Stay in the know
Receive timely insights and briefings from HSF Kramer, tailored to keep you informed and ahead
Over the past few decades, the force of globalisation has fuelled more liberalised cross-border trade, integrated supply chains and the harmonisation of some regulatory frameworks.
However, in recent years we have seen a slowing or in some cases even a reversal of this trend, with greater economic fragmentation arising from geopolitical tensions, nationalism, and protectionist policies.
In this context, the financial services sector, and in particular those working in tech procurement, face increasingly challenging regulatory divergence. From conflicting data localisation laws and intensifying cybersecurity concerns, to rapidly evolving AI governance frameworks and more general trade restrictions, the global tech procurement landscape has never been so complex.
In this article, we explore (i) key trends arising from an increasingly fragmented and uncertain global landscape and their impact on financial institutions' technology procurement, (ii) how financial institutions are adapting and responding to these challenges and (iii) some practical tips for managing compliance issues.
We see regulatory movements towards digital sovereignty and data politicisation. As a result, financial institutions now face a patchwork of restrictions on cross-border data transfer and localisation requirements (ie, rules limiting the processing, transfer or use of specified data outside national borders).
Other than data localisation requirements, regulators are also keen to understand what data arrangements financial institutions have in place with overseas technology providers. This is demonstrated through notifications and other regulatory requirements. For example, financial institutions in Australia that are subject to the Australian Prudential Regulation Authority’s (APRA) Prudential Standard CPS 230 Operational Risk Management (CPS 230) are required to notify APRA in certain circumstances relating to material offshoring arrangements (a key touch point being where data or personnel relevant to the service being provided will be located offshore).
Operational resilience has been a key focus for regulators over recent years in a highly-connected but shifting geopolitical environment. Regulators in some jurisdictions have been stepping up their focus on understanding how economic and non-economic global shocks, geopolitical risks, supply chain risks (including vulnerabilities in relying on internationally-based third-party service providers to deliver essential services and reliance on ‘fourth parties’) and other risks may impact the financial system, and whether or not financial institutions are resilient to such operational risks.
Examples of regulations that address operational resilience include (i) the APRA Prudential Standard CPS 230 in Australia; (ii) the Guidelines on Business Continuity Management and the Guidelines on Risk Management Practices – Operational Risk issued by the Monetary Authority of Singapore (MAS Guideline"); (iii) DORA in the European Union; and (iv) the EU Cyber Resilience Act (EU CRA).
National security is now a heightened priority for countries worldwide. Geopolitical turmoil, rising numbers of state-affiliated cyberattacks, new and emerging national security threats (including pre-positioning attacks), re-emergence of distributed denial of service (DDoS) attacks mounted by politically motivated groups and high-profile data breaches are spurring stricter cybersecurity laws worldwide.
These laws include:
|
Regulatory bodies are testing the ability of financial institutions to safeguard sensitive data and respond effectively to cyber incidents. Pressures to prioritise national resilience are also driving developments in sanctions regimes and approvals of foreign investments into critical asset classes and businesses such as banking, superannuation, insurance and financial markets infrastructure (for example, through FIRB in Australia). In turn, financial institutions must adapt their frameworks and operations, such as the location of their digital infrastructure in some cases, to align with updated requirements.
The rise in artificial intelligence (AI) across economies has also sparked sovereignty debates. Many foundational AI models are developed overseas, with opaque data handling processes, "black box" internal workings that even providers may struggle to fully explain, and priorities that may not align with local needs. This has led to calls for governments to build and invest in domestic AI capability, infrastructure, and expertise. For financial institutions in particular, the risks are twofold: reliance on offshore models raises sovereignty and resilience concerns, while responsible AI use requires addressing issues such as transparency, explainability, and avoiding discriminatory outcomes (eg ensuring algorithms used in credit assessments do not unfairly disadvantage certain groups).
An increasingly protectionist trade climate is disrupting ICT supply chains in the finance industry. Banks and other financial institutions rely heavily on ICT suppliers to provide digital services and store sensitive corporate and customer data. ICT-related trade restrictions are impacting costs at source, creating ripple effects for financial institutions. For example, mounting tariffs on hardware manufacturing hubs like Taiwan, South Korea and Malaysia make components such as chips, servers and cooling systems more expensive and lead to more limited supply. As a result, banks and other financial institutions are having to find ways to mitigate the cumulative effect of trade barriers (ie the incremental costs of tariffs applying each time a component crosses a border along the supply chain).
In light of more stringent local law developments and cybersecurity requirements, in some cases financial institutions have stepped back from centralised, globally connected data centres at the heart of traditional cloud services and have been turning to "sovereign clouds".
Sovereign clouds are architectures for customising and isolating cloud systems to specific jurisdictions. They offer financial institutions several use cases including (i) guaranteed data storage within a country's borders, (ii) enhanced cybersecurity (as sovereign clouds segregate data from other cloud tenants by design) and (iii) a risk mitigant against retaliatory trade measures by pegging stored data to neutral jurisdictions. The downside is typically higher unit cost and potential impacts on redundancy (though the latter element can be mitigated through primary and secondary cloud arrangements).
|
|
We expect to see financial institutions continue to hedge against rising pass-through costs, national security concerns and AI capability by considering options to decentralise and onshore digital infrastructure operations to either the home territory (onshoring) or more local, favourable territories (nearshoring).
For instance, booming investor appetite for data centre development in APAC in recent years means financial institutions now have more optionality when it comes to localising data centre operations within a region. In turn, this reduces compounding costs by bringing data centre value chains closer to hardware manufacturing hubs. It is no surprise that Malaysia, known for its semiconductor and electronics production capacities, is currently the fastest growing data centre market in APAC. It is also the case that hyperscale cloud operators, responding to calls from regulated customers, are also increasingly providing regionalised infrastructure services. Rocky customer sentiment and/or political and media scrutiny over national security concerns may also be feeding this localisation movement. By shifting data processing and storage closer to customers, financial institutions can improve customer confidence and reduce supply chain exposure.
Financial institutions are increasingly partnering with local providers to regionalise their operations in more cost-effective ways and minimise exposure to shifting patterns of trade. Local providers can offer more flexibility when it comes to dealing with and understanding local law requirements – an advantage over other providers who operate at a global scale and do not do a lot of work in the region.
To effectively adapt to a fragmented global landscape, financial institutions should consider the following:
Partner, Melbourne
Partner, London
Partner, London
Partner, Paris
Partner, Paris
Counsel, Germany
Senior Associate, Melbourne
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills Kramer 2026
Receive timely insights and briefings from HSF Kramer, tailored to keep you informed and ahead