Proposed guidance for firms outsourcing to the cloud and other third party IT services- An overview of the FCA guidance consultation
The FCA has produced this draft guidance, as a response to perceived uncertainty as to how their rules apply to the cloud and “other third party IT systems”. The latter term is not further defined.
The FCA notes that it sees no reason why cloud services (including public cloud services) cannot be implemented in a manner that complies with the FCA handbook. Further, it views cloud and other third party IT services as potentially facilitating competition.
The draft guidance is not binding, though the FCA expects firms to take note of it. It is also not exhaustive nor should it be read in isolation. However, the FCA is of the view that complying with the guidance, will generally indicate compliance with the relevant FCA rules.
Firms regulated by the PRA should confirm their approach with the PRA.
The consultation period ends on 12 February 2016.
The guidance identifies several areas that a firm should consider as part of its preparations for use, evaluation and on-going monitoring of third party providers that are essential to the effective functioning of the firm’s business operations.
It notes that, where a third party provides services on behalf of a regulated firm, including a cloud provider, this is considered outsourcing and firms need to consider the relevant regulatory obligations. This guidance is intended to assist firms meet their regulatory requirements when outsourcing, including by use of the cloud.
The overall aim of the high-level regulatory obligations on outsourcing is that a firm appropriately identifies and manages the operational risks associated with use of third parties. The guidance emphasises that regulated firms retain full responsibility and accountability for discharging all of their regulated responsibilities. Firms cannot delegate any part of this responsibility to a third party.
The guidance considers particular “areas of interest” and identifies actions the regulated firm should take in respect of outsourcing a function that is “critical or important”, “material” or involves “important operational functions”. Some of the key “areas of interest” are outlined below:
- Legal and regulatory considerations: Firms should ensure the outsourcing agreement complies with FCA rules. It should have a clear business case as to why it has chosen to outsource the relevant function and during due diligence should review whether the outsourcing will impair the firm’s operational risk. It should have thought through the consequences of the location of the supplier’s 1 SYSC 8.1.4R, 2 PRIN, 3 Electronic Money Regulations 2011 and Payment Services Regulations 2009 premises in a foreign jurisdiction, in particular in respect of ensuring access to data, compliance with data protection legislation and access to premises for auditors and regulators. It should identify all service providers in the supply chain and ensure that the requirements of the firm can be complied with throughout the supply chain.
- Risk management: Firms should identify and manage risks introduced by the outsourcing. The outsourcing agreement should provide for “prompt and appropriately detailed notification of any breaches or other relevant events arising including the invocation of the disaster recovery arrangements”. The scope of this guidance is unclear – most outsourcing agreements do not provide for the supplier to notify the customer of “any breaches”. They also state that firms should ensure the agreement provides for remediation of breaches; again many outsourcing arrangements may provide for a remedy in damages rather than remediation.
- International standards: While firms should review on an on-going basis a supplier’s compliance with international standards, this of itself is not enough. That said, compliance with well-known standards such as ISO 27000 series may be more relevant and should be taken into account as appropriate.
- Oversight of service providers: Since risk of regulatory compliance cannot be delegated, firms should be clear about the services being provided and who remains responsible for each aspect (as between the firm and the service provider). There should also be dispute resolution processes in place and the firm should retain sufficient staff with the correct skills to manage the outsourcing arrangement.
- Data security: Firms should be aware of their responsibilities in respect of personal data and particularly if there is sensitive personal data. They should carry out a security risk assessment that includes the service provider and should have a “data residency policy” which sets out where data can be stored. The guidance states that firms should also “have choice and control” regarding the jurisdiction in which their data is stored. If using the public cloud then they should consider data segregation.
- Data Protection Act: A firm should ensure the agreement will enable it to comply with the DPA and with guidance issued by the ICO in respect of cloud arrangements (which will change over coming months given the latest draft data protection regulation).
- Effective Access to Data: Specific regulatory requirements (e.g. SYSC8.1.8(9) may require effective access to data for regulated firms. Data for this purpose means personal data but also system and process data (e.g. staff vetting procedures). Firms should ensure there are agreed (not overly restrictive) provisions relating to access and ensure there are no restrictions on the number of requests that can be made to access such data.
- Access to business premises: This is a particular concern in respect of audit access. The guidance requires that it should be able to require an onsite visit in accordance with applicable legal and regulatory requirements. This right should not be restricted, but it is acceptable to be obliged to provide reasonable prior written notice of this visit, expect where there is an emergency. The scope of the visit may be limited to those services that the firm is using. In respect of visits by a regulator, these can only be restricted to the extent required by applicable legal and regulatory requirements. The service provider must commit to cooperate with the reasonable requests of the regulator. Any visits by a regulator can be restricted to normal business hours and at a time specified by the service provider or with reasonable notice, except in an emergency. It is also acceptable to restrict the regulator so that the regulator minimises disruption to the service provider’s operations.
- Supply chain: Firms should review subcontracting arrangements to ensure that these enable the regulated firm to comply with its regulatory requirements e.g. in respect of security and effective access to data. Firms should consider the Contracts (Rights of Third Parties) Act in respect of these arrangements
- Business continuity:Firms should ensure they are able to continue to function in the event that there is an unforeseen interruption in services. They should document their strategy for recovery and regularly test the arrangements.
- Exit plan: Firms should ensure that they can transfer services without undue disruption or risk of non-compliance with the regulatory regime. They should have documented exit plans in place which would include a specific obligation on the service provider to cooperate with the firm and any replacement supplier. It should specifically have a plan for removing data from the service provider’s systems and for the service provider’s insolvency.
There is an initial question mark as to the scope of this guidance. Who are the “other third party IT suppliers”. That said, the guidance makes clear that use of a cloud based supplier for a “material” or “critical” function can constitute an outsourcing within the FCA rules.
Much of the new guidance repeats established good practice and previous guidance (e.g. the “Dear CEO” letter to asset managers), particularly for example the emphasis on carrying out proper due diligence, continual monitoring of the service provider and having appropriate exit plans in place.
Some of this guidance is also likely to establish a new norm e.g. in respect of suppliers’ positions on audit access and access by regulators. Suppliers now have a clear set of guidance as to restrictions it is legitimate to impose in respect of audit.
As already noted, in respect of Risk Management, some of the guidance appears aspirational. No doubt this will be fed back to the FCA during the consultation process. If not, it risks creating either one sided and onerous contracts for suppliers who will be obliged to notify of “any breach” or a focus of debate in contract negotiations as to what this guidance really requires the supplier to notify the firm of.
Some of the guidance does not seem particularly appropriate for a typical cloud service. This includes a number of the comments relating to control of the location personal data is processed. Many cloud suppliers (as opposed to “third party IT services”) are unlikely to be able to comply with this.
A copy of the draft guidance can be found here.