Finalised FCA Outsourcing Guidance for IT & Cloud Services
7th July 2016
FCA Guidance: IT Outsourcing to Cloud and third parties
The Financial Conduct Authority today issued their finalised guidance for firms outsourcing to the ‘cloud’ as well as other third party IT services.
Today’s guidance from the regulator will be relevant to any firm that is authorised by the FCA. In particular, it will be of interest to those firms that either already outsource, or are considering outsourcing, to ‘the cloud’ as well as the outsourcing of other IT services to third parties.
According to the FCA’s guidance, whilst ‘Cloud’ is often interpreted differently and is thus a broad term, the regulator sees it as “encompassing a range of IT services provided in various formats over the internet”.
For example, this includes:
In providing their finalised guidance the FCA make clear they are aware that cloud services are “constantly evolving”, yet their aim is “to avoid imposing inappropriate barriers to firms’ ability to outsource to innovative and developing areas, while ensuring that risks are appropriately identified and managed.”
Whilst utilising cloud based services can provide a greater level of flexibility to firms, with a knock-on benefit for the firm’s customers and the wider market, the use of these services can also introduce risks that need to be identified, monitored and mitigated.
Largely, these risks will affect the level of control that the firm exercises as well as specific issues such as the security of data.
Those firms that use cloud services from a supplier may have less control over the supplier (such as the extent to which the service can be tailored to them) and over the data (such as where it might be stored).
Thus, the FCA’s guidance aims to help firms (as well as service providers) to understand the regulator’s expectations where cloud and other third party IT services are outsourced. The guidance provides a list of each area that should be considered by a firm during the preparation and evaluation for using such services, as well as the ongoing monitoring of third party services that are essential to the effective functioning of a firm’s business.
Respondents were required to submit their comments to the FCA’s November GC15/6 Consultation by 12th February 2016.
Whilst the regulator advises that the comments received required no substantial changes to be made to the proposed guidance, there were some areas where the FCA’s draft guidance was amended to make the regulator’s expectations clearer for firms.
Many of the comments submitted tackled the following issues:
One particular topic of interest to respondents was the FCA’s stance on the notification of breaches. Those within the industry were particularly concerned that the FCA’s requirement for providers to notify of “any breaches” would be too onerous, with respondents suggesting that “a threshold for breach notification should be determined”.
However, the FCA responded that they “consider that requirements for the notification of breaches to the firm to be an important part of risk management.”
They continued to explain that “While we accept that the wording in the guidance is high-level, we consider that the current wording gives firms some scope to agree with the provider exactly what constitutes a breach (which is generally not a defined term in our rules) or other relevant events, in the context of the service being provided.”
Another topic that received particular comment was the jurisdiction of data storage, processing and management.
The FCA guidance states that firms should have “choice and control” over the jurisdictions in which their data is held. However, commentators thought that this would be impractical and risk stifling innovation since many providers might not be able to allow firms to have full control of this. As a result, the FCA have altered the Finalised Guidance to instead require firms to agree a ‘data residency policy’ with the provider that sets out the jurisdictions where the firm’s data can be stored, processed, and managed.
Firms are reminded that they cannot delegate any part of their regulatory responsibility and/or accountability to a third party. As the FCA highlights, those looking to outsource are reminded of the regulatory obligations and requirements placed upon firms, these being:
It should be noted that requirements will differ depending upon the firm type and the type of function that may be outsourced. Of specific importance will be whether or not the outsourced function is considered critical or important, whether it is material outsourcing, or whether it relates to important operational functions for authorised payment institutions and authorised electronic money institutions.
Whilst the guidance is not exhaustive, or binding upon firms, the regulator expects that firms will ‘take note’ of the guidance and implement it, where appropriate, particularly when setting up and maintaining their systems and controls for IT and cloud outsourcing.
Thus it would be prudent for firms that use cloud services and other third party IT providers to review their records, processes and procedures against the FCA guidance. In particular, where critical or important operational functions or material outsourcing is occurring or being considered, the business should have clearly analysed the reasons for using the service and provider, documented those reasons, and put in place ongoing assessment and monitoring of the risks.
Comment from the FCA:
“This guidance is intended to help all firms to effectively oversee all aspects of the life cycle of their outsourcing arrangements: from making the decision to outsource, selecting an outsource provider, and monitoring outsourced activities on an ongoing basis, through to exit.”
FCA, FG 16/5 July 2016
FCA on Outsourcing:
“Where a third party delivers services on behalf of a regulated firm – including a cloud provider – this is considered outsourcing and firms need to consider the relevant regulatory obligations and how they comply with them.”
FCA, FG 16/5 July 2016
FCA on Data Jurisdictions:
“We want to ensure firms are able to determine which jurisdictions their data are held but we recognise that many cloud providers are not able to allow firms full control of this. In light of this, we have modified our guidelines, to make clear that firms should agree a data residency policy with the provider, which sets out the jurisdictions where their data can be stored, processed, and managed”.
FCA, FG 16/5 July 2016