The regulator has published finalised guidance to firms on outsourcing to the cloud (17-page / 198KB PDF) in which it said there is "no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules".
The guidelines are not binding but the FCA said it expects firms to take note of them and use them "to inform their systems and controls on outsourcing". The FCA's handbook sets out specific requirements on outsourcing by financial services firms.
The FCA's final guidance contains some changes to draft provisions it had consulted on late last year.
In its draft guidance the FCA had suggested that financial firms looking to use cloud services would need to have "choice and control regarding the jurisdiction in which their data is stored, processed and managed".
However, financial firms and cloud providers raised objections with those proposals in response to the FCA's consultation, arguing that the 'choice and control' provisions were "impractical and may stifle provider innovation". As a result the regulator has adapted its guidelines.
The final guidelines encourage firms to "agree a data residency policy with the provider upon commencing a relationship with them, which sets out the jurisdictions in which the firm’s data can be stored, processed and managed".
Under the guidelines firms must ensure that cloud providers do not store data "in jurisdictions that may inhibit effective access to data for UK regulators".
"Considerations should include the wider political and security stability of the jurisdiction; the law in force in the jurisdiction in question (including data protection); and the international obligations of the jurisdiction," the guidance said. "This should include consideration of the law enforcement provisions within a jurisdiction."
The FCA said that it wants to "ensure firms are able to determine which jurisdictions their data are held" but that it recognised "many cloud providers are not able to allow firms full control of this".
It said: "In light of this, we have modified our guidelines, to make clear that firms should agree a data residency policy with the provider, which sets out the jurisdictions where their data can be stored, processed, and managed. Providers should have discretion to store, process and control data in the jurisdictions outlined in this policy which are considered acceptable by the firm."
Expert in financial services and technology Yvonne Dunn of Pinsent Masons, the law firm behind Out-Law.com, said: "This is a positive development and is more in line with the reality of engaging with cloud service providers. Arguably the FCA is retaining the principles behind 'choice and control', but front-loading them so that the jurisdictions list can be assessed by the financial services firm and agreed up-front. The cloud service provider is then free to move data around that pre-agreed list, which provides the flexibility needed."
Dunn said one area where the guidance is less clear is how firms, when outsourcing, meet their regulatory obligation to ensure that they, their auditors and regulators have "effective access to data" as well as to "the business premises of the service provider".
The FCA said that, to enable 'effective access' to the premises of service providers in the context of cloud computing, firms will not necessarily need to be able to access every building owned and operated by a cloud provider. However, the regulator appears to have ruled out remote access as a means for firms to meet their regulatory duties.
In its guidance it said: "A firm should be able to request an on-site visit to the relevant business premises, in accordance with applicable legal and regulatory requirements. This right should not be restricted".
However, in an appendix to the guidance, the FCA said: "We agree that physical access to data centres may not always be necessary to provide effective access, but we also consider that there may be circumstances where physical access to data centres is necessary for a firm to meet its regulatory requirements."
The FCA has said: "The focus should … be on which business premises are relevant for the exercise of effective oversight; this does not necessarily require access to all business premises. For example, service providers may, for legitimate security reasons, limit access to some sites - such as data centres."
Craig Callery, a data protection specialist at Pinsent Masons, said: "While the FCA's guidance appears initially helpful by recognising cloud providers' sensitivities around access to data centres, in practice if the FCA is saying that on-site access to relevant business premises is required, in most cases the relevant business premises will be the provider's data centre and so things have not moved on significantly with this new guidance."
Dunn said that in response to the FCA's consultation many financial services businesses had raised concerns with a proposed requirement that they identify all service providers in the supply chain. They said that obligation would be overly onerous in cloud service arrangements.
In its final guidance the FCA restricted the requirement on firms to identify service providers to those services in the supply chain relating to regulated activity only.
Dunn said: "It will be interesting to see how financial services companies respond to this – it is possible that they will not see it as a big change since a lot of their activity with cloud providers will relate to regulated activity anyway."
The FCA's guidance also addresses a range of other issues it said firms need to consider and take account of when outsourcing to the cloud. These include issues around data protection, resolution and exit planning, as well as addressing the risk of outages suffered by cloud providers.