Outsourcing to the ‘cloud’

You may also find our previous article on this topic of interest.

The FCA has updated its guidance for firms outsourcing to the ‘cloud’ to reflect changes in relevant legislation. This guidance does not apply to designated investment firms or IFPRU investment firms.

The term ‘cloud’ encompasses a range of different IT services. Each service has features and risks associated with it, and it is for firms to consider which outsourcing option is the best fit for their business.  It is important to note that where a third party delivers services on behalf of a regulated firm, including a cloud provider, this is considered to be outsourcing and firms need to consider the relevant regulatory obligations and how they comply with them.

The changes made to the guidance are not substantial – they are mostly to clarify the FCA’s expectations, particularly on the following points:

  • physical access to business premises, including data centres;
  • the scope of firms’ obligations relating to supply chain and sub-contracting arrangements;
  • clarifying expectations around aspects of risk management, including concentration risk;
  • points around the choice and control in relation to the jurisdictions where data is processed, stored and managed
  • the provisions to ensure firms have effective access to data
  • specific expectations around exit plans.

Physical access to business premises

Access to business premises applies to UCITS investment firms only.  The FCA uses ‘business premises’ as a broad term.  This may include head offices and operations centres, but not necessarily data centres.   UCITS investment firms should ensure that their contracts allow for this access.

Scope of firm’s obligations

Regulated firms retain full responsibility and accountability for discharging their regulatory responsibilities. Firms cannot delegate any part of this responsibility to a third party.   It is therefore important that an appropriate level of due diligence is undertaken before making the decision to outsource, with a documented rationale to support the decision.  

Clarifying expectations around aspects of risk management

Firms should ensure that entering into an agreement does not increase the firm’s operational risk. This can best be achieved by carrying out and documenting a risk assessment.  The assessment should also consider the firm’s obligations under the General Data Protection Regulation (GDPR), along with ‘concentration risk’ which relates to the reliance that firms themselves may have on any single provider.  It should be clear what service is being provided and where responsibility and accountability between the firm and its service provider begins and ends.

Access to Data

A firm should ensure that notification requirements on accessing data, are agreed with the service provider, and are reasonable and not overly restrictive.

Exit Plans

Firms need to ensure that they can exit outsourcing plans without undue disruption to their service or compliance with the regulatory regime.  Firms should ensure termination arrangements are documented with a specific obligation put on the outsourcing provider to fully cooperate with both the firm and any new outsource provider to ensure a smooth transition, with particular onus on how data will be removed from the service provider’s systems on exit.

Important Note: ATEB news is intended to provide general information ONLY. The content, including any views expressed or guidance provided, does not replace the need to comply fully with FCA Rules and Guidance. Unless you have discussed news article content with ATEB, and specifically how it relates to your circumstances, then ATEB disclaims all liability and responsibility and actions arising from any reliance placed upon it. For the avoidance of doubt therefore, any reliance you place on such information without our consultation is at your own risk.

ATEB Compliance offers compliance and regulatory advice.

ATEB Suitability provides report writing software for the financial services market.

Our View

An update rather than a whole set of new rules, this guidance is a timely reminder of the risks involved in dealing with data. Businesses and individuals rely more and more on data and technology and it is important to ensure that teh risks are minimised or negated.

Action Required By You

  • Firms should ensure that robust due diligence has been undertaken on outsource providers with a documented rationale to support the decision to use the provider;
  • Firms should also review contracts to ensure they meet the regulatory requirements. 
SUIT - Beautiful Reports
SUIT - Complete Control
SUIT - Comp confidence
previous arrow
next arrow

About the Author

Technical Manager - Often referred to as the Oracle or the Sage, Alistair has a wealth of financial services experience. He is our go-to Technical Manager and enjoys nothing more than a complicated conundrum. Feel free to test his renowned knowledge by getting in touch.

Contact Us

Brought to you by

Explore more articles in this category

Other articles that you might be interested in