On July 13, 2026, the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority began direct supervision of Microsoft Ireland Operations, Google Cloud EMEA, Amazon Web Services EMEA and Oracle Corporation UK — the first four firms formally designated "Critical Third Parties" to the UK financial system. The designation does not authorise these companies or shift legal liability from the banks that use them; it is narrowly scoped to the resilience of specified cloud services that, if disrupted, could take down multiple financial institutions at once. But it is still a first: statutory, direct oversight of infrastructure providers who were previously supervised only at second hand, through the banks contracting with them.
That direct-versus-indirect distinction is worth holding up against India's own regulatory reflex this month — aimed not at cloud infrastructure, but at a single messaging feature.
The trigger: usernames and a real fraud epidemic
On June 29, 2026, WhatsApp began rolling out global usernames, letting users message each other via an @handle instead of a phone number. India's Ministry of Electronics and Information Technology (MeitY) objected almost immediately, issuing WhatsApp a notice directing it not to launch the feature in India "until the consultation on this point is achieved to the satisfaction of the Government," and asking it to explain why regulatory action shouldn't follow. Similar notices went to Telegram and Signal. The original three-day deadline was extended to July 9; Meta submitted a response that week, which MeitY is still reviewing.
The government's underlying concern is not hypothetical. "Digital arrest" scams — where fraudsters impersonate CBI, police or customs officials over video calls and coerce victims into transferring their savings to avoid a fake "arrest" — cost Indians roughly ₹4,057 crore across 297,727 reported cases between 2022 and May 2026, with 2024 alone accounting for ₹1,935.5 crore of that. Overall cyber fraud losses hit ₹22,495 crore in 2025, with complaints up 24% year-on-year. The Supreme Court took suo motu notice of the crisis in a case it is still actively hearing, describing the forgery of judicial orders used in these scams as striking "at the very foundation of public trust in the judicial system." Given that scale, a regulator asking whether a new anonymity feature will make impersonation easier is a reasonable question, not bureaucratic overreach for its own sake.
Where the response goes wrong
The problem is not that MeitY asked the question. It's how it answered it. As the Internet Freedom Foundation's Apar Gupta pointed out, the government is "objecting to a design before any harm has occurred, and asking companies to justify a feature 'to the satisfaction of the government' — [although] no law allows that." There is no statute setting out what satisfies the government, what evidence would clear a feature, or what happens to the next company that ships something similar. Encryption-policy expert Namrata Maheshwari has warned this creates a "slippery slope": once a company demonstrates it's technically possible to withhold or modify a feature for one jurisdiction, other governments gain precedent to demand the same, with far less scrutiny for their reasons than India's own courts might apply.
Compare that to how India already regulates infrastructure risk in finance — the exact domain the UK just expanded into. The Reserve Bank of India's 2023 Master Direction on Outsourcing of Information Technology Services requires banks and NBFCs to conduct due diligence, maintain audit rights, and manage concentration risk before using any cloud provider, including for services from Microsoft, Google or AWS. It doesn't regulate the cloud providers directly — RBI oversees the outsourcing relationship, not Amazon's infrastructure — but it is a published, prospective, rules-based framework that treats every provider the same way. The WhatsApp notice is the opposite: single-company, single-feature, no defined criteria, decided in real time through correspondence.
The actual fraud vector is unaddressed
Usernames barely existed in India when the crackdown began, so they cannot be the primary enabler of a scam pattern with a four-year, ₹4,000-crore track record. Digital arrest fraud runs on impersonation of state authority, forged court documents, and victims' fear of engaging a lawyer before it's "too late" — problems of law-enforcement verification and public awareness, not app design. The Supreme Court's own docket includes fabricated Supreme Court orders used to extort a 73-year-old woman in Ambala out of more than ₹1 crore; no username was involved. Pressuring WhatsApp to withhold a feature does nothing about the SIM-card fraud, forged legal documents, or cross-border mule networks that actually move the money, and India's own government has separately claimed credit for blocking over 83,000 WhatsApp accounts and thousands of Skype IDs tied to these scams using existing enforcement tools — evidence that platform cooperation on takedowns, not feature bans, is where the real leverage already sits.
What a better model looks like
The UK's Critical Third Party regime offers a template worth studying: publish the criteria, apply them evenly across providers, scope the intervention to the specific risk (resilience, not content or product design), and leave everything else to ordinary commercial law. India doesn't need to copy the UK's cloud-resilience framework for messaging apps, but it should borrow the method — durable, general rules instead of one-off notices decided company by company, feature by feature, with no public standard for what compliance requires.