What is happening?
In November 2015, the Financial Conduct Authority ("FCA") issued its anticipated draft guidance to help firms and service providers understand its expectations when outsourcing to the cloud and other third party IT services ("Guidance").
The Guidance is in its consultation phase, with responses due by 12 February 2016. It is neither exhaustive nor binding, but it provides valuable insight into a previously unclear area. In particular:
- the FCA considers cloud services delivered on behalf of a regulated firm as outsourcing;
- the existing FCA rules on outsourcing therefore apply to the cloud; and
- it provides guidance on how these existing rules on (traditional) outsourcing apply in this new context.
Following completion of this phase, the FCA intends to publish final guidance on its website.
Since its creation in 2013, the FCA has campaigned for greater innovation and competition in the financial services sector based on the premise that this will create better financial services for consumers. So, it is no surprise that it is now focusing on promoting the use of (relatively) innovative digital technologies like cloud computing. This focus is very welcome; cloud computing has been around for years and other regulators (for example, in the US and the Netherlands) have either published guidance or approved the use of certain aspects of cloud computing in the financial services many years ago.
The FCA views the proper use of outsourcing to the cloud (and other third party IT services) as part of this campaign: it can help promote the emergence of new entrants (thereby reducing concentration risk issues where the market is dependent on a limited number of service providers) and encourage firms to look at more cost-effective ways to renew legacy IT systems (e.g. by replacing on-premise solutions with cloud-based ones which could lead to cost savings that could be passed down to consumers).
Another trigger for producing this more detailed Guidance is the FCA's recognition (following roundtable discussions with stakeholders) that whilst cloud services undertaken on behalf of a regulated firm may constitute outsourcing, the risks associated with these projects differ from traditional outsourcing projects (e.g. commoditised cloud services mean less scope for amendments). So, the existing rules will apply but the Guidance is designed to provide firms with help when considering how to apply them in the cloud context.
What does it cover?
The Guidance covers outsourcing to the cloud and other third party IT service providers ("service providers"). It sets out a detailed list of considerations for firms covering the full lifecycle from pre-contract tasks (e.g. evaluation of service provider suitability) to contract management (e.g. day to day service provider monitoring) and exit planning. The key principles underpinning these considerations are the identification and management of operational risks associated with using third parties.
Cloud is defined broadly: "private, public or hybrid cloud, as well as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)." On this definition most (if not all) cloud delivery models will be captured by the Guidance.
The FCA has set out 13 considerations.
The Guidance should not be read in isolation. Since the FCA has confirmed that cloud service offerings are a form of outsourcing, regulated firms (in addition to taking account of the Guidance) need to ensure that the terms they agree with service providers align with the general outsourcing requirements scattered throughout the FCA Handbook (including the specific provisions in the SYSC 8 chapter), either to comply with mandatory rules or to align with recognised best practice. In fact, some of the Guidance maps directly onto the SYSC 8 requirements (e.g. the guidance on effective access to data and business premises).
Legal and regulatory:
- Firms should undertake a variety of pre-contractual due diligence tasks (e.g. compiling a business case supporting the outsource and reviewing the contract to ensure it complies with the FCA's rules). This will enable firms to identify and resolve any issues at the outset in order to satisfy themselves that the outsource will not adversely affect operational risk.
- The firm should identify all the service providers in the supply chain and ensure that the firm's requirements can be complied with throughout the chain. This can be difficult in practice: for example, where a firm contracts with a SaaS provider that subcontracts hosting to a third party, the firm has no direct contractual relationship with the subcontractor and may struggle to obtain the comfort it needs (e.g. a right of access to the subcontractor's premises) to remain compliant with its own requirements.
Risk management / international standards / data security:
- These considerations cover activities which must be completed pre-contract and during the contract.
- Risk assessment: the recommendations cover pre-contract due diligence (e.g. a risk assessment prior to the outsource to identify issues and steps to mitigate them) and contract protections (e.g. contractual provisions for the prompt notification and remediation of breaches).
- Data security and standards: the FCA recommends a separate data security risk assessment covering both the firm's technology estate and the service provider. Linked to this, it states that it may be helpful, as part of pre-contract due diligence and ongoing contract management, for service providers to be compliant with applicable information security standards, the logic being that a service provider's adherence to (for example) the ISO 27000 series indicates robust data security processes. Certification is evidence of process, not a substitute for the firm's own assessment.
- One concern under the data security requirements is that the firm should have "choice and control regarding the jurisdiction in which their data is stored, processed and managed." Given the one-to-many model adopted by service providers (which often means the cloud provider will countenance only limited changes to its standard terms) and their "follow-the-sun" support model (under which data is often processed in many jurisdictions by support teams around the world), we suspect firms may face challenges in this regard, although many cloud providers do now agree to maintain customer data within specified jurisdictions only. Note that a data residency commitment for storage does not by itself address where support staff access the data from.
Oversight of service provider / data protection:
- These considerations relate to contract management.
- Since a firm cannot outsource its regulatory responsibilities it should ensure the contract includes appropriate mechanisms to allow it to quickly identify and deal with issues. For example:
- the firm should ensure its staff have sufficient skills to oversee and challenge service performance and properly manage exit to ensure a seamless transition in-house or to a replacement supplier; and
- the contract should include suitable arrangements for dispute resolution so issues are resolved at the lowest level quickly or escalated where appropriate.
- The Guidance reiterates that cloud outsourcing is subject to data protection law, and that the ICO's specific guidance on cloud computing applies.
- The Guidance does not attempt to elaborate on data protection obligations. More important, from a data protection perspective, will be the stricter contractual requirements that will be imposed by the General Data Protection Regulation.
- The General Data Protection Regulation has now been politically agreed and will apply from 2018, two years after its formal adoption. As well as requiring more detailed contractual provisions between controllers and processors, it will impose direct obligations on data processors for the first time and significantly increase the severity of potential sanctions.
Effective access to data / access to business premises:
- These considerations align with the FCA's existing rules in the FCA Handbook (i.e. SYSC 8.1.8(9)).
- Effective access to data: the FCA defines "data" widely to include "firm, personal, customer and transactional data".
- Access to business premises: this is often a hot topic with service providers who are sensitive to any access to premises such as data centres that will store many customers' data.
- It is clear that the FCA expects physical access to business premises (for firms where the FCA's requirements apply as rules, e.g. common platform firms), which could cause problems for service providers. However, there is room for manoeuvre: where service providers can show legitimate security concerns (for example, the risk that access by one customer creates to the data of others), they may be able to limit access to some sites (e.g. data centres) or offer alternatives such as independent audit reports.
Change management: firms should agree comprehensive procedures to govern changes so that new risks are not introduced as services are changed.
Continuity and business planning / exit plan: firms should have in place robust procedures to ensure continuity of service in the event of an unforeseen disruption to the outsourced services. This could include business continuity planning, step-in rights (if practical), identifying the appropriateness of insourcing activities and effective exit planning procedures to ensure seamless transition to a new service provider if necessary.
Resolution: the outsourced services should be organised in a way that does not create additional complexity or a barrier to the resolution or orderly wind-down of the firm.
One of the aims of the Guidance is to provide insight into how an innovative technology like cloud computing can be used by firms in a manner that is aligned with the existing regulatory rules applying to more traditional outsourcing projects. The FCA stated that, in the lead-up to publishing the Guidance, "we have been working to identify areas where our regulatory framework needs to adapt to enable further innovation…" The Guidance is a very welcome endorsement of the use of cloud, which should lead to greater uptake by firms which, in the absence of clear guidance, were reluctant to adopt cloud solutions. It aligns with the work being undertaken by the FCA's Project Innovate to support FinTech start-ups eager to understand the regulatory framework and provide services in the newly "digitised" financial services sector, while also providing much-needed clarity to financial services institutions looking for more certainty on how to plan their cloud strategy.