The FCA recently published an updated version of the guidance it issued to firms in July 2016 on outsourcing to the cloud. The guidance identifies areas that firms should take into account when appointing cloud service providers and using other third-party IT services.
The revised guidance, FG 16/5 Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services (the FCA Guidance), can be found here.
The release of the updated FCA Guidance follows the publication of the European Banking Authority (EBA) ‘Final Report – Recommendations on outsourcing to cloud service providers’ which applies to ‘credit institutions, investment firms and competent authorities’. The Final Report can be found here. Although the EBA’s Final Report was issued in December 2017, the EBA’s recommendations took effect on 1 July 2018.
FCA Guidance – What is new?
- Application: The FCA has confirmed that the FCA Guidance does not apply to a bank, building society, designated investment firm or IFPRU investment firm to whom the EBA recommendations apply. The FCA Guidance, however, remains applicable to all other firms authorised under FSMA.
- Regulatory Requirements: The FCA Guidance reminds firms of the relatively new regulatory requirements on outsourcing to be found in the MiFID Org Regulation (Commission Delegated Regulation (EU) 2017/565).
The FCA Guidance points out that, whilst SYSC 8.18R(9) on access to data and business premises applies to UCITS investment firms, the FCA has extended parts of the MiFID Org Regulation to common platform firms. This includes Article 31(2)(i), which requires investment firms, their auditors and relevant competent authorities to have effective access to data related to outsourced functions and, where necessary, to the relevant business premises of the service provider; competent authorities must be able to exercise those access rights.
- Data Protection: The FCA Guidance has also been updated to refer to the General Data Protection Regulation and the Data Protection Act 2018 which came into force in May 2018.
EBA Recommendations on cloud outsourcing
The EBA’s recommendations, which take account of the Committee of European Banking Supervisors (CEBS) 2006 guidelines on outsourcing, apply to “institutions” as defined in point 3 of Article 4(1) of Regulation No. 575/2013 on prudential requirements for credit institutions and investment firms.
The recommendations cover the following eight areas:
1. Materiality assessment: Firms should consider the activities being outsourced and the importance of these activities to the functioning of the business. For example:
- Are they critical to the viability of the business?
- What would be the impact of a data breach for customers?
2. Duty to adequately inform supervisors: Firms must inform the relevant competent authority, such as the FCA or PRA, of material activities that are outsourced. Firms should also maintain a register of all activities outsourced to the cloud. The recommendations set out details of the relevant information required.
3. Access and audit rights: Firms should ensure they have contractual arrangements in place which allow them, their auditors and competent authorities, to gain access to cloud service providers’ business premises for the purpose of inspecting and auditing the provision of the outsourced services. Firms should also ensure that such rights are not restricted by contract.
4. Right of access: Contracts should allow for a right of access to be exercised within a reasonable period of time, except where an emergency or crisis has not allowed prior notification, whilst the service provider must fully cooperate with any party exercising its right of access.
5. Security of data and systems: Selecting a potential service provider will require careful consideration of the risks to data and systems.
6. Location of data and data processing: The recommendations caution firms about engaging service providers whose outsourcing arrangements take place outwith the EEA due to the data protection risks and supervisory obstacles involved. Firms should consider what legal enforcement provisions exist in the country where the outsourcing will take place and the implications this has for risk and supervision.
7. Chain outsourcing: Subcontracting by a service provider adds complexity to the outsourcing process and may increase the risk of engaging an outsourcer. The recommendations emphasise:
- Subcontractors should be bound to the same obligations as exist between a firm and the service provider;
- A firm’s contractual arrangement with a service provider should specify the types of activities excluded from the scope of subcontracting whilst full responsibility for the integrity and provision of the outsourcing process remains with the service provider; and
- Firms should have the right to terminate should a service provider propose changes to a subcontractor or subcontracted services that would have an adverse effect on risk.
8. Contingency and exit strategies: Ensuring the continuity of a firm’s operations and the services provided to customers is a vital consideration in the outsourcing decision-making process. Firms should develop and document exit plans for the eventuality of a service provider’s failure. It is also important to consider how a firm will be able to manage the impact of potential service disruption on its business. Contractual termination and exit management clauses which allow the outsourced activities to be transferred to another service provider could be vital to ensuring the ongoing delivery of those services.
The EBA, which replaced the CEBS, also recently issued draft Guidelines on Outsourcing arrangements. These draft guidelines will be covered in our next update.