On 7 July 2016, the UK’s Financial Conduct Authority (FCA) issued finalised guidance for authorised UK financial institutions use of cloud services. In a marked contrast to some other jurisdictions’ approach, this guidance is issued against a policy backdrop of FCA’s ‘Project Innovate’ which is a initiative to foster innovation and competition. The FCA say:
‘Cloud’ is a broad term, and stakeholders have interpreted it differently. We see it as encompassing a range of IT services provided in various formats over the internet. This includes, for example, private, public or hybrid cloud, as well as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Cloud services are constantly evolving. Our aim is to avoid imposing inappropriate barriers to firms’ ability to outsource to innovative and developing areas, while ensuring that risks are appropriately identified and managed.
Using the cloud can provide more flexibility to the service that firms receive, enabling innovation and bringing benefits to firms, their consumers, and the wider market. However it can also introduce risks that need to be identified, monitored and mitigated. These risks primarily affect the degree of control exercised by the firm and specific issues such as data security. Cloud customers may have less control of the supplier, for example the degree to which they can tailor the service provided, and of the data, such as where data are stored.
So we are setting out in more detail our approach to regulating firms which outsource to the cloud and other third-party IT services. We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules.
In a post-Brexit world, forward-looking policy approaches like this will be needed to help the UK to retain its role as a leading global financial centre.
Cloud just another type of outsourcing
The FCA’s guidance makes it clear that wherever a third party delivers services to a regulated firm that comprises outsourcing and so relevant regulatory obligations apply – in particular appropriate management of risk.
Cloud is a type of outsourcing so rules applicable to outsourcing (e.g. see SYSC 8) will apply to cloud. In assessing applicable rules, key issues to consider include whether the function being outsourced (i.e. supplied from the cloud) is:
(i) critical or important;
(ii) constitutes a material outsourcing; and/or
(iii) whether it relates to an important operational function.
Checklist of areas for regulated firms using the cloud to consider
Finally, the FCA guidance provides a helpful checklist (with notes) of areas for regulated firms to consider:
- Legal and regulatory considerations
- Risk management
- International standards
- Oversight of service provider
- Data security
- Data protection
- Effective access to data
- Access to business premises
- Relationship between service providers
- Change management
- Continuity and business planning
- Exit plan