The FCA has recently published draft guidance for firms outsourcing to the cloud and other third party IT services. This comes as part of the FCA's work on "Project Innovate" which aims to tackle issues stifling innovation within the regulatory sector. In doing this, the FCA hope to make it easier for banks, insurers and other financial services institutions to undertake innovative projects by highlighting the operational risks involved and enabling firms to put appropriate safeguards in place.

In the guidance, the term 'cloud' is defined widely, encompassing a range of different IT services provided in various forms over the internet. Importantly, the guidance concludes that where a third party provides services to a regulated firm over the cloud, that is still 'outsourcing'. The FCA comments that if firms have proper regard to the risks highlighted, there is no reason why cloud services cannot be implemented in compliance with the FCA's rules.

The guidance identifies a number of risks that affect the degree of control exercised by a firm, namely:

  • that cloud customers may have less scope to tailor the service provided;
  • that cloud customers may also have to accept that cloud service providers will move their data around; however, in some cases cloud customers may be able to specify the overall geographic region in which their data is stored; and
  • that firms should consider the risks associated with outsourced service providers who may contract out part of their operation to other cloud providers. This may occur without firms realising.

The guidance goes on to provide information on a number of areas that a firm should consider during the lifecycle of any outsourcing of IT services that is essential to the core functioning of the business. These include:

  • Legal and regulatory considerations – in particular firms should ensure that the outsourced service is appropriate to meet the firm's regulatory requirements. In addition it urges that firms should identify whether their contract is governed by English law and subject to UK jurisdiction and in any event should ensure effective access to data for the firm, its regulator(s) and auditors.
  • Risk management – firms should identify and manage any risks introduced by their outsourcing arrangements. This will include carrying out a risk assessment to identify relevant risks and identifying steps to mitigate them. Firms should make provision in the contract for effective remediation of any breaches.
  • Oversight of service provider – even during the outsourcing process firms retain full accountability for discharging all of their responsibilities under the regulatory system. Therefore, firms should ensure that they are clear about the service being provided and where responsibility and accountability between the firm and its service provider begin and end.
  • Data security – firms should carry out a security risk assessment that includes the service provider and the technology assets administered by the firm.
  • Data Protection Act – outsourcing arrangements should be compliant with the DPA.
  • Effective access to data – there are specific regulatory requirements that govern access to the data held by outsourced providers for regulated firms, their auditors and regulators.
  • Access to business premises – specific regulations require physical access to business premises of third party service providers for firms, their regulators and auditors.  ‘Business premises’ in this context can include head offices, operations and data centres.  Therefore it is important to identify which business premises are relevant for effective oversight. The FCA recommends that the right to access these premises should not be restricted except in specific circumstances such as for legitimate security reasons.
  • Relationship between service providers – firms should review sub-contracting arrangements to ensure that these enable them to continue to comply with their regulatory duties. 
  • Change management – firms should be mindful of the risks that can be introduced when changes are made to processes and procedures. To this end firms should have in place an effective change management process that considers what provision has been made for future changes to technology services, as well as how to test any changes that take place.
  • Business continuity – a firm should have in place appropriate arrangements to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption.
  • Exit plan – firms need to have in place plans to exit outsourcing arrangements that do not cause excessive disruption to the provision of services and enable compliance with their regulatory regimes.

The draft guidance provides some useful practical guidance as well as clarifying some of the legal issues that are of concern to firms.  However, the relatively 'high level' of the proposed guidance means that firms will still have to work out for themselves how to assess and manage the risks involved in buying services that utilise the cloud.

The FCA has invited feedback on the proposed guidance by 12 February 2016. After this date the FCA intends to publish the final guidance on its website.