Staying compliant when using cloud services
ATEB Consulting’s Steve Bailey looks at the FCA’s latest guidance and what it means practically for firms
The FCA has updated its guidance for firms outsourcing to the ‘cloud’ to reflect changes in relevant legislation. This guidance does not apply to designated investment firms or IFPRU investment firms.
The term ‘cloud’ encompasses a range of different IT services. Each service has features and risks associated with it, and it is for firms to consider which outsourcing option is the best fit for their business. It is important to note that where a third party delivers services on behalf of a regulated firm, including a cloud provider, this is considered to be outsourcing and firms need to consider the relevant regulatory obligations and how they comply with them.
The changes made to the guidance are not substantial – they are mostly to clarify the FCA’s expectations, particularly on the following points:
• Physical access to business premises, including data centres;
• The scope of firms’ obligations relating to supply chain and sub-contracting arrangements;
• Clarifying expectations around aspects of risk management, including concentration risk;
• Points around the choice and control in relation to the jurisdictions where data is processed, stored and managed;
• The provisions to ensure firms have effective access to data;
• Specific expectations around exit plans.
Physical access to business premises
Access to business premises applies to UCITS investment firms only. The FCA uses ‘business premises’ as a broad term. This may include head offices and operations centres, but not necessarily data centres. UCITS investment firms should ensure that their contracts allow for this access.
Scope of firms’ obligations
Regulated firms retain full responsibility and accountability for discharging their regulatory responsibilities. Firms cannot delegate any part of this responsibility to a third party. It is therefore important that an appropriate level of due diligence is undertaken before making the decision to outsource, with a documented rationale to support the decision.
Clarifying expectations around aspects of risk management
Firms should ensure that entering into an agreement does not increase the firm’s operational risk. This can best be achieved by carrying out and documenting a risk assessment. The assessment should also consider the firm’s obligations under the General Data Protection Regulation (GDPR), along with ‘concentration risk’ which relates to the reliance that firms themselves may have on any single provider. It should be clear what service is being provided and where responsibility and accountability between the firm and its service provider begins and ends.
Access to Data
A firm should ensure that notification requirements on accessing data are agreed with the service provider, and are reasonable and not overly restrictive.
Exit plans
Firms need to ensure that they can exit outsourcing arrangements without undue disruption to their service or to their compliance with the regulatory regime. Firms should ensure termination arrangements are documented, with a specific obligation placed on the outsourcing provider to fully cooperate with both the firm and any new outsource provider to ensure a smooth transition, with particular onus on how data will be removed from the service provider’s systems on exit.
An update rather than a whole set of new rules, this guidance is a timely reminder of the risks involved in dealing with data. Businesses and individuals rely more and more on data and technology and it is important to ensure that the risks are minimised or negated.
Firms should ensure that robust due diligence has been undertaken on outsource providers with a documented rationale to support the decision to use the provider. They should also review contracts to ensure they meet the regulatory requirements.