The Financial Conduct Authority (“FCA”) released proposed new guidance on cloud and other IT outsourcing in November. The guidance is in the consultation phase and the FCA has requested comments from interested parties.
The aim of the guidance is to provide clarity as to how existing rules and legislation relevant to FCA-regulated firms should be applied in relation to the outsourcing of any aspect of a firm’s activities to the cloud. It will therefore be of interest to all firms and service providers operating in, or considering entry into, FCA- regulated markets.
The final guidance, once published, will not be binding but should be taken into consideration as part of each firm’s wider obligations under the regime, which will vary depending on the nature of the operator. However, the FCA takes the stance that compliance with the guidance “will generally indicate compliance with the aspects of the FCA rule or other requirement to which [it] relates”.
Risks and duties when outsourcing to the cloud
The FCA adopts a broad definition of “the cloud”, using the term to mean any service provided over the internet and therefore encompassing, amongst others, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
When a regulated firm engages a third party to provide any services on its behalf, it is subject to specific obligations designed to ensure that the risk associated with outsourcing those services is recognised and managed.
The FCA recognises that outsourcing to or via the cloud carries a unique set of risks, because the firm no longer has direct control over the service and/or data involved. These include the possibility that customers will have less opportunity to personalise services to their needs, the risks associated with the transfer of data between different geographic regions and the potential for outsourcing of aspects of a service further down the supply-chain without a firm’s knowledge. The draft guidance addresses these risks.
Considerations when outsourcing
The guidance sets out a number of considerations within 13 “areas of interest” which will be relevant at different stages in the outsourcing lifecycle, from due diligence to post-termination.
Key themes include:
Risk management – firms should satisfy themselves that any proposed arrangement does not erode, impair or worsen the firms operational risk and plan for the management of those risks which are identified. Thought should also be given to the relative risks of different forms of service, for example public versus private or hybrid cloud.
Jurisdiction and access – firms should know which jurisdiction governs their contract and gain assurances as to the location and jurisdiction of the service provider’s premises. Firms, their
auditors and regulators must ensure they have effective access to data and to the provider’s physical premises.
Data security – as well as ensuring compliance with the Data Protection Act 1998, firms should have choice and control over the jurisdictions in which their data is stored and set this out in a data residency policy. The service provider must also agree to adhere to a data loss and breach notification regime which complies with the firm’s regulatory obligations.
Supply chain – the due diligence process must identify all the service providers in the supply chain and ensure that the regulatory requirements imposed on the firm can be complied with throughout the supply chain.
International standards – whist recognised external assurance, such as the ISO 27000 series, may inform a firm’s due diligence it should not be relied on to replace full investigations and ongoing monitoring. Third party audits will be relevant only where they are specific to the service provided – for example, an audit of the data centre the firm will be using for the provision of the services, not a similar data centre elsewhere.
Exit – firms must ensure that they can exit any arrangement without undue disruption and fully understand how any transition phase will operate. To this end, a well-documented and regularly rehearsed exit plan must be in place from commencement.
Deadline for feedback
If you would like to submit feedback on any aspect of the proposed guidance you may do so by email to firstname.lastname@example.org .The deadline for submissions is 12 February 2016.
The full consultation is available as a pdf at https://www.fca.org.uk/static/documents/guidance-consultations/gc15-06.pdf . The finalised guidance will be published in the FCA’s website.