July 7, 2016, saw the UK’s Financial Conduct Authority (FCA) publish fresh guidance in order to clarify the requirements which apply to the financial services firms it regulates when outsourcing to the cloud. When the FCA talks about the cloud, it is referring to the full range of cloud solutions which have evolved (such as private, public and hybrid cloud) as well as the various “X as a Service” solutions such as IaaS (infrastructure), PaaS (platform) and SaaS (software).
The FCA makes clear that although the guidance is not binding, when considered in the context of the regulatory system as a whole , it does illustrate how firms can comply with the relevant rules. The FCA expects to see firms taking note of the guidance and using it, where appropriate, to inform their systems and controls on outsourcing. Dual regulated firms (e.g. banks) will, in addition, need to confirm the position of the Prudential Regulation Authority (PRA) in relation to firms outsourcing to the cloud. Auditors of financial services firms are also expected to pay attention to the guidance.
Even though cloud solutions can introduce new risks, and may result in a customer having less control (by having to accept the standard service offering, as compared with traditional outsourcing models), the FCA says that it sees no fundamental reason why firms cannot implement cloud services in a compliant manner, and that it has successfully supported new and existing firms to implement such solutions.
At just 17 pages, the guidance is relatively easy to digest, will no doubt become required reading for firms and their suppliers, and will be used as leverage in negotiations, especially where a cloud supplier has not, previously, been willing to change its standard terms. Cloud suppliers of course will still want to push back against departing from standard provisions, especially where those positions reflect the underlying deal economics and drivers, for example, where efficiencies achieved through scaling across a multi-customer platform require a standard solution and set of service levels.
One area which will require more attention is that of due diligence due to the onus that the FCA places on a firm ensuring that its operational risk is not made worse though the adoption of a cloud solution. Firms are still expected to notify the FCA prior to entering into material outsourcing and, where an outsourcing involves the cloud, firms will no doubt need to discuss with the FCA their views about the impact on their operational risk. Firms will also need to undertake due diligence to ensure they have an adequate understanding of the entire supply chain (i.e., the arrangements that the cloud provider has with other service providers whose services, such as data hosting, form part of the cloud solution), as well as reviewing legal risks where services are provided from other jurisdictions. Turning to the contract, provisions which will need to be looked at, in view of the guidance, include:
- data security, including having a data residency policy which governs where data can be stored, processed and managed;
- change management, with particular reference to risks which can be introduced where changes are made to processes and procedures;
- audit rights, access to data (including system and process data) and access to premises, including access by the regulator;
- oversight and dispute resolution; and
- termination arrangements, including ensuring that there is a tested exit plan in place which is sufficient to enable a firm to transition away without undue disruption to their provision of services, or their compliance with the regulatory regime.
Where applicable, the contract should provide that neither a firm’s entry into resolution—the process by which the HM Treasury, the Bank of England, the PRA and the FCA can intervene to manage the failure of a firm—nor a subsequent change in control shall constitute a termination event. Services should be organised in such a way that they do not become a barrier to a resolution or orderly wind-down of a firm.
The FCA states that the guidance is cognizant of the current UK and EU regulatory framework and that it will keep a watching brief to see if any changes are required as that framework changes, including those consequent on Brexit.