New Guidance from the FCA
Cloud computing offers enormous potential savings for businesses with regard to their spending on information technology and communications (ICT). However, the Cloud also presents equally enormous risks, since it means a vast amount of valuable financial and personal data is held by third parties, frequently offshore. Because of the complexity of Cloud arrangements, it is often unclear to the customer who exactly has control of data at any moment, or where that data is stored or processed.
As a result, there has long been uncertainty about how financial services firms can reconcile their obligations under the Financial Services and Markets Act (FSMA) with effective use of Cloud-based ICT.
The Financial Conduct Authority (FCA) has at last issued a guidance note (FG 16/5) on the topic. The major clarification is that the FCA considers the adoption of Cloud services to be “outsourcing”. As a result, the existing rules on outsourcing will apply to use of Cloud services of all types, especially when it comes to the outsourcing of critical or important business functions by regulated firms.
The guidance is essential reading for anyone regulated under the FSMA and for anyone offering IT or communications services in this sector. While it is not compulsory, failure to adhere to the guidance will be a black mark against a firm in the event of a security breach or where clients’ interests have been put at risk as a result of data or ICT failures.
The guidance lists thirteen separate areas of concern. These are legal and regulatory considerations; risk management; international standards; oversight of the service provider; data security; the Data Protection Act; effective access to data; access to business premises; relationships between service providers; change management; continuity and business planning; resolution (if applicable); and exit plan. As the reference to “resolution” implies, this is a cradle-to-grave approach: the FCA needs to ensure that if a regulated business has to be wound down, its Cloud computing and outsourcing arrangements will not prove a barrier to an orderly wind-down and transition.
The FCA warns:
“Regulated firms retain full responsibility and accountability for discharging all of their regulatory responsibilities. Firms cannot delegate any part of this responsibility to a third party.”
If the outsourcing is of a critical or important function, or is sufficiently material that failure of the outsourced service might threaten the firm’s ability to comply with its regulatory obligations or threaten its financial soundness, the FCA needs to be informed in advance of the proposed outsourcing.
Key obligations under the new guidance are:
- A thorough review of the proposed outsourcing contracts supported by a clear and documented business case, verified by due diligence.
- Due diligence to include an assessment of how far the proposed service provider is bound by international standards, which may require an audit of the service provider’s operation.
- The regulated firm should inform itself of where the service provider’s business premises are located and, if they are not in the UK, ensure that all the access, audit and regulatory requirements can still be performed.
- If there is a supply chain or multiple providers engaged in providing relevant services, these need to be identified and the firm needs to ensure all the obligations can be complied with throughout the supply chain or network.
- Access both to physical premises and to data for the regulated firm itself, its auditors and the regulator needs to be assured and (in the case of data) not limited or restricted by volume constraints.
In short, the watchwords are ownership, transparency and accountability.
The requirements of the FCA guidance are sensible and pragmatic in the light of the needs of a regulated sector to protect end-user customers. Nevertheless, comparing the requirements of the guidance with many standard form Cloud agreements from Cloud ICT providers, even some of the largest and most reputable, suggests a major expectation gap between the information the FCA expects will be available to firms outsourcing ICT to the Cloud and what service providers in the sector are used to offering.
Susan Hall, ICT partner at Clarke Willmott LLP said, “The guidance offered by the FCA with regard to use of Cloud-based ICT services by regulated businesses is clear and coherent. However, the degree of due diligence required of regulated businesses is likely to come as a great shock to Cloud services providers. Negotiating contracts in this area to fulfil both parties’ expectations is likely to be complicated and require experienced legal advisers who are also familiar with the sector.”