On 7 July 2016, the Financial Conduct Authority (FCA) published its finalised guidance (the Guidance), “FG16/5 - Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services”. The Guidance aims to clarify the requirements on firms when outsourcing to the cloud and other third-party IT service providers. It is intended to help all firms effectively oversee all aspects of the lifecycle of their outsourcing arrangements, from making the decision to outsource, selecting an outsource provider and monitoring outsourced activities on an ongoing basis, through to exit. Complying with the Guidance will generally indicate compliance with the FCA outsourcing requirements, although there will still be issues for firms in achieving compliance, for example when using providers standard terms of business, and some firms (and providers) may have hoped that the Guidance would have gone further in some areas.
The FCA considers that while cloud based services can provide increased flexibility to firms, the use of these services also presents risks which need to be identified, monitored and mitigated. The risks include the level of control the firm exercises over the outsourced service and data security. To address this, the Guidance provides a list of each area that should be considered by a firm during the preparation and evaluation for using such services, as well as the ongoing monitoring of third party services that are essential to the effective functioning of a firm’s business. Data security aspects will be particularly important in light of the GDPR and the Guidance signposts data protection compliance, reiterating that the requirements must be met separately from FCA rules.
What is the ‘Cloud’?
In the Guidance, the FCA states that it sees the cloud as encompassing a range of IT services provided in various formats over the internet. This includes private, public and hybrid cloud, and the key cloud service categories Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Importantly, the FCA confirmed that they see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with its rules. This is stated as being in line with the FCA’s desire to of avoid imposing inappropriate barriers to firms' ability to outsource to innovative and developing areas, while ensuring that risks are appropriately identified and managed.
In its response to the Guidance Consultation, the British Banking Association (BBA) requested that the FCA reconsider the appropriateness of considering all cloud services under the generic category of IT outsourcing for the purposes of SYSC 8. In the Guidance, the FCA did not amend the wording that “where a third party delivers services on behalf of a regulated firm - including a cloud provider - this is considered outsourcing”. This usage of “outsourcing” is different to the definition in the FCA handbook, which defines outsourcing as “an arrangement of any form between a firm and a service provider by which that service provider performs a process, a service or an activity which would otherwise be undertaken by the firm itself”. It is also not clear whether “on behalf of” is intended to be distinguished from delivering services “to” a regulated firm. In principle, everything from a product support for an application on a firm’s systems to a full infrastructure as a service solution could be categorised as an outsourcing. Where there is an outsourcing, firms still need to determine the applicable regulatory obligations and the key consideration for the application of regulations, and this Guidance, remains whether the outsourcing is “critical or important” (as defined in SYSC 8.1.4), or (for authorised payment institutions and authorised electronic money institutions) relates to “important operational functions” under the Electronic Money Regulations 2011 and the Payment Services Regulations 2009. This will by necessity result in the inclusion of appropriate contractual provisions in agreements between firms and service providers, as well as requiring due diligence, governance, monitoring and supervision by the firm through its own activities and processes.
The Guidance also takes into account responses from the consultation held by the FCA after it released the Guidance Consultation in November 2015. In its response to the feedback, set out in the Annex to FG16/5, the FCA states that it does not consider that substantial changes to the draft guidance consulted on are required. However, in some areas, the FCA amended the draft guidance to clarify its expectations.
Some of the main discussion points include the following:
Several respondents, including the BBA, felt that firms should be allowed to determine the most appropriate way of addressing operational risk and have the freedom to set their own risk appetites within reason. The BBA went as far as to say that the “only limiting factor for risk acceptance should be the threshold of the law”. However the FCA confirmed that they would not be modifying their guidelines stating that firms need to take reasonable steps to ensure that outsourcing arrangements “avoid undue additional operational risk” in line with the FCA’s Senior Management Arrangements, Systems and Controls sourcebook (SYSC).
Notification of Breaches
The FCA noted that many respondents believed that the expectation on firms to notify the FCA of “any breaches” was unduly burdensome with some requesting that a threshold for breach notification be determined. In particular, the BBA requested that the wording should focus on breaches which may indicate a risk for the security of the firm’s data or operations rather than simply “any breaches and other relevant events”. Although the FCA stated that they consider the notification requirement to be “an important part of risk management”, it confirmed its belief that the current wording gives firms some scope to agree with the provider exactly what constitutes a breach in the context of the service being provided.
Another concern for both providers and firms, including the BBA, was the requirement that firms should have “choice and control” over the jurisdictions in which their data is held. Many respondents felt that this was impractical and risked stifling innovation since many providers might not be able to allow firms to have full control of this. As a result, the FCA altered the Guidance to instead require firms to agree a ‘data residency policy’ with the provider that sets out the jurisdictions where the firm’s data can be stored, processed, and managed.
Access to Business Premises
The FCA noted the BBA’s concerns that the expectation of a firm having physical access to a provider’s premises, in particular to their data centres, was impractical and that users could not ensure that this provision was contained in their contracts with providers. In response, the FCA amended their Guidance to highlight the relevant SYSC rules that firms need to take into account, and to clarify that their view is that ‘business premises’ is a broad term which may include head offices, operations centres, but does not necessarily include data centres.
Given its support for greater innovation and competition, it comes as no surprise that the FCA is seeking to facilitate the use of innovative digital technologies like cloud computing. The Guidance is useful as it confirms that, generally, the FCA sees no fundamental reason why cloud services cannot be implemented in a manner that complies with its rules. It also aligns with the work being undertaken by the FCA's Project Innovate, which was developed by the FCA to foster competition and growth in financial services by supporting businesses developing new products and services that could benefit consumers, providing clarification for FinTech start-ups seeking to understand the financial services regulatory framework.
Clarity on the FCA’s attitude to the ‘cloud’ should also provide comfort to cloud service providers looking to enter the sector, reducing the concentration risk highlighted by both the FCA and respondents. It should also increase uptake amongst firms who, in the absence of clear guidance, were reluctant to adopt cloud solutions, and encourage firms to consider using cloud technology to replace old and archaic IT systems.
Although not binding on firms, the FCA expects that firms will “take note” of the Guidance and implement it, where appropriate. Therefore firms seeking to use cloud service and other third party IT providers should refer to the Guidance when planning their IT strategy.