United Kingdom (and EU regulation)

FCA finalised guidance for firms outsourcing to the cloud and other third-party IT services

Last November we blogged an article concerning FCA Guidance Consultation 15/6: Proposed guidance for firms outsourcing to the ‘cloud’ and other third-party IT services (GC15/6).

The FCA has now published Finalised Guidance 16/5: Guidance for firms outsourcing to the ‘cloud’ and other third party IT services (FG16/5). The purpose of the guidance is to clarify the requirements on firms when outsourcing to the cloud and other third-party IT service providers. The guidance is broader than, but includes issues covered in “Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions” which the FCA published in July 2014 as part of its barriers-to-entry work for firms entering, or considering entering the banking sector.

FG16/5 will be of interest to firms who are interested in outsourcing to the cloud and other third party IT services. It may also be of interest to third party IT providers (including cloud providers), trade associations and consumer groups, law firms and other advisers, and auditors of financial services firms.

FG16/5 sets out the FCA’s view and will be relevant to all firms that it authorises. Dual regulated firms should also confirm the position of the PRA in relation to their outsourcing to the ‘cloud’ and other third party IT services.

In FG16/5 the FCA states that it sees no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with its rules.

The FCA does not consider that the feedback received to GC15/6 merited substantial changes to the draft guidance. However, the main feedback issues consisted of:

physical access to business premises, including data centres;
the scope of firms’ obligation relating to supply chain and sub-contracting arrangements;
clarifying expectations around aspects of risk management, including concentration risk;
points around the choice and control in relation to the jurisdictions where data is processed, stored and managed;
the provisions to ensure firms have effective access to data; and
specific expectations around exit plans.

View FCA finalised guidance for firms outsourcing to the cloud and other third-party IT services, 7 July 2018