The Financial Conduct Authority (FCA) recently published the final text of its guidance for firms outsourcing to the cloud and other third party IT services which outlines thirteen "areas of interest" for regulated firms to consider when engaging third party IT service providers. Following our previous Insight on the initial draft of this guidance, this latest Insight outlines the finalised guidance and what it means for regulated firms and their service providers.
What is the purpose of the guidance?
The guidance aims to help regulated firms and IT service providers understand the expectations of the FCA and the requirements of regulated firms when firms outsource (or consider outsourcing) to the cloud or other third party IT services. The FCA is of the view that "complying with this guidance will, generally indicate compliance with the FCA outsourcing requirements".
The FCA consulted on a draft of the guidance in November 2015, and its response to the feedback received is helpfully set out in an Annex to the finalised guidance. The FCA has also worked with Project Innovate in arriving at the finalised guidance. The changes to the draft guidance are not substantial, although a number of important clarifications have been made.
What does the guidance say?
The guidance provides a list of thirteen areas that regulated firms should consider when they are using, considering using and thereafter monitoring third party IT providers:
- Legal and regulatory considerations: firms must review the outsourcing contract to ensure that it complies with the FCA's requirements.
- Risk management: firms must identify and manage risks introduced by their outsourcing arrangements, including considering any reliance on a single provider ("concentration risk").
- International standards: during the initial due diligence stage and then during the ongoing monitoring of a third party service provider, firms should take account of the provider's adherence to international standards.
- Oversight of service provider: firms retain full accountability for discharging their responsibilities under the regulatory system and cannot delegate responsibility to the service provider.
- Data security: firms should carry out a security risk assessment of the service provider. This includes agreeing a "data residency policy" which details the jurisdictions where the firm's data can be processed.
- Data Protection Act 1998 (DPA): firms must comply with the eight principles of the DPA and associated guidance.
- Effective access to data: some firms have specific regulatory requirements which require effective access to data related to the outsourced activities for regulated firms, auditors, regulators and relevant competent authorities. This includes taking steps to ensure that data are not stored in jurisdictions which may make access for UK regulators more difficult.
- Access to business premises: relevant firms must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider (which may not necessarily include data centres).
- Relationship between service providers: if the regulated firm does not directly contract with the outsource provider, it should review sub-contracting arrangements relevant to the provision of the regulated services to ensure they will allow the firm to comply with its regulatory requirements.
- Change management: firms require a comprehensive change management process.
- Continuity and business planning: firms must have appropriate arrangements in place to ensure that they can continue to meet their regulatory obligations in the event of an unforeseen interruption of outsourced activities.
- Resolution (where applicable): services should be organised so that they do not become a barrier to the resolution or wind-down of a firm.
- Exit plan: firms need to be able to exit outsourcing arrangements without undue impact on service provision or compliance with their regulatory obligations. Exit plans should be fully tested. This includes monitoring concentration risk and considering what actions would be required if the service provider failed.
Additionally, the FCA's guidance reminds regulated firms of their obligation to notify the FCA when they enter into a material or critical outsourcing arrangement.
What does this guidance mean for regulated firms?
The FCA is clear that it expects firms to take note of the guidance and, where appropriate, use it to inform their systems and controls on outsourcing. Additionally, regulated firms must remember that they retain full accountability for discharging their responsibilities under the regulatory system and cannot delegate responsibility to their service providers. Therefore, firms should adopt this guidance and embed it into their internal procedures and policies. The guidance is not comprehensive and should be treated as supplementary to the FCA's requirements as set out in its Handbook, and in particular its Senior Management Arrangements, Systems and Controls sourcebook (SYSC).
The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.