FinCrime Central - Latest AML/CFT News & Vendor Directory

DORA Oversight Raises Sharp Challenges for AML Solution Providers


An exclusive article by Fred Kahn

Possible constraints on AML solution providers now sit at the center of the debate after the designation of critical ICT third-party providers under the Digital Operational Resilience Act. The decision introduces structural challenges for every AML platform operating on public or private cloud infrastructure. Vendors depending on Amazon Web Services, Microsoft, Google Cloud, Oracle, IBM, Equinix, or any other designated provider must now manage heightened supervisory expectations, new due diligence demands from clients, stricter documentation obligations, and more complex operational risk requirements. These constraints alter how AML platforms justify their architectural choices, govern resilience, and manage vendor dependencies, forcing the sector to rethink long-standing assumptions about cloud operations. AML providers now face a transformed landscape where resilience, transparency, and substitutability rise to the same level of importance as detection accuracy or workflow design.

DORA compliance reshapes cloud expectations for AML platforms

The inclusion of major global technology firms in the list of critical ICT providers marks a pivotal moment for operational resilience across the European financial system. Amazon Web Services EMEA, Google Cloud EMEA, Microsoft Ireland Operations, Oracle Nederland, IBM, NTT Data, SAP, Equinix, Interxion, Accenture, Capgemini, Tata Consultancy Services, Orange, Deutsche Telekom, Colt Technology Services, Kyndryl, Bloomberg, Fidelity National Information Services, and LSEG Data and Risk have all been designated. These firms support the infrastructure used by hundreds of AML vendors that deliver screening, monitoring, analytics, onboarding, and reporting solutions.

The new designation introduces a structured oversight mechanism that directly affects AML vendors whose platforms run on these cloud environments. While AML providers have long benefited from scalability, performance, and global reach, the supervisory framework now demands new levels of transparency regarding architecture, recovery, continuity, and governance. Financial institutions must document their exposure to these critical providers, which pushes AML vendors into the supervisory spotlight. This shift impacts the way AML platforms communicate their resilience, explain shared responsibility models, and document inherited controls from their cloud hosts.

Several AML vendors rely on single-provider deployments that historically prioritized performance and global coverage. Under DORA, this approach becomes a potential weakness because it raises questions about substitutability. Clients must now assess whether a vendor can keep operating if the designated cloud provider suffers a prolonged disruption. AML firms that cannot demonstrate tested failover, multi-zone or multi-region redundancy, or a credible path to an alternative provider may be classified as high-risk suppliers in their clients' ICT third-party risk assessments. Some AML platforms will need to redesign core components of their architecture to remain competitive in regulated procurement cycles.

The designation also increases scrutiny over data handling. AML platforms often process high-volume sensitive data from sanctions screening, politically exposed person checks, adverse media processing, and behavioral monitoring. Clients must now understand exactly where data is stored, how logs are retained, how backups are distributed, how cross-border flows are managed, and who, including cloud provider support staff, can access the data. If the cloud provider uses regions outside the EU, AML vendors must present evidence that their encryption at rest and in transit, key management (including whether keys are customer-managed), access restrictions, and audit trails meet resilience expectations. Some financial institutions may request new documentation, architectural diagrams, and penetration test summaries before approving an AML vendor.

Finally, the new framework elevates expectations for vendor oversight. AML vendors must demonstrate that they monitor their cloud providers continuously, understand incident escalation paths, and track service degradation indicators. Although cloud providers deliver resilient environments, DORA makes clear that the financial entity remains fully responsible for its ICT third-party risk: outsourcing transfers the work, not the accountability. AML firms must therefore maintain independent monitoring, validation, and control mechanisms, creating additional internal workloads and governance requirements.

How the new oversight impacts AML vendors using public and private cloud

AML vendors relying on public cloud environments now face the most significant shift in regulatory expectations since the early adoption of SaaS-based compliance tools. Financial institutions must document ICT risk exposure in a way that aligns with the new oversight regime. This forces AML vendors to provide deeper evidence of resilience, often in areas they previously considered out of scope.

Public cloud deployments on Amazon Web Services, Microsoft Azure, Google Cloud, Oracle Cloud, IBM Cloud, and SAP require comprehensive transparency to meet client expectations. Many AML vendors previously relied on standard cloud contracts that limited audit rights and provided generic assurances of security and availability. Under DORA, these general assurances are no longer sufficient: Article 30 sets out the contractual provisions (including access, inspection and audit rights, incident notification, and exit provisions for critical or important functions) that regulated clients must now have in their own contracts with the AML vendor, which in turn pushes the vendor to secure equivalent terms from its cloud providers. AML vendors may need to negotiate enhanced audit provisions, stricter notification timelines, and clearer access to logs, configuration data, and incident evidence.

For AML vendors using multi-tenant architectures, DORA increases scrutiny over segmentation, identity management, and monitoring. Clients may request confirmation that data belonging to different institutions is segregated, encrypted, and monitored independently. These requests may extend to pipeline controls for machine learning models, adversarial testing procedures, patching cycles, and change management documentation. AML firms that update systems frequently must ensure that updates do not compromise continuity. Evidence of testing environments, canary releases, rollback options, and structured deployment governance may become standard client expectations.

Private cloud operators used by AML solution providers also fall under increased attention. Firms such as Colt Technology Services, Deutsche Telekom, Kyndryl, NTT Data, Tata Consultancy Services, Orange, and Capgemini operate private hosting environments critical to several AML platforms. Vendors relying on these providers must evaluate the robustness of their own contractual arrangements and clarify the responsibilities of each party. Supervisors expect financial institutions to map the operating layers, and AML vendors must now provide clear visibility of infrastructure responsibilities, network segmentation, and backup processes.

Another major implication relates to embedded services. AML vendors using sanctions data, analytics tools, or reference data from Bloomberg, Fidelity National Information Services, or LSEG Data and Risk must prepare for deeper due diligence requests. Clients may require clarity on how upstream data providers ensure availability, accuracy, and resilience. The designation of these firms as critical ICT providers means their services fall under direct oversight by a Lead Overseer drawn from the European Supervisory Authorities. AML vendors relying heavily on these sources must therefore be ready to explain data lineage, processing integrity, update cycles, and exception handling.

Operational resilience expectations also extend to governance. AML providers must maintain updated risk registers, define cloud oversight committees, implement structured service reviews, and adopt automated monitoring. These controls must be documented clearly enough for regulated clients to rely on them during supervisory interactions. AML firms without established governance frameworks may struggle to meet the rising standard.

Finally, the new environment impacts AML vendors servicing smaller financial institutions. These institutions also fall under DORA expectations, even if they lack internal cloud expertise. AML vendors may need to simplify client documentation, provide structured resilience templates, and support clients in building risk assessments. Vendors failing to help smaller clients navigate these regulatory obligations may be excluded from new business opportunities.

Stricter operational resilience standards reshape commercial dynamics for AML vendors

The regulatory shift alters the commercial and operational position of AML solution providers across the EU. Financial institutions have already begun integrating resilience scores into vendor assessments, and DORA reinforces this shift. AML vendors must prepare for procurement processes where resilience standards, recovery metrics, and architectural transparency weigh as heavily as detection accuracy or analytics quality.

Contract renegotiation becomes a practical reality. AML vendors must review their agreements with public and private cloud providers to ensure alignment with demands from regulated clients. Many cloud contracts limit audit rights, cap liability, and restrict incident-related disclosures. These clauses may conflict with client expectations under DORA. AML firms may need tailored addendums that permit deeper forms of inspection, enhanced notification requirements, and evidence sharing obligations.

Another commercial shift involves migration decisions. Some AML vendors may consider adopting multi-cloud strategies to reduce concentration risk. Although multi-cloud execution is complex, it may become necessary for AML providers seeking access to large banks and insurers. Vendors unable to demonstrate redundancy across providers risk exclusion from shortlists or classification as high-risk suppliers. Even vendors committed to a single provider may need to demonstrate region-level redundancy, automated failover, and regular restore testing against real backups rather than paper recovery plans.

Clients will also increase scrutiny regarding model governance. AML platforms relying on machine learning models, natural language processing, or anomaly detection engines must show how these models behave under degraded cloud conditions. Supervisors expect financial institutions to ensure continuity of critical processes, and AML vendors must provide evidence that detection pipelines remain functional during outages or failover events. This may require new forms of resilience testing and documentation, especially for vendors offering real-time or near-real-time analysis.
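The paragraph above asks vendors to show how a detection pipeline behaves when its cloud dependencies degrade. As an added illustration (not code from the article or from any vendor named in it), the following Python sketch shows one defensible design for a sanctions screening step: it normally queries a primary list provider, falls back to a locally cached snapshot during an outage, fails closed rather than open once that snapshot is older than a policy threshold, and stamps every decision with the source used and the snapshot age so the audit trail records exactly when the pipeline ran in degraded mode. The 24-hour threshold, the sanctioned names, and the failure scenario are all constructed for the example.

```python
"""Degraded-mode sanctions screening with an explicit fail-closed policy.

Hypothetical illustration: primary provider -> fresh cached snapshot -> refuse.
Everything below (threshold, names, scenario) is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

MAX_SNAPSHOT_AGE = timedelta(hours=24)   # assumed policy threshold, not a DORA figure


class ProviderUnavailable(Exception):
    """Raised by the primary list fetch when the upstream service is down."""


@dataclass(frozen=True)
class Snapshot:
    names: frozenset        # normalised sanctioned names
    fetched_at: datetime    # when the snapshot was taken from the primary


@dataclass(frozen=True)
class Decision:
    subject: str
    hit: bool
    source: str             # "primary" or "cache"
    degraded: bool          # True whenever the cache was used
    snapshot_age: timedelta  # zero for primary, real age for cache


def normalise(name: str) -> str:
    """Minimal name normalisation: case-fold and collapse whitespace."""
    return " ".join(name.lower().split())


class Screener:
    def __init__(self, fetch_primary: Callable[[], frozenset], now: Callable[[], datetime]):
        self._fetch_primary = fetch_primary   # injected so outages can be simulated
        self._now = now                       # injected clock for deterministic tests
        self._cache: Optional[Snapshot] = None

    def screen(self, subject: str) -> Decision:
        key = normalise(subject)
        try:
            names = self._fetch_primary()
        except ProviderUnavailable:
            return self._screen_from_cache(key, subject)
        # Primary succeeded: refresh the cache and answer from live data.
        self._cache = Snapshot(frozenset(normalise(n) for n in names), self._now())
        return Decision(subject, key in self._cache.names, "primary", False, timedelta(0))

    def _screen_from_cache(self, key: str, subject: str) -> Decision:
        # Fail closed: no screening result is better than a silently stale one.
        if self._cache is None:
            raise RuntimeError("fail closed: primary unavailable and no cached snapshot")
        age = self._now() - self._cache.fetched_at
        if age > MAX_SNAPSHOT_AGE:
            raise RuntimeError(f"fail closed: cached snapshot is {age} old")
        return Decision(subject, key in self._cache.names, "cache", True, age)


def run_failover_scenario() -> Dict[str, object]:
    """Constructed scenario: primary healthy, then down with a fresh cache, then stale."""
    clock = {"t": datetime(2025, 1, 1, tzinfo=timezone.utc)}
    primary_up = {"ok": True}
    sanctioned = ["Ivan  Example", "Acme Front Ltd"]     # constructed sample list

    def fetch() -> frozenset:
        if not primary_up["ok"]:
            raise ProviderUnavailable()
        return frozenset(sanctioned)

    screener = Screener(fetch, lambda: clock["t"])
    results: Dict[str, object] = {}
    results["normal"] = screener.screen("ivan example")      # answered by primary
    primary_up["ok"] = False                                 # simulated outage begins
    clock["t"] += timedelta(hours=2)
    results["degraded"] = screener.screen("Acme Front Ltd")  # answered from 2h-old cache
    clock["t"] += timedelta(hours=30)                        # cache now 32h old
    try:
        screener.screen("someone else")
        results["stale"] = None
    except RuntimeError as exc:
        results["stale"] = str(exc)
    return results


if __name__ == "__main__":
    for label, value in run_failover_scenario().items():
        print(label, value)
```

The point a client reviewer would check is not the matching logic but the two policy decisions: the pipeline keeps working through a short upstream outage, and it stops, visibly, rather than screening against stale data once the outage outlasts the agreed tolerance.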

A key concern involves cross-border data management. AML platforms often use regional clusters to improve latency and performance. However, data governance under DORA requires clear documentation of where personal data and logs are stored, which jurisdictions host backups, how access is restricted, and how encryption keys are managed. Vendors must map these processes precisely and ensure that clients receive updated documentation before onboarding. AML firms with complex or opaque data flows may struggle to clear client due diligence at all.

Finally, commercial pressures may intensify for AML vendors with limited engineering resources. Enhancing resilience, updating documentation, adopting new governance structures, and renegotiating cloud contracts require significant investment. Larger AML firms may absorb these costs more easily, while smaller vendors may struggle. The new environment may encourage consolidation, strategic partnerships, or acquisitions as firms seek stronger operational foundations.

A forward look at operational expectations and strategic choices for AML providers

The designation of critical ICT third-party providers launches a new phase of oversight that will evolve across the coming years. AML vendors must anticipate deeper examinations, thematic reviews, and resilience-oriented audits. Clients will expect evidence that AML providers understand the operational characteristics of their cloud environments and the implications for continuity.

A strategic response involves developing a multi-layered resilience model. AML vendors may need to diversify their infrastructure, introduce parallel deployments, adopt alternative hosting strategies, or enhance hybrid configurations. Even if vendors do not pursue full multi-cloud migrations, they must document exit strategies, failover designs, and recovery sequences. This documentation must be clear enough for clients to use during supervisory engagements.

Governance enhancements become central. AML platforms must formalize oversight, create cloud steering committees, define incident escalation paths, and update risk management documents regularly. Evidence of continuous monitoring, verification of backups, load-testing, and incident analysis will be essential. Clients will request this documentation during onboarding, periodic reviews, or remediation cycles.

Incident readiness must also evolve. AML vendors must classify incidents more precisely, maintain forensic records, and provide timely summaries aligned with client reporting obligations: major ICT-related incident reporting under DORA Article 19 runs on fixed timelines, so a vendor notification that arrives late leaves the client unable to meet them. Vendors may need to upgrade incident management platforms and expand round-the-clock monitoring capabilities to ensure rapid detection and communication of disruptions.

Commercially, AML providers that embrace transparency may gain competitive advantage. Vendors able to show clear resilience metrics, simplified documentation, and comprehensive design transparency will strengthen client trust. Conversely, vendors lacking documentation or architecture clarity may face longer procurement cycles, higher scrutiny from clients, or exclusion from regulated opportunities.

Ultimately, AML solution providers must recognize that operational resilience is becoming a core competitive factor. Detection capability, workflow efficiency, and data coverage remain vital, but resilience, substitutability, governance maturity, and cloud transparency now play equally important roles in vendor selection. AML firms that adapt early will be better placed to serve institutions navigating a rapidly evolving regulatory environment.


Source: EBA

Some of FinCrime Central’s articles may have been enriched or edited with the help of AI tools. They may contain unintentional errors.
