@en

Telephone 020 3813 2890 for a free no obligation chat about your regulatory requirements with one of our compliance consultants.

© Compound Growth Limited 2012 - 2018 | Terms of Use

Registered in England and Wales as limited company number 07626537 - Registered Office 120 Pall Mall, London, SW1Y 5EA

We use cookies, if you consent to this use, please continue to browse our site.

Here to help with Regulation and Compliance

Compound Growth

Finalised FCA Outsourcing Guidance for IT & Cloud Services

7th July 2016

FCA Guidance: IT Outsourcing to Cloud and third parties

The Financial Conduct Authority today issued their finalised guidance for firms outsourcing to the ‘cloud’ as well as other third party IT services.

Having consulted upon proposed guidance for IT Outsourcing Arrangements & Cloud Services in November last year, FG16/5 sets out the FCA’s finalised stance.

FCA’s IT Outsourcing Guidance - Who will this affect?

Today’s guidance from the regulator will be relevant to any firm that is authorised by the FCA. In particular, it will be of interest to those firms that either already outsource, or are considering outsourcing, to ‘the cloud’ as well as the outsourcing of other IT services to third parties.

What is the ‘Cloud’?

According to the FCA’s guidance, whilst ‘Cloud’ is often interpreted differently and thus is a broad term, the regulator sees it as “encompassing a range of IT services provided in various formats over the internet”

For example, this includes:

• Private, public or hybrid cloud;
• Infrastructure as a Service (IaaS);
• Platform as a Service (PaaS); and
• Software as a Service (Saas)

In providing their finalised guidance the FCA make clear they are aware that cloud services are “constantly evolving”, yet their aim is “to avoid imposing inappropriate barriers to firms’ ability to outsource to innovative and developing areas, while ensuring that risks are appropriately identified and managed.”

Benefits & Risks of using Outsourced Cloud Services:

Whilst utilising cloud based services can provide a greater level of flexibility to firms, with a knock-on benefit for the firm’s customers and the wider market, the use of these services can also introduce risks that need to be identified, monitored and mitigated.

Largely, these risks will affect the level of control that the firm exercises as well as specific issues such as the security of data.

Those firms that use cloud services from a supplier may have less control of the supplier, (such as to what extent the service can be tailored to them), and of the data, (such as where it might be stored).

Thus, the FCA’s guidance aims to help firms (as well as service providers) to understand the regulator’s expectations where cloud and other third party IT services are outsourced. The guidance provides a list of each area that should be considered by a firm during the preparation and evaluation for using such services, as well as the ongoing monitoring of third party services that are essential to the effective functioning of a firm’s business.

Feedback to the IT Outsourcing Consultation:

Respondents were required to submit their comments to the FCA’s November GC15/6 Consultation by 12th February 2016.

Whilst the regulator advises that the comments received required no substantial changes to be made to the proposed guidance, there were some areas where the FCA’s draft guidance was amended to make the regulator’s expectations clearer for firms.

Many of the comments submitted tackled the following issues:

• Clarifying the FCA’s expectations with regards to the aspects of risk management – including concentration risk;
• The scope of the firm’s obligations with regards to the supply chain and sub-contracting arrangements;
• The requirement for physical access to a provider’s premises, together with that of their data centres;
• Specific expectations with regards to exit plans;
• The provisions required to ensure that firms have effective access to data; and
• Issues about the choice and control with regards to the jurisdictions where data is stored, processed and managed.

Notification of Breaches

One particular topic of interest to respondents was the FCA’s stance on the notification of breaches.  Those within the industry were particularly concerned that the FCA’s requirement for providers to notify of “any breaches” would be too onerous with respondents suggesting that “a threshold for beach notification should be determined”.

However, the FCA responded that they “consider that requirements for the notification of breaches to the firm to be an important part of risk management.”

The continued to explain that “While we accept that the wording in the guidance is high-level, we consider that the current wording gives firms some scope to agree with the provider exactly what constitutes a breach (which is generally not a defined term in our rules) or other relevant events, in the context of the service being provided.”

Jurisdiction of Data:

Another topic that received particular comment was in relation to the Jurisdiction of Data storage, processing and management.

The FCA guidance states that firms should have “choice and control” over the jurisdictions in which their data is held. However, commentators thought that this would be impractical and risk stifling innovation since many providers might not be able to allow firms to have full control of this. As a result, the FCA have altered the Finalised Guidance to instead require firms to agree a ‘data residency policy’ with the provider that sets out the jurisdictions where the firm’s data can be stored, processed, and managed.

The FCA on Outsourcing:

Firms are reminded that they cannot delegate any part of their regulatory responsibility and/or accountability to a third party. As the FCA highlights, those looking to outsource are reminded of the regulatory obligations and requirements placed upon firms, these being:

• That operational risks associated with the use of third parties are appropriately identified and managed by the firm; and
• That includes undertaking due diligence before making a decision on outsourcing.

It should be noted that requirements will differ dependent upon firm type and the different types of function that may be outsourced, however, of specific importance will be whether or not the outsourced function is considered critical or important and whether it is material outsourcing or if it relates to important operational functions for authorised payment institutions and authorised electronic money institutions.

Next Steps for Firms:

Whilst the guidance is not exhaustive, or binding upon firms, the regulator expects that firms will ‘take note’ of the guidance and implement it, where appropriate, particularly when setting up and maintaining their systems and controls for IT and cloud outsourcing.

Thus it would be prudent for firms that use cloud services and other third party IT providers to review their records, processes and procedures to the FCA guidance. In particular, where critical or important operational functions or material outsourcing is occurring or being considered, that the business has clearly analysed the reasons for use of the service and provider and that these reasons are clearly documented and that ongoing risks are assessed and monitored.

Related Reading:

• FCA Consults upon Guidance for IT Outsourcing Arrangements & Cloud Services
• FG16/5: Guidance for firms outsourcing to the ‘cloud’ and other third party IT services
• GC15/6: Proposed guidance for firms outsourcing to the ‘cloud’ and other third-party IT services

Read our latest articles, news and views affecting compliance and regulation in the UK Financial Services Industry.