On 6 February 2020, the European Insurance and Occupational Pensions Authority (EIOPA) published final Guidelines on outsourcing to cloud service providers for insurance and reinsurance undertakings. 

The FCA has notified the European Insurance and Occupational Pensions Agency (EIOPA) that these are not applicable to regulated activities within the UK’s jurisdiction, as they are effective from 1 January 2021, which is after the EU withdrawal transition period is expected to end. 

Instead, the FCA will continue to apply its existing guidance as detailed in FG16/5 – Guidance for firms outsourcing to the cloud and other third-party IT services in the UK.

This guidance was first published in 2016 and most recently updated in September 2019. It will be kept under review to ensure it remains consistent with relevant international standards. 

FG16/5 sets out who the guidance relates to and includes a list of areas that firms should consider when selecting and monitoring third parties in the delivery of IT services that are essential to the effective functioning of the regulated firm’s business operations, including:

• Legal and Regulatory considerations;
• Risk Management;
• International Standards;
• Oversight of service provider;
• Data security;
• Data Protection Act 2018 (DPA) and General Data Protection Regulation (GDPR);
• Effective access to data;
• Access to business premises;
• Relationships between service providers;
• Change management;
• Continuity and business planning;
• Resolution (where applicable);
• Exit plan.

Other useful information is available. The FCA’s SYSC sourcebook contains general outsourcing requirements (SYSC 8.1) and the ICO  provides guidance on the use of cloud computing here.

You can read our previous article on the topic here.