Earlier this month the Financial Conduct Authority launched a consultation (Guidance Consultation 15/6) on draft guidance intended to help firms effectively oversee every stage of the life cycle of their cloud and third-party IT outsourcing agreements, from initial due diligence through to exit. It does so by setting out the FCA's expectations in relation to the use of such services.

Is there a need for the guidance?

Both firms and cloud service providers have expressed uncertainty about how the FCA's rules on outsourcing apply to the cloud. The FCA, recognising that such concerns could be a barrier to the use of cloud services in the sector, is anxious not to stifle innovation. The main aims of the proposed guidance, therefore, are to facilitate the use of cloud services and to help ensure firms meet their regulatory responsibilities.

What does the guidance say?

The FCA states that it sees "no fundamental reason" why cloud services cannot be implemented, "with appropriate consideration", in a manner that complies with its rules.

Whilst not intended to be exhaustive, following the guidance will, in the FCA's words, "generally indicate compliance" with the rules and requirements to which the guidance relates.

When considering outsourcing a function to a third party, firms must bear in mind that the act of outsourcing does not delegate regulatory responsibilities to the service provider. Firms remain accountable for discharging their regulatory obligations.

The guidance identifies several areas which a firm should take into consideration when outsourcing to a cloud or other third party IT service provider. The following are some of the more notable considerations:

Before entering into an outsourcing arrangement, firms should carry out robust due diligence to ensure that:

  • outsourcing is the right choice from a business perspective and will not increase the firm's operational risk;
  • the service will allow the firm to comply with applicable FCA rules and other laws such as those relating to data protection;
  • risks are identified and managed appropriately;
  • account is taken of external assurances in the form of the service provider's adherence to international standards, such as the ISO/IEC 27000 series;
  • sub-contracting arrangements are reviewed and steps taken to ensure they allow the firm to meet its regulatory requirements; and
  • there is a "Plan B" in case the service provider fails or does not perform properly.

Outsourcing agreements should:

  • ensure effective access to data held by the service provider for the firm, its auditors and regulators;
  • allow the firm and its auditors to monitor the service provider and have access to relevant business premises for the exercise of effective oversight;
  • make provision for appropriate regulator access to service provider business premises;
  • include provisions for the remediation of breaches;
  • impose sufficient obligations regarding data security and how data is transmitted, stored and encrypted;
  • have a robust change management process;
  • ensure business continuity in the event of unexpected interruption; and
  • provide for exit planning where the outsourced service is to end.

What is the effect of the guidance?

The guidance is non-exhaustive and should be read against the backdrop of the pre-existing regulatory framework contained in the FCA Handbook. The guidance is also just that: guidance. It is not binding on firms, but rather outlines the FCA's preferred practice for the outsourcing process.

The full Guidance can be viewed on the FCA website. The consultation is open until 12 February 2016.

© MacRoberts 2015

Disclaimer

The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.