In outsourcing deals in the financial services sector service providers are very used to hearing from banks and financial institutions that certain contractual protections are required to meet ‘regulatory requirements’. Now that the FCA has published its final guidance on cloud computing, cloud service providers will need to get used to having similar discussions.
This summer the FCA published its final guidance for UK regulated firms outsourcing to the cloud. In the guidance, which is long overdue, the FCA makes clear that there is “no fundamental reason” why financial services firms cannot use public cloud services, as long as they comply with the FCA’s rules. This statement and the guidance will certainly be welcomed by those UK financial institutions hesitant to embrace cloud to date due to the lack of regulatory certainty over its use. And it should be good news for the cloud sector too – providing a boost in the uptake of cloud services in the sector.
FCA Approach to Outsourcing
In the UK, the FCA and its predecessors have created longstanding guidance which requires firms to appropriately identify and manage the operational risks raised by outsourcing. The approach is proportionate and risk based, taking into account the nature, scale and complexity of a firm’s operations. The guidance builds on this existing approach.
Considerations when using cloud
The FCA identifies three risks it believes are specific to cloud-based solutions:
- customers may have less scope to tailor the service;
- providers may move customer data around with less visibility and control for the data owner; and
- providers may contract out part of the service provided to other cloud providers, without visibility for the customer
The cloud guidance lists a number of areas of interest that regulated firms should consider when using cloud-based services, including how firms should discharge oversight obligations:
- Legal and Regulatory Considerations
- Risk Management
- International Standards
- Oversight of Service Provider
- Data Security
- Data Protection
- Effective Access to Data
- Access to Business Premises
- Relationships Among Service Providers
- Change Management
- Continuity and Business Planning
- Resolution (e., treatment during a dissolution or insolvency event)
- Exit Plan
Each category is accompanied by a list of bullet points and provides a number of clear statements detailing what the FCA expects in terms of access to data, access to premises and exit planning.
Changes in final guidance
The FCA published its draft cloud guidance for consultation in November 2015. The final guidance contains some key changes based on concerns raised during the consultation period. Here are some of the key points to note.
- Supply chain identification. In response to concerns that the FCA expects firms to identify all of the service providers in a supply chain, the FCA has agreed that identifying all providers may not always be necessary. The Cloud Guidance now makes clear that identification only applies where the service providers “are related to the regulated activity being provided”. However, given much of a regulated firm’s activity with providers is likely to relate to regulated activity, this amendment may not provide much practical benefit.
- Cloud data locations. One of the key concerns about the use of cloud services in financial services has always been the degree of knowledge and control (and auditability) of data storage and processing locations. The FCA has now acknowledged that in the context of cloud services firms may not be able to have full “choice and control” regarding the jurisdiction in which its data is stored, processed and managed. Instead, a firm should “agree a data residency policy with the provider upon commencing a relationship with them, which sets out the jurisdictions in which the firm’s data can be stored, processed and managed. This policy should be reviewed periodically.” This change will be welcomed as it more realistically reflects how a firm’s relationship with a cloud provider will work in practice - many large cloud providers now offer ring-fenced geographical cloud options.
- Access to data centres. In response to concerns raised regarding the issue of physical access to data centres, the FCA did not change its stance and emphasised that there may be circumstances where physical access is required for a firm to meet its regulatory requirements. However, given the shared services model of cloud solutions and cloud provider concerns over security and disruption, it’s likely that audit and access rights will continue to be a hotly contested issue, irrespective of what the cloud guidance says.
The cloud guidance is certainly a welcome development for regulated financial services firms, giving them the assurance that as long as they comply with the FCA’s rules and guidelines, they can take advantage of cloud based services. Although the cloud guidance is not prescriptive, it provides a useful framework for firms to help ensure compliance with the FCA’s rules when outsourcing to the cloud.
And, for service providers? Well, they will certainly need to get used to financial services firms raising the cloud guidance during negotiations. Ideally, service providers will start to create offerings tailored for the financial services sector to ensure compliance. At the very least cloud providers will need to get familiar with the cloud guidance and consider how they will approach any requirements raised by customers in reliance on it.