Finalised guidance from the FCA on firms outsourcing to the cloud and other third party IT services

Written on 22 Aug 2016

As we previously reported, in November 2015 the Financial Conduct Authority published draft guidance setting out its requirements for regulated firms who use cloud and other third party IT services.

Following a consultation phase, the FCA has now published its final guidance, alongside a summary of the responses and feedback on the draft guidance.

While the FCA has not made substantial changes to the guidance and the FCA’s main messages on the use of cloud remain intact, it has made a few notable clarifications to its previous position. We highlight below the main areas of clarification and the impact of these on regulated firms’ use of cloud services.

Definition of cloud

The FCA has declined to clarify how the guidelines apply to different forms of cloud service. Instead it emphasises that regulated firms should continue to assess services on a case-by-case basis to decide whether they are critical, important or material to them.

Location of the cloud

The FCA has backtracked slightly in relation to a regulated firm’s degree of control over the location of the cloud services. Previously, a regulated firm was required to have choice and control over the jurisdictions in which the cloud provider could store and process data. The updated guidance states that a regulated firm should agree a data residency policy with the provider, setting out the jurisdictions where data can be stored, processed and managed.

However, when deciding on the permitted jurisdictions, a regulated firm should not use cloud providers who store data “in jurisdictions that may inhibit effective access to data for UK regulators”. The regulated firm should also consider the political and security stability in the relevant jurisdiction.

The previous position was largely impractical and the FCA is now highlighting the importance of transparency, rather than complete control on the part of the regulated firm. This updated approach is more in line with market practice and is likely to be welcomed by regulated firms. However, it still envisages regulated firms exercising more control over the jurisdiction in which the services are provided than is necessarily standard for some cloud offerings.

Access

The guidance states that a regulated firm, its auditors and the regulator must have effective access to the data and the cloud provider’s business premises. However, following the consultation process, the FCA has now clarified that “business premises” does not automatically include data centres. Although this will be welcomed by regulated firms and cloud providers, it should be noted that the FCA has reserved its position in relation to data centres, stating that “there may be circumstances where physical access to data centres is necessary for a firm to meet its regulatory requirements”.

Despite these clarifications, a requirement for cloud providers to allow access to data and business premises is far from standard practice in the current market and will require providers to restructure their approach.

The FCA has also resisted calls to amend the number of access requests that a regulated firm may make each year. Although the FCA guidance does not comment on the issue of charging for such access, the level of any such charges may affect whether a regulated firm considers itself to have “effective access”.

Sub-contracting

The FCA has clarified its expectations of regulated firms in relation to their review of the cloud provider’s sub-contracting arrangements. Under the final guidance, a regulated firm must only review a cloud provider’s sub-contracting arrangements to the extent that such arrangements are relevant for the provision of the regulated activity.

Oversight

The FCA has reinforced its original position that the regulated firm must have the appropriate skills and resource necessary for testing any activities outsourced to a cloud provider. The FCA stresses that the regulated firm must have the necessary expertise to take back control of the outsourced function if required.

However, typically a key benefit of outsourcing arrangements is that once a function is outsourced, the firm no longer needs to retain the same level of internal expertise and resource required to carry out the outsourced function. An obligation to maintain too high a level of internal capability may mean that regulated firms find cloud solutions less attractive.

Risk management

Regulated firms must monitor “concentration risk” and consider the action that should be taken if the provider fails. The updated guidance clarifies that “concentration risk relates to the reliance that firms themselves may have on any single provider”. This explanation should assist regulated firms to understand their obligations in relation to their risk management of cloud solutions. Interestingly, it does not seem to cover explicitly the risk of several regulated firms all relying on the same provider.

However, the FCA has refused to impose a threshold for breach notification. Instead, the requirement for a cloud provider to notify the regulated firm of any breaches is an important point for the cloud provider to agree with the regulated firm in the context of the specific services provided and on a case-by-case basis.

Conclusion

Although the clarifications made in finalising this new guidance soften a few aspects of it, cloud providers and regulated firms may still encounter problems in complying with all the requirements covered in the guidance. A number of the recommendations, such as effective access, are potentially costly and/or problematic for cloud providers. Ultimately, the adjustments made do not remove certain obligations which, although appropriate for general outsourcing, may not be the norm for many cloud services.