In July the FCA produced its final guidance, following on from its draft guidance published last November (GC 15/6) (the "Guidance").
The purpose of this Guidance is to clarify the requirements on firms when outsourcing to the ‘cloud’ and other third-party IT services. The Guidance deals with various stages of the life cycle of an outsourcing arrangement, from making the decision to outsource, selecting an outsourced provider, and monitoring outsourced activities on an ongoing basis, through to exit.
The FCA confirms that "where a third party delivers services on behalf of a regulated firm – including a cloud provider – this is considered outsourcing and firms need to consider the relevant regulatory obligations and how they comply with them".
Firms are reminded that they retain full responsibility and accountability for discharging all of their regulatory responsibilities. Firms cannot delegate any part of this responsibility to a third party.
One change from the draft Guidance is that instead of firms having "choice and control" regarding the jurisdiction in which the firm's data is stored, processed and managed, the finalised Guidance now makes reference to a data residency policy. The FCA wants to ensure firms are able to determine in which jurisdictions their data is held, but recognises that many cloud providers are not able to allow firms full control of this. The FCA now suggests firms should agree a data residency policy with the provider, which sets out the jurisdictions where their data can be stored, processed and managed. Providers will have discretion over where to store data as long as this is in line with what has been agreed in the policy.
In relation to access to business premises, the FCA has clarified its view that "business premise" is a broad term which may include head offices and operations centres, but does not necessarily include data centres.
Some respondents to the consultation challenged the FCA's position that an outsourcing arrangement should be entered into only when "it does not erode, impair or worsen the firm's operational risk". The respondents argued that an outsourcing arrangement should be permitted as long as it fits within the firm's risk appetite, which may not necessarily mean that operational risk does not worsen. The FCA refused to change its position on this.
The finalised Guidance is a useful checklist of areas that firms should consider in relation to outsourcing to the cloud and other third-party IT services.
The Guidance can be viewed here.