Proposed FCA guidance on outsourcing to the cloud and other third party IT services

15/12/2015

On 12 November 2015 the FCA published its “Proposed guidance for firms outsourcing to the ‘cloud’ and other third-party IT services” (here) (“Proposed Guidance”).

The Proposed Guidance is intended to help firms effectively manage and oversee their outsourcing arrangements. It broadens and builds on a document released by the FCA in July 2014, which identified “Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions” (FCA document here and our article here). It is further evidence of the regulators’ increased focus on IT systems and acknowledgement that financial services institutions rely on technological innovation to deliver and improve services.

The Proposed Guidance sets out the FCA’s position on compliance with regulation while outsourcing to the cloud and engaging other third party IT services. While not binding, the FCA “expects[s] firms to take note of [the Proposed Guidance] and, where appropriate, use it to inform their systems and controls on outsourcing”.

Key points from the Proposed Guidance

  • Not to be read in isolation. The Proposed Guidance supplements, rather than replaces, existing rules and regulations. When considering entering into outsourcing arrangements, firms should pay particular attention to SYSC 8 in the FCA Handbook, amongst other things. For dual-PRA and FCA regulated firms, the PRA has released a note (here) which reminds authorised firms they must also comply with the Fundamental Rules and other relevant parts of the PRA Rulebook, as well as any notification requirements when considering outsourcing critical or important functions.
  • Practical guidance and considerations. The FCA has described its approach to IT outsourcing as “risk based and proportionate, taking into account the nature, scale and complexity of a firm’s operations”. This practical approach can be seen in the pre-contractual, operational and security aspects of the Proposed Guidance. For example, firms should conduct proper due diligence before contracting with a service provider and retain records of all contracts. Although this advice appears simple, these steps are often overlooked as detailed in our recent article on Raphaels bank being fined £1,278,165 by the PRA its intra-group outsourcing failures (here).
  • Identify supply chain. The FCA has identified subcontracting by service providers as a particular risk of outsourcing to cloud based services. The Proposed Guidance states that before entering into outsourcing arrangements, a firm should identify all service providers (not just subcontractors) in the supply chain and ensure that all requirements on the firm can be complied with throughout. It is hoped that the FCA will provide further guidance, following its consultation, on the extent to which service providers within the supply chain must be identified. Would this obligation include, for example, security or cleaning service providers engaged by the IT service provider at its data centre?
  • Regulator access. The Proposed Guidance seeks to give a practical approach on regulator access to service centres. Often a difficult provision to negotiate in outsourcing contracts, firms want unrestricted access for regulators whereas service providers are concerned with disruption to their business and, in shared service centres, the risk of breaching confidentiality obligations to other customers. The Proposed Guidance limits the need for access to “relevant premises” only. Regulators can be restricted to visiting during business hours, at a time specified by the service provider and on reasonable notice, except where there is an emergency or crisis situation. However, the individuals attending from the regulator cannot be restricted.
  • Exit. More challenging aspects of the Proposed Guidance concern exiting outsourcing arrangements, once they are in place. Firms must ensure they can exit “without undue disruption to their provision of services, or their compliance with the regulatory regime”. The Proposed Guidance states that firms should know how to remove data from the service provider’s systems on exit. They should also monitor the risks relating to a service provider failure and consider the action they would take. Issues surrounding access to data and continued service provision following a service provider becoming insolvent or otherwise failing are well known. Data or its encryption key can be “held to ransom” in insolvency situations, where a customer has deep pockets or relies on its data. Solutions which seek to mitigate the risk of this occurring, such as mirrored IT systems where the customer has a backup provider, are expensive. Therefore, more guidance from the FCA on a firm’s minimum obligations concerning exit and accessing/backing up data would be welcomed.

Comments may be made on the Proposed Guidance until 12 February 2016, following which the FCA will publish the final guidance.