LATE last year the Financial Conduct Authority (FCA) published its proposed guidance for regulated financial services firms outsourcing IT services to the cloud, writes Robbie Darling.
Firms have been asked for their responses and the period for submitting those responses ends on 12 February.
The proposed guidance does not contain anything particularly ground-breaking (or “innovative”, to use an FCA-approved buzzword). However, it does mark the FCA’s first attempt to formally clarify its general position on the use of cloud-based services. It also indicates that the FCA accepts that cloud-based services are now a fixture of the financial services landscape.
Let’s assume the final published guidance will be broadly similar to the proposed guidance. What will be the likely impact of the FCA’s approach? Well, it’s cloudy.
The key message of the proposed guidance is that the use of a cloud service is, in the FCA’s eyes, similar to any other form of outsourcing. This means that the well-established FCA rules and guidance on outsourcing will apply to firms which use cloud services. The FCA’s requirements for outsourcing (which will be familiar to regulated firms and outsourcing providers alike) are focussed on risk management; due diligence; control and monitoring; access to data and exit planning.
It may seem obvious that cloud services should be treated in the same manner as any other form of outsourcing. However, the nature of cloud services (and the way in which the market has developed) means that not all of the contractual protections found in, say, a contract for managed IT services are considered standard in a contract for cloud services. This creates a gap between how the proposed guidance wants firms to comply with FCA requirements and how cloud providers (some of whom may not have extensive experience dealing with regulated firms) deliver their services.
For example, the proposed guidance emphasises that firms using cloud services should ensure:
• effective access to data and the cloud provider’s business premises (for both auditors and the FCA); and
• exit plans are in place, including obligations for the provider to co-operate with transition.
These are just two areas in which negotiations with a cloud service provider are likely to proceed in a very different manner to similar negotiations with a traditional outsourcing provider. Practical monitoring of data flows and location of service provision (both matters on the FCA’s radar) are also likely to be a difficult fit with cloud services.
FCA guidance is not strictly binding on firms but following the guidance is seen as the best indicator that a firm is complying with FCA guidelines. So does this mean that the guidance will give weight to regulated firms seeking greater protections in cloud agreements? Or will cloud providers resist, citing incompatibilities between their business models and the requirements? It remains to be seen but I’d wager that any significant change in the contracting model for cloud services will take time.
The final guidance is awaited. Whatever the content, it is at least clear that the FCA has recognised the importance of the cloud.
• Robbie Darling is a senior solicitor with Burness Paull (burnesspaull.com).