The Financial Conduct Authority has recently published guidance setting out its requirements for regulated firms when they use cloud and other third party IT services. The guidance is in a consultation phase with responses required by 12 February 2016.
What does the guidance cover?
The FCA defines cloud services widely as all IT services provided over the internet, including software-as-a-service, platform-as-a-service and infrastructure-as-a-service, and whether public, private or hybrid in nature.
The guidance adopts a fairly cautious approach and emphasises a number of risks in using cloud services, for instance that data held by cloud services is often transferred to different locations without the financial firm’s knowledge.
The guidance identifies specific areas for firms to consider, with recommendations and guidance for each:
- legal and regulatory considerations: regulated firms should carry out due diligence and ensure they know the location of the cloud provider;
- risk management: regulated firms must monitor the risk associated with cloud services and require the cloud provider to notify it of any breaches;
- standards: it is likely to be helpful if the cloud provider adheres to relevant international standards;
- oversight of service providers: the regulated firm will retain full accountability to the regulator;
- data security: the regulated firm should undertake risk assessments to understand the cloud provider’s data loss and notification procedures, and it should have choice and control over the location, including jurisdiction, in which the data is stored, processed and managed;
- Data Protection Act 1998: while data protection requirements are separate to FCA requirements, specific reference is made to compliance with the ICO’s guidance on cloud computing;
- effective access: to data should be available to the regulated firm, its auditors and the regulator;
- access to business premises: should be available to the regulated firm, its auditors and the regulator;
- change management: and establishing how change is effected and carried out should be properly documented;
- continuity and business planning: and ensuring that the cloud provider has appropriate policies in place should be clearly addressed;
- resolution: cloud services should not be organised in a way that creates additional complexity in, or creates a barrier to, the operation of the resolution regime; and
- an exit plan to ensure that the financial firm can exit without undue disruption to the provision of their services should be put in place.
Specific issues: consequences of the FCA’s treatment of cloud services as being a form of outsourcing
The guidance explicitly states that the FCA considers cloud services to be a form of outsourcing. While this is not a surprise and reflects many regulated firms’ approach to date, it is useful to have express confirmation of the FCA’s view so as to lay to rest any uncertainty on this point.
However, this means that the use of cloud services by regulated firms will need to comply with the relevant general obligations and guidance around outsourcing in the FCA Handbook. Compliance with these has generally been perceived as a brake on the use of cloud. It is interesting therefore that the FCA’s approach is to “avoid imposing inappropriate barriers” and to state that it “sees no fundamental reason why cloud services cannot be implemented, with appropriate consideration, in a manner that complies with [its] rules“.
Indeed, much of the guidance, although appropriate in the general outsourcing sphere, is not market-standard for cloud services. For example:
- Geography, choice and control: A fair bit of emphasis is placed on geographic aspects. Regulated firms are expected to know the jurisdiction in which the cloud provider is based, and to have choice and control over the jurisdiction in which their data is stored, processed and managed. They are also expected to assess whether this gives rise to differing legal and regulatory risks. While the location of providers and data is currently an important topic in the market for cloud services (including in the light of the Schrems case), relatively few cloud providers provide the requisite degree of control at present.
- Access to data and business premises: Similarly, few cloud providers permit customers, or customers’ auditors or regulators, to have unrestricted access to “data” and to the provider’s “business premises”. Both these terms are interpreted broadly to include respectively (a) transactional data, system audit trails and logs, and process data, and (b) head offices, operations and data centres. However, some comfort is provided by acknowledgements in the guidance that:
- rights in relation to business premises can be focused on those premises which are relevant for the exercise of effective oversight, and that access to sites such as datacentres might need to be limited for security reasons; and
- a regulator’s right to visit business premises can be qualified to cases where the regulator deems it necessary and required under applicable law and regulation. (However, further conditions should not be applied, and providers should commit to co-operate with requests made during a regulator’s visit.)
- A clear exit plan: In relation to exit, the guidance states there should be a regularly rehearsed exit plan, and a specific commitment on the cloud provider to co-operate with the regulated firm and any new provider to ensure there is a smooth transition. Interestingly, there is also a focus on concentration risk – i.e. on multiple firms using the same provider – which may be hard for a regulated firm to understand and monitor itself.
What happens next: will the guidance lead to an expansion in the use of cloud services by regulated firms?
In many respects, the new guidance is not far removed from existing FCA outsourcing guidance. Complying with that existing guidance has been problematic for many cloud providers, both in terms of the cost implications, and more importantly in terms of the practicalities of compliance in relation to a cloud service.
So it remains to be seen whether and how cloud providers adapt their contracting models to comply with these guidelines. In some jurisdictions, regulators have entered into separate direct arrangements with cloud providers to enable direct rights for regulators (such as access to data and premises) so as to allow financial firms to use cloud providers in a compliant manner.
The FCA does not seem to be envisaging such an approach here. While the guidance is a welcome first step in enabling FCA-regulated firms to make wider use of cloud services, there appear to be some contradictions between the vision it espouses and the detail of the guidance provided. At present, it seems that closer co-operation between the FCA, regulated firms and cloud providers is likely to be needed if a step-change in the use of cloud services is desired.
With this in mind, it will be interesting to see if the responses to the consultation – in particular those from regulated firms and cloud providers who are both interested in expanding use of cloud services – make a significant impact on any further version of the guidance.