Out-Law News | 12 Nov 2015 | 3:05 pm | 3 min. read
In proposed new guidance on cloud and other IT outsourcing (15-page / 151KB PDF), the regulator said there is "no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules".
Financial services and technology law expert John Salmon of Pinsent Masons, the law firm behind Out-Law.com, said: "It is really positive for the FCA to recognise that the financial services sector can move ahead with plans to use cloud services as long as appropriate safeguards are put in place. This is consistent with the regulator’s efforts to promote innovation in the sector and should help more firms benefit from cloud solutions."
The FCA said cloud outsourcing can help improve competition in the financial services sector. This is because it can "facilitate entry and/or expansion, and increase the ability of financial services providers, overall, to renew their IT systems in a more efficient manner". The "improved choice and innovation in outsourcing" should deliver "commensurate benefits for firms and consumers", it said.
The FCA said that there are risks that companies need to manage when outsourcing to cloud providers. The commoditised nature of many cloud services means cloud customers "may have less scope to tailor the service provided", it said. Cloud customers should also be aware that they may not be able to control where data is stored and that sub-contracting arrangements may exist without them "initially realising", it said
The draft guidance outlines a number of the areas regulated firms need to consider when thinking about outsourcing to the cloud, from regulatory matters, business continuity, data protection and security, to how to manage risk and ensure regulators have effective access to data.
Salmon said: "It is good to see the FCA acknowledge that cloud services while similar to traditional outsourcing arrangements are unique in many respects. Leaving to one side some of the regulatory issues which remain to be debated through the consultation period, what the FCA has already provided in this document should provide firms with a good roadmap to implement cloud strategies that are effective in matching compliance rules written for traditional outsourcing arrangements to the cloud context."
One of the recommendations the FCA made was for financial services companies to determine whether their cloud contracts are governed by UK law and subject to UK court jurisdiction. It said that even if it is not those cloud customers must ensure that they, their auditor and the FCA have "effective access" to its data as well as the cloud provider's "business premises".
The FCA said the 'data' in this context "includes but is not limited to firm, personal customer and transactional data, but also system and process data: for example Human Resource vetting procedures or system audit trails and logs".
"A firm should: ensure that notification requirements on accessing data, as agreed with the service provider are reasonable and not overly restrictive; ensure there are no restrictions on the number of requests the firm, its auditor or the regulator can make to access or receive data; advise the service provider that the regulator will not enter into a non-disclosure agreement with the service provider but will treat any information disclosed in accordance with the confidentiality obligation set out in the Financial Services and Markets Act (FSMA)…; ensure that, where a firm cannot disclose data for any reason, the contract enables the regulator or the firm’s auditor to contact the service provider directly," the guidance said.
The FCA said in its guidance that although 'business premises' is a term it considers have broad meaning, and refer to premises such as head offices, operations and data centres, regulated firms do not have to ensure they have access to all of their cloud provider's premises.
"For firms where [the business premises access] requirements apply as rules, their contracts must allow for access - including physical assess - to business premises," the FCA said. "The focus should therefore be on which business premises are relevant for the exercise of effective oversight; this does not necessarily require access to all business premises. For example, service providers may, for legitimate security reasons, limit access to some sites – such as data centres."
However, the FCA said: "A regulator visit to an outsource provider’s business premises can be qualified so that it only takes place if the regulator deems it necessary and required under applicable legal and regulatory requirements, but further conditions should not be applied."
When engaging in outsourcing arrangements, regulated firms "retain full responsibility and accountability for discharging all of their regulatory responsibilities", the regulator said. It said companies need to have an "exit plan" that is "understood, documented and regularly rehearsed" which allows it to come out of outsourcing arrangements "without undue disruption to their provision of services, or their compliance with the regulatory regime".
The FCA's guidance is open to consultation until 12 February 2016.
"The consultation period over the next few months will provide a good opportunity for businesses affected to set out clear views about how existing regulation can be addressed in a way that enables cloud products," Salmon said.