Compliant outsourcing to IT services and the Cloud
Outsourcing to third-party IT and cloud-based services brings risks that need to be identified, monitored and managed, says ATEB’s Steve Bailey
Over the past few years, there has been a huge increase in people’s use of technology. Many people stopped buying music CDs when it became possible to download the tracks straight from iTunes or Amazon. And now it’s possible to get music for free or by paying a subscription via services like Spotify.
Using internet-based services like this is not limited to personal use and many businesses now access such services in a variety of ways, perhaps using cloud-based office software or storing data on a remote server, or by creating and managing client portfolios on an investment platform. Such use of technology is undoubtedly here to stay and generally offers benefits to both firms and clients alike.
However, it brings with it risks, such as data security, that need to be identified, monitored and managed. Reacting to these risks, the FCA has published final guidance (FG 16/5) on outsourcing to third-party IT services, in particular using cloud-based services.
The guidance is neither all-encompassing nor binding for adviser firms but includes a list of areas that firms should consider when selecting and monitoring third parties in the delivery of IT services that are essential to the effective functioning of the regulated firm’s business operations.
The FCA’s SYSC sourcebook contains general outsourcing requirements for firms and should also be considered (SYSC 8.1).
Firms should also follow ICO guidance on cloud computing in relation to data protection.
For adviser firms, the FCA guidance refers to whether the function being outsourced is considered critical or important, or is material outsourcing.
Critical or important
An operational function is regarded as critical or important if a defect or failure in its performance would materially impair the continuing compliance of a firm with the conditions and obligations of its authorisation, its other obligations under the regulatory system, its financial performance, or the soundness or continuity of its relevant services and activities.
Material outsourcing
This is defined in the FCA Handbook as outsourcing services of such importance that weakness or failure of the services would cast serious doubt upon the firm’s continuing satisfaction of the threshold conditions or compliance with the Principles for Businesses.
Firms should notify the FCA when entering into, or significantly changing, material or critical outsourcing arrangements.
Firms should note the guidance from the FCA and ICO and, where appropriate, use it to inform their systems and controls on outsourcing.
Read FG 16/5 and other relevant requirements and guidance.
The following aspects should be considered when selecting or monitoring an outsourced service:
• Legal and regulatory considerations
• Risk management
• International standards
• Oversight of service provider
• Data security
• Data Protection Act (DPA) 1998
• Effective access to data
• Access to business premises
• Relationship between service providers
• Change management
• Continuity and business planning
• Resolution (where applicable)
• Exit plan.