Today the Financial Conduct Authority (FCA) published its final guidance for firms outsourcing to the ‘cloud’ and other third party IT services. This report is relevant to firms that are interested in outsourcing to the cloud and other third party IT services. It may also be of interest to third party IT providers (including cloud providers), trade associations and consumer groups, law firms and other advisers, and auditors of financial services firms.
This guidance sets out the FCA’s view and will be relevant to all firms that it authorises. Dual regulated firms should also confirm the position of the PRA in relation to firms outsourcing to the ‘cloud’ and other third party IT services.
The FCA’s responses to the feedback it received on Guidance Consultation GC15/6 are set out in the annex of this finalised guidance. The FCA does not consider that the feedback received requires substantial changes to its guidance and proposed approach as set out in GC15/6. However, in some areas the regulator amended the draft guidance, mostly to clarify its expectations.
The main feedback issues were:
- physical access to business premises, including data centres
- the scope of firms’ obligations relating to supply chain and sub-contracting arrangements
- clarifying expectations around aspects of risk management, including concentration risk
- points around the choice and control in relation to the jurisdictions where data is processed, stored and managed
- the provisions to ensure firms have effective access to data
- specific expectations around exit plans.
The FCA statement together with the guidance can be found here.