The FCA have now published their guidance on outsourcing to the cloud for financial services organisations in the UK. This guidance, which follows on from a consultation exercise which took place at the start of the year, sets out the requirements for regulated entities when using the cloud.
The guidance supports use of the cloud, and recognises the benefits it can bring to banks, consumers and the wider market. It also brings welcome clarity to certain areas which will be useful in both managing expectations and negotiating contracts - whether acting for banks or suppliers.
However, there is no escaping the fact that additional time and resources will be needed, both to justify the decision to use the cloud in the first place, and to agree the contract itself. There is now a series of definite steps which banks and other organisations will need to follow before they can safely use the cloud.
Chief among them is the need to carry out due diligence and be satisfied that use of the cloud does not worsen their operational risk, which will include comparing the risks of using different "flavours" of the cloud. There are also detailed requirements around understanding and being satisfied with the entire supply chain, and reviewing the legal risks of using services in different jurisdictions, which will mean additional upfront work when shortlisting suppliers.
In addition, the contract itself will need to contain provisions around audit rights, change management, access to premises and remediation of breaches which go beyond what is typically offered in the marketplace today. No doubt suppliers will look to respond to these requirements in different ways, which will create a further opportunity for competitive advantage and differentiation.
This guidance will now form the basis of negotiation and contracting strategies, and both customers and suppliers will need to update their policies and documentation accordingly.