In early July 2016, the Financial Conduct Authority (FCA) issued a finalised guidance paper entitled ‘Guidance for firms outsourcing to the ‘cloud’ and other third party IT services’. With many firms making increasing use of technology in delivering financial services, its content needs to be carefully studied, and firms need to consider whether they need to alter existing practices and procedures in light of the guidance.
Oxford Dictionaries defines cloud computing as:
“The practice of using a network of remote servers hosted on the internet to store, manage and process data, rather than a local server or a personal computer.”
The regulator says it sees “no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules”.
Risk management issues are at the heart of much of the guidance. If a firm outsources to the cloud, who determines how the service is provided – the authorised firm or the cloud provider? In these circumstances, where is data stored and how secure is it?
As with any other form of outsourcing, the authorised firm can never delegate responsibility for compliance to a third party service provider. The FCA will always hold the authorised firm accountable for the failings of third parties which it uses.
Firms must inform the FCA whenever they enter into an outsourcing arrangement which meets the regulator’s definition of either ‘critical’ or ‘material’.
According to the guidance document, “an operational function is regarded as critical or important if a defect or failure in its performance would materially impair the continuing compliance of a common platform firm with the conditions and obligations of its authorisation, its other obligations under the regulatory system, its financial performance, or the soundness or continuity of its relevant services and activities”.
Material outsourcing is “outsourcing services of such importance that weakness or failure of the services would cast serious doubt upon the firm’s continuing satisfaction of the threshold conditions or compliance with the Principles for Businesses”.
Some of the many factors the FCA says firms should consider when outsourcing include:
• Is there a genuine business case for outsourcing the function?
• Sufficient due diligence should be carried out on the third party to ensure that any decision to outsource would not increase the level of operational risk the authorised firm is exposed to.
• The risks the firm identifies must be documented, together with details of how these risks will be mitigated.
• There must be a detailed formal written contract in place with the third party, setting out what the third party is expected to do and where the responsibilities of the authorised firm and the outsourcing provider begin and end.
• Whether UK law or the law of any other state will apply to the outsourcing agreement.
• The contract with the third party must cover the issue of who is responsible for rectifying breaches and other adverse events.
• The authorised firm must have a ‘data residency policy’ with the outsourcing provider, which explains in which jurisdictions the firm’s data can be stored, processed and managed.
• A senior individual should be assigned responsibility for monitoring the performance of the outsourcing provider on a day-to-day basis, and this should be someone with the skills and experience to carry this out effectively.
• The third party should allow the authorised firm access to its business premises, with reasonable notice, to allow the authorised firm to carry out its monitoring activities. The right of access should also be extended to the FCA or another regulator if necessary.
• What would happen if the outsourcing provider failed, or was unable to carry out the outsourced function at any time due to a business continuity issue?
• What is the authorised firm’s exit plan should it wish to end the arrangement?
The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.