The FCA Guidance Consultation 15/6 consults on proposed guidance to clarify various requirements imposed on firms when outsourcing to the 'cloud'. The proposed guidance is the FCA's response to uncertainty about how the FCA applies its rules to outsourcing to the cloud. The proposed guidance would not be binding on firms; however, the FCA would expect firms to take note of it and use it to inform their systems and controls on outsourcing.
The proposed guidance applies to all firms dealing with the FCA, including those authorised under Part 4A of the Financial Services and Markets Act 2000 (FSMA), and those licensed under other regimes such as the E-Money Regulations 2011. It will also be of interest to those firms that currently provide outsourcing services, or are interested in doing so. The FCA stresses that this proposed guidance is not exhaustive and should not be read in isolation. However, complying with the proposed guidance will generally indicate compliance with the aspects of the FCA rule or other requirement to which the proposed guidance relates.
The high-level regulatory obligations on outsourcing require a firm to appropriately identify and manage the operational risks associated with its use of third-party outsource providers, including undertaking due diligence before making a decision on outsourcing.
The FCA has identified the following primary risks associated with outsourcing to the cloud:
- The commoditised nature of many cloud services means cloud customers have less scope to tailor the service provided;
- The movement of customer data (in some cases, the customer can specify the geographic region in which their data must remain); and
- Firms using outsource providers who may contract out part of the service to other cloud providers, without customers initially being aware of the contracting out.
This proposed guidance is intended to help firms effectively oversee all aspects of the life cycle of their outsourcing arrangements. This covers making the decision to outsource, selecting an outsource provider, the ongoing monitoring of its outsourced activities and exiting an outsourcing arrangement.
The FCA is consulting on the guidance for a period of three months; responses are required no later than 12 February 2016.
The outsourcing regulatory requirements on firms
The FCA acknowledges that, although firms have different requirements for outsourcing, which are determined by the type of function being outsourced, the outcome that firms are expected to demonstrate and evidence is the same.
The outcome depends on whether the function being outsourced:
- Is critical or important - where a defect or failure in the performance of the outsourced function would materially impair the continuing compliance with the conditions and obligations of the firm's authorisation and/or regulatory obligations, its financial performance or the soundness or continuity of its services and activities;
- Is a material outsourcing - where a weakness or failure of the services would cast serious doubt upon the firm's continuing satisfaction of the threshold conditions or compliance with the Principles for Businesses (PRIN); or
- Relates to important operational functions (for authorised payment institutions and authorised electronic money institutions) - when a defect or failure in performance would materially impair the authorised institution's compliance with the Electronic Money Regulations 2011 or the Payment Services Regulations 2009; its financial performance or the soundness or continuity of the authorised institution.
FCA suggested areas for consideration in outsourcing
In the Guidance Consultation, the FCA sets out a number of areas for firms to consider when outsourcing. Some of the key areas are summarised below:
- Legal and regulatory considerations - Firms should ensure that the outsourced service is suitable for the firm; that they identify all service providers in the supply chain and ensure that the requirements on the firm can be satisfied throughout the chain; and that they know whether their contract with an outsource service provider is governed by English law and subject to the jurisdiction of the UK.
- Risk management - Firms must identify and manage any risks introduced by their outsourcing arrangements, by carrying out risk assessments and identifying steps to mitigate those risks. Firms must also provide for remediation of breaches in their contract with the outsource provider. The proposed guidance does not specify whether specific performance of the obligations should be possible.
- Oversight of service providers - Firms retain full responsibility for discharging all of their regulatory responsibilities and they cannot delegate responsibility to the service provider. Therefore, the firm must be clear about the service being provided and the responsibility and accountability of the firm and its outsource service provider in the arrangement.
- Data security - Legal and/or regulatory data protection requirements may arise as a result of the outsourcing agreement, particularly if there is a transfer of sensitive customer information to the cloud. Firms should carry out security risk assessments to ascertain whether such risks exist and how they can be mitigated. In the event that sensitive customer data is transferred between a firm and its outsource provider, both parties must ensure that they remain compliant with the Data Protection Act 1998. Firms must maintain a data residency policy, which states where their data can be stored, and know how their data will be segregated, transmitted and encrypted by the outsource service provider.
- Effective access to data (including firm, personal, customer and transactional data) and business premises (including head office, operations premises and data centres) - Specific regulatory requirements require effective access to data and business premises for regulated firms, their auditors and regulators. These requirements apply whether or not the contracts are subject to English law and UK jurisdiction. To achieve this, the FCA recommends that firms ensure there are no restrictions on the number of requests the firm, its auditor or the regulator can make to access the premises or data. However, the FCA has allowed service providers, for legitimate security reasons, to limit access to sites such as data centres. Similarly, regulator visits can be qualified so that they only take place if the regulator deems them necessary and required under applicable legal and regulatory requirements. This is a significant and practical concession to the demands of cloud outsourcing firms.
- Exit plan - Firms must be able to terminate an outsourcing arrangement without undue disruption to their provision of services. The FCA suggests that a firm must have a clear termination plan in place, which includes a comprehensive post-compliance obligation on the service provider, to ensure a smooth transition to an alternative service provider. It also states that a firm should be able to remove its data from the service provider's system on exit and transition to an alternative service provider.
This represents a positive step by the FCA to support innovation in the financial sector, but it does not address the issue of auditing the cloud, a space which is largely unquantifiable. This may interfere with the rights of customers. For example, as noted under 'Effective access to data' above, firms must ensure that the regulator and auditors have access to their data. However, data stored in the cloud cannot easily be segregated from other customers' data.