A new proposed guide from the FCA has clarified ways in which regulated firms can outsource to the cloud safely and responsibly. Broader than the guidance issued in the FCA’s July 2014 paper, Considerations for firms thinking of using third party technology (off the shelf) banking solutions, these proposals deal specifically with cloud solutions and any additional associated risks. It is intended to assist firms in overseeing the “life-cycle of their outsourcing arrangements”.

No fundamental reason why cloud services cannot be implemented

This has been a long time coming. The FCA has highlighted the key regulatory, data protection, security and business continuity issues that regulated firms should consider when procuring cloud computing. “Cloud” is defined widely as “a range of IT services provided in various forms over the internet” and the FCA notes that, provided “appropriate consideration” is given to such risks, there is “no fundamental reason why cloud services cannot be implemented” by a regulated firm in compliance with the FCA’s rules.

The guidance is also of relevance to new entrants in the UK banking market, cloud providers and their respective advisors.

Risks need to be identified, monitored and mitigated

The guidance sets out a non-exhaustive list of areas of interest for a firm to consider and corresponding obligations it will need to undertake to discharge its oversight obligations. This should be viewed as supplementary to a firm’s regulatory responsibilities. While not binding, the FCA’s view is that compliance with the guidance is likely to indicate compliance with the FCA rule or requirement to which it relates.

Three key risk areas

  1. Even if a contract relating to a UK regulated firm is not subject to English law or jurisdiction, the firm must ensure that it, its auditors and the FCA have effective access to its data (including firm, personal customer, transactional and HR vetting procedures and audit trails);
  2. Firms must also have access to their cloud provider’s business premises (including those of its affiliates). Whilst this does not require access to all of such provider’s premises such as data centres and, subject to FCA visits being necessary and required under applicable law, this will go some way to address the perceived lack of transparency over the use of a firm’s data by cloud providers.
  3. Firms must implement properly documented and regularly “rehearsed” exit plans to provide them with a smooth passage out of the outsourcing without undue disruption to their business, whilst ensuring continuous regulatory compliance.

The sky’s the limit, as long as risks are proportionally managed

The FCA’s aim is to encourage innovation by avoiding imposing unnecessary barriers to firms procuring such technology while ensuring risks are properly identified, monitored and mitigated.