FG 16/5 Outsourcing to the cloud and other third party IT services

Over the past few years, there has been a huge increase in the way people use technology. Many people stopped buying music CDs when it became possible to download the tracks straight from iTunes or Amazon. And now it’s possible to get music for free or by paying a subscription via services like Spotify.

Using internet based services like this is not limited to personal use and many businesses now access such services in a variety of ways, perhaps using cloud based Office software or storing data on a remote server, or by creating and managing client portfolios on an investment platform. Such use of technology is undoubtedly here to stay and generally offers benefits to both firms and clients alike.

However, it brings with it risks that need to be identified, monitored and managed, for example, data security. Reacting to these risks, the FCA has published final guidance (FG 16/5) on outsourcing to third party IT services, in particular using cloud based services.

The guidance is neither all-encompassing nor binding for adviser firms but includes a list of areas that firms should consider when selecting and monitoring third parties in the delivery of IT services that are essential to the effective functioning of the regulated firm’s business operations.  The FCA’s SYSC sourcebook contains general outsourcing requirements for firms and should also be considered (SYSC 8.1). Firms should also follow ICO guidance on cloud computing in relation to data protection.

For adviser firms, the FCA guidance refers to whether the function being outsourced is considered critical or important, or is material outsourcing.

Critical or important
An operational function is regarded as critical or important if a defect or failure in its performance would materially impair the continuing compliance of a firm with the conditions and obligations of its authorisation, its other obligations under the regulatory system, its financial performance, or the soundness or continuity of its relevant services and activities. 

Material outsourcing
This is defined in the FCA Handbook as outsourcing services of such importance that weakness or failure of the services would cast serious doubt upon the firm’s continuing satisfaction of the threshold conditions or compliance with the Principles for Businesses. 

Firms should notify the FCA when entering into, or significantly changing, material or critical outsourcing arrangements.

Important Note: ATEB news is intended to provide general information ONLY. The content, including any views expressed or guidance provided, does not replace the need to comply fully with FCA Rules and Guidance. Unless you have discussed news article content with ATEB, and specifically how it relates to your circumstances, then ATEB disclaims all liability and responsibility and actions arising from any reliance placed upon it. For the avoidance of doubt therefore, any reliance you place on such information without our consultation is at your own risk.

ATEB Compliance offers compliance and regulatory advice.

ATEB Suitability provides report writing software for the financial services market.

Our View

Firms should note the guidance from the FCA and ICO and, where appropriate, use it to inform their systems and controls on outsourcing.

Action Required By You

Read FG 16/5 and other relevant requirements and guidance.

The following aspects should be considered when selecting or monitoring an outsourced service …

  • Legal and regulatory considerations;
  • Risk management;
  • International standards;
  • Oversight of service provider;
  • Data security;
  • Data Protection Act (DPA) 1998;
  • Effective access to data;
  • Access to business premise;
  • Relationship between service providers;
  • Change management;
  • Continuity and business planning;
  • Resolution (where applicable);
  • Exit plan.

ATEB clients should speak with their account manager; otherwise contact ATEB here to find out how we can help.


SUIT - Beautiful Reports
SUIT - Complete Control
SUIT - Comp confidence
previous arrow
next arrow

About the Author

Technical Manager - Often referred to as the Oracle or the Sage, Alistair has a wealth of financial services experience. He is our go-to Technical Manager and enjoys nothing more than a complicated conundrum. Feel free to test his renowned knowledge by getting in touch.

Contact Us

Brought to you by

Explore more articles in this category

Other articles that you might be interested in