The FCA has released its guidance on outsourcing to the cloud and other third party IT services.
The guidance aims to clarify the issues which regulated firms (and interestingly their service providers) should be aware of and consider throughout the life cycle of outsourcing arrangements. It is part of the FCA's continued support of the use of innovative technologies and solutions in the interest of consumers and follows a line of guidance issued in this area to clarify requirements.
Although the guidance is non-binding, the FCA states that it "expects firms to take note of the guidance and, where appropriate, use it to inform their systems and controls on outsourcing".
The FCA also uses the guidance as an opportunity to reiterate that the driver for the regulatory requirements relating to outsourcing is to ensure that firms looking to use third parties implement appropriate measures and manage operational risks appropriately (i.e. "firms do not take on undue operational risk"). In addition, the FCA mentions that the guidance should not be read in isolation and that firms will still have to comply with regulations and standards which already apply to outsourcing, for example the Senior Management Arrangements, Systems and Controls (SYSC 8) requirements or those requirements set by the PRA.
When looking through the guidance, readers should note that the FCA sees the "cloud" as encompassing various types of IT services provided over the internet.
13 areas of interest
The guidance sticks to the 13 "areas of interest" which were set out in the proposed guidance in November 2015, as we highlighted in our previous article.
Firms are encouraged to consider, as part of their decision to outsource, the following "areas of interest":
- legal and regulatory considerations;
- risk management;
- international standards;
- oversight of service provider;
- data security;
- Data Protection Act 1998 (and potentially the new General Data Protection Regulation);
- effective access to data;
- access to business premises;
- relationship between service providers;
- change management;
- continuity and business planning;
- resolution planning in the event of insolvency or administration (where applicable); and
- exit planning.
Data residency policy. The FCA recommends that firms agree a "data residency policy" with providers to identify acceptable jurisdictions for data hosting. On the face of it, agreeing independent data residency policies may seem an unreasonable and unrealistic suggestion; however, firms who are using cloud providers to host personal data will already do this to some extent, as a certain level of transparency is required under the current data protection regime.

Effective access to data. The regulator seems to be aware of the challenges in securing appropriate audit rights where shared services are provided, and of the conflict with other customers' interest in maintaining the confidentiality of their information. However, the regulator clearly requires that contracts include an unfettered right to request audits and access to information in order to assess governance and compliance with regulatory standards where the regulator "deems it necessary and required under applicable legal and regulatory requirements". While a challenge, in our experience IT suppliers have been flexible in granting or extending audit rights to regulators.

Monitor concentration risk. Over time, IT providers learn about a customer's requirements and are able to tailor their offering and grow with a customer's business. It is the natural course for long-term business relationships to grow and for providers to become more entwined and entrenched with customers' operations. The FCA acknowledges that this is the case but notes that the risk is one for firms to be aware of. If these larger relationships are not monitored, over time customers may become dependent on their providers, creating a single point of failure and thus exposing firms to undue risk in the event the provider is not able to continue to provide services or if service levels start to fall. This risk can become systemic and unmanageable but will remain the responsibility of the firm to address. Businesses need to ensure that concentration risk is a weighted factor in their decision-making process.

Oversight of the service provider. The FCA states that firms are required to have the "appropriate level of skill and resources to test outsourced activities; identify, monitor and mitigate against risks arising; and properly manage an exit or transfer". This is an area which firms have in the past struggled with or, at worst, ignored, assuming that they can rely on the expertise of the provider to assist with risk monitoring. However, this requirement goes to the heart of the guidance: firms cannot delegate their responsibilities to providers. Firms need to ensure that they have in place appropriate internal controls and the required resources and skill set to monitor risks. Creating and maintaining an effective exit plan is critical in exit or transfer scenarios, so that firms are able to identify what providers are required to do and to manage the transfer of services appropriately, ensuring that the services and, in turn, the customers are not adversely affected. While these issues are often "kicked into the long grass" when finalising a contract, it is key that this is contemplated and agreed at an early stage where there is still negotiation leverage.
The guidance is a clear acknowledgment by the regulator that IT service providers and cloud services are becoming a critical part of the industry and essential for financial services providers to remain competitive. However, as technologies and shared platforms (such as cloud services) become more common, the increased reliance on these types of services also increases the risk of unmanageable failure if the points above are not considered at the outset.