Cyber Security and Cloud Outsourcing of Payments

We study the incentives of competing banks to outsource their payment services to a common infrastructure, managed by a private third-party provider. The latter stores depositors' information in the cloud and offers compatibility services, but is exposed to cyber risk. In the first-best benchmark, the regulator chooses to build a common payment infrastructure when the marginal social benefits are higher than the marginal social costs, and chooses the welfare-maximizing levels of security investment for all players. If the market is unregulated, without cyber risk, banks outsource excessively to the third-party provider compared to the first-best because network effects soften competition for deposits. However, we show that cyber risk and the costs of security may reduce banks' incentives to join the third-party infrastructure, which may result in an inefficiently low level of interoperability of their payment systems. We examine how the liability regime may improve the players' investment in security. We show that increasing the third-party provider's liability towards depositors has a higher impact on payment system security than increasing its liability towards banks. We discuss how several regulatory options impact the security and compatibility of banks' payment systems: supervision of outsourcing agreements, shared responsibility model, public provision of payment services.