The Financial Conduct Authority (FCA) recently published its long-awaited guidance on the use of Cloud services by regulated firms (the Guidance).

We should stress that the Guidance does not serve to replace the existing regulatory framework (including the requirements of the FCA Handbook (SYSC 8), the Data Protection Act, and the PRA Rulebook).  Rather it is intended to serve as:

  • guidance on the regulatory requirements as they apply to Cloud services
  • a set of practical recommendations for firms to consider when implementing Cloud solutions

For this reason the Guidance represents a significant step forward in the ability of firms to confidently adopt cloud-based IT services.

Key themes of the new FCA guidance on Cloud services

The FCA Outsourcing requirements (and the PRA Rulebook in the case of dual-regulated firms) have always been interpreted as being technology neutral – that is to say that the rules specify:

  • mandatory, high-level requirements
  • applicable to Common Platform Firms2
  • when outsourcing critical or important functions
  • whether for traditional on-premise solutions or for Cloud services, including services referred to as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).3   

Helpfully, the FCA paper confirms this rationale; it goes on to consider a number of key themes and provides practical guidance designed to help firms assess risks and define appropriate mitigation strategies.

Barriers to adoption

Cloud solutions offer a number of commercial benefits when compared with traditional data centre models – they are flexible and scalable, and can be rapidly deployed with little upfront investment.  By the same token they can be ramped-down or cancelled on short-notice and without punitive cancelation charges.

With the positives come certain negatives – Cloud solutions are typically provided from multi-tenanted data centres and customers rarely have any ability to vary the fundamental nature of the offering, or the underlying terms and conditions. 

Few Cloud offerings are built from the ground-up for European financial institutions.  As such vendors’ stock security policies, access and audit restrictions (combined with their ability to unilaterally vary terms of service) present considerable challenges from a regulatory standpoint.

Whilst it is fair to say that there has been recent acknowledgement of these concerns on the part of the major Cloud service providers, in the absence of clear guidance from the FCA (and in the era of heightened regulatory oversight), adoption has been conservative.

As a result, financial institutions have been wary of hosting critical production workloads in the public Cloud, instead:

  • limiting use to non-sensitive applications (such as external websites) or test and development environments, or
  • deploying hybrid or private Cloud solutions which offer few benefits over traditional data centre models.

Get Cloud-ready with our tailored workshops

Whilst the commercial and technological benefits of Cloud services are well publicised, the restrictions imposed by standard Cloud delivery models have left financial institutions uncertain of the regulatory boundaries and have limited universal adoption.

As such, the Guidance comes at a critical time and we expect this welcome injection of clarity to prompt CIOs and CTOs of regulated firms to fundamentally review their approach to cloud-based IT services.

Following on from its recent Cloud Study and in order to address the challenges and opportunities highlighted above, Eversheds is launching a range of tailored Cloud Readiness Workshops for financial institutions.  The workshops will help clients:

  • assess the suitability and compliancy of existing Cloud arrangements
  • develop or refine strategies for future Cloud deployments.

Eversheds will work closely with in-house counsel, data privacy officers, security specialists, procurement teams and internal compliance functions to review policies and procedures and map compliance against regulatory requirements.

FCA consultation period: have your say by 12 February 2016

The consultation process affords regulated entities and Cloud service providers an opportunity to comment on the FCA Guidance.  Any comments will be taken into consideration when the FCA issues its final position on the topic.