switzerland), Mambu (Netherlands) or SAP (Germany) in place of a US core. Long contracts mean the renewal is the decision point — plan ahead of it.
- Breaking the Microsoft concentration — the structural project. Moving the staff log-in and/or the cloud off Microsoft is the single most valuable structural change, because it stops one problem taking down most of the stack at once. The open-source log-in system Keycloak, self-hosted, is one way to reduce reliance on a single US log-in provider; identity is the hardest block to move, so scope it early.
- Data platform. Keep the data in a UK/EU region, hold your own encryption keys, and favour open table formats (such as Apache Iceberg) so the data is not trapped inside one vendor’s system.
- Payments. Largely accept and monitor — but use domestic UK rails (Faster Payments and Bacs, run by Pay.UK) wherever the use-case allows, rather than the international card schemes.
A practical sequence: start with the AI layer (cheap, fast), localise cloud and data in parallel, line up a UK/European core platform for the next renewal, and treat moving away from a single dominant supplier as the multi-year structural goal.
(Each alternative should be checked against the same four questions before relying on it — some “European” options still host on US clouds or carry foreign investors. These are options to weigh, not recommendations.)
Where the data come from
Every statement about who controls a supplier and where its data sits is taken from primary sources — company filings with the US Securities and Exchange Commission, UK Companies House records, regulators’ publications, and the suppliers’ own legal and security pages — and is listed in the evidence ledger in the full analyst version of this profile. The office-software block (Microsoft 365) was independently verified in detail in June 2026. The judgments about how hard things are to leave, and how critical each block is, are our reasoned view of a typical firm in this sector, stated as such.
How to read this
This is a sector picture, meant to help a firm see where it is exposed and what its realistic options are — not a scorecard of good and bad suppliers. The ratings rank exposure; they don’t measure it precisely, so read them as broad bands (Low, Medium, High), not exact numbers. As with all Information Matters work, this profile reflects the opinions of our team — human and AI — and should not be taken as a statement of fact.



