What does the guidance cover?
The guidance builds on the FCA’s existing approach. The FCA defines outsourcing as a third party delivering services on behalf of regulated firms, and the term 'cloud' includes different IT services supplied over the Internet. The benefits of outsourcing include cost efficiency, flexibility and increased security. However, there are also associated risks such as the customer's lack of control over the supplier and where the data is being stored. The FCA provides guidance on how to monitor and mitigate these risks.
Who needs to comply with it?
The guidance is not binding but aims to help firms and service providers find ways in which they can comply with the relevant rules.
The guidance affects firms that are currently outsourcing to the cloud and other third party IT services or those that are thinking of doing so.
What do FCA-regulated entities need to do/think about when using cloud services?
Legal and regulatory considerations – the FCA states that a firm should have a “clear and documented business case or rationale” to support the outsourcing of critical or important operational functions. A firm should also ensure that the service is suitable for the firm, taking into account relevant legal or regulatory obligations, as well as ensuring that by entering into an outsourcing agreement it does not worsen the firms operational risk.
In addition, firms must maintain accurate records of contracts, and consider the effect of contractual governing law and jurisdiction as well as any additional legal or regulatory obligations on its arrangements with the cloud provider. A firm should also identify all the service providers in the supply chain and ensure that the requirements on the firm can be complied with throughout that chain.
Risk Management – in order to manage any risks arising in an outsourcing agreement, firms should carry out a risk assessment to identify risks and any steps that can be taken to mitigate such risks. The risk assessment should include: identifying current industry good practice and reviewing whether legal and regulatory risk differ due to customers, firms and employees in different geographic or jurisdictional locations. Firms should also assess the overall operational risks and ensure that the contracts provide for the remediation of breaches and other adverse events.
International standards – firms may also wish to assess the provider’s adherence to international standards. For example, does the provider comply with well-understood standards? (e.g. the ISO 27000 series) Is part of the service being assessed relatively stable? Is the service uniform across the customer base?
Oversight of service provider – firms should be aware that they will retain full accountability for discharging all their responsibilities under the regulatory service and it cannot delegate responsibility to the service provider. Therefore, before outsourcing, a firm should be clear about the service being provided and how responsibility and accountability between the firm and its service provider is allocated. Staff should have the skills, competency and resources to oversee, monitor and mitigate any risks, as well as being able to properly manage an exit or transfer from an existing service provider.
Data security – firms should conduct a data security assessment of the service provider which would include agreeing a data residency policy with the provider, setting out the jurisdictions in which the firm's data can be stored, processed and managed. This policy should be reviewed periodically. The data security assessment would also help to understand the provider’s data loss and breach notification process and ensure they are aligned with the firm’s risk appetite and legal or regulatory obligations. Firms should also consider how the data will be segregated, transmitted, stored and encrypted as necessary.
Data Protection Act (DPA) 1998 – a firm should comply with each of the 8 principles of the DPA, as well as the guidance provided by the ICO on cloud computing (PDF).
Effective access to data and business premises – a firm should have effective access to data and the business premises of the service provider in order to successfully conduct its monitoring. 'Business premises' is a broad term, but the guidance states that this does not necessarily include data centres. Further to this, a firm should ensure that notifications on accessing data are reasonable and not restrictive. The firm should also ensure that there are no restrictions on the number of requests the firm, its auditor or the regulator can make to access or retrieve data. When a firm is seeking to access business premises, it should provide reasonable prior notice and may ask its auditor to undertake the visit. The regulator should also have access to the premises but only if it is necessary. Firms should also ensure that data is not stored in jurisdictions that may hinder access to data for UK regulators.
Relationships between service providers – if the firm does not directly contract with the outsource provider, the firm still needs to ensure that it continues to comply with regulatory requirements. A firm should therefore review its subcontracting arrangements, consider security requirements and ensure that it will still have effective access to data and business premises. The firm should also consider how service providers work together - will the firm or one service provider take the lead systems integration role? A firm should assess how easily a service provider's service will interface with a firm's internal systems or other third-party systems.
Change management – risks can be introduced when changes are made to processes and procedures. A firm should therefore look to establish what provisions can be made for making future changes to technology
Continuity and business planning – where there is an unforeseen interruption of the outsourced services, a firm should consider the impact of the unexpected disruption to the continuity of its operations. A firm could also document its strategy for maintaining continuity of operations and regularly update and test arrangements to ensure their effectiveness. It would also be wise to put in place arrangements to ensure the regulator has access to data in the event of unexpected disruption.
Exit plan – an effective outsourcing plan will minimise disruption of services whilst still complying with regulations. A firm should be aware of how it would transition to another provider whilst maintaining business continuity. An exit plan and termination agreement would document how the firm would remove data from the system, monitor concentration risks and what action would be taken if the outsource provider failed.
In summary, the guidance is a step in the right direction in aiming to help regulated firms adopt the cloud in a safe and compliant way. The guidance also provides a useful standard for regulated firms to base their discussions with a potential cloud provider. For example, the cloud provider will be aware of what restrictions it can put in place when there is an audit, as well as the access requirements of regulators. Cloud providers will also be aware of the compliance requirements imposed on their FCA regulated customers, and will therefore be able to consider how it can facilitate compliance.