Cloud outsourcing for regulated entities

The Financial Conduct Authority recently issued proposed guidance for financial services firms considering entering into contracts with providers of cloud-based services and other third party IT services.

This brief article will be of relevance to (1) regulated financial services firms; and (2) providers of cloud-based services to those firms.

The Financial Conduct Authority (FCA) recently issued proposed guidance for financial services firms considering entering into contracts with providers of cloud-based services and other third party IT services. The consultation will end on 12 February 2016.

The guidance recognizes that “uncertainty may be acting as a barrier to firms using the cloud”, and is intended to assist firms to balance the tension between service delivery innovation (off-premise shifting) on the one hand, and regulatory pressure, on the other.

The FCA has clarified that “complying with [the] guidance will generally indicate compliance with the aspects of the FCA rule…to which the guidance relates…”  It is intended to complement existing rules incumbent on regulated firms, including the SYSC and PRA rules.

It is not within the scope of the note to consider the guidance in its entirety; rather, we set out briefly some key aspects you will need to consider.

1. Documented business case. Firms should have a clear and documented business case for placing services in the cloud. This should sit alongside a more general outsourcing policy, and form an integral part of the decision-making process.
2. Public v private. Where financial services firms have deployed third party cloud services (a big cultural shift in itself from legacy in-house systems), they have traditionally opted for private cloud, for reasons of perceived enhanced security. The guidance clarifies that firms must “consider the relative risks of using one type of service over another e.g. public versus private cloud.” It will be interesting to see whether firms opt to place more core services in the public cloud in the near future.
3. Data residency. Firms should have data residency policies in place, setting out where data, including personal data, is permitted to be stored. Contracts should be consistent with those residency rules.
4. Data segregation. Together with data residency, firms must consider how their data will be segregated, for example on shared servers in public clouds.
5. Access to data. The guidance states that there must be “no restrictions on the number of requests the firm, its auditor or the regulator can make to access or receive data”. Firms must take care that access to data is separate from periodic audits, where access to business premises may be required (see below).
6. Access to business premises. The guidance recognizes that existing rules (for example, SYSC 8.1.8(9)) mandate physical access to business premises for regulated firms, their auditors and regulators. The guidance notes that  “business premises” is a broad term, and the contract should stipulate the premises to which access is needed, in order to ensure the exercise of effective oversight. Specifically, it notes that “service providers may, for legitimate security reasons, limit access to some sites – such as data centres.”
7. No NDAs for the FCA. Many outsourcing contracts have traditionally permitted access to data to third parties only where such third parties enter into non-disclosure agreements (NDAs) with the provider. One – perhaps unintended – consequence of this type of clause has been that the FCA has been asked to enter into NDAs, creating binding contractual relationships with service providers, breach of which could give rise to an actionable claim. Outsourcing contracts should reflect that the FCA has stated that it will not enter into NDAs; rather, the provider can rest assured that information will be treated as confidential by the FCA in accordance with its statutory obligations.
8. Contingency. Aside from a prudent business continuity / disaster recovery arrangement, firms will be required to “monitor concentration risk and consider what action [they] would take if the outsource provider failed”. This sits alongside strengthened exit obligations.
9. Standards. Firms should consider the accreditation of providers, for example, ISO 27000 standards. Many firms already require accreditation as a gateway in tendering processes.
10. Interaction with other data protection legislation. The guidance must be read in conjunction with the current data protection uncertainty: for example, the Schrems case, Safe Harbor, Safe Harbor II, the General Data Protection Regulation and recent announcements by both Amazon (ref. AWS) and Microsoft (ref. Azure) of ring-fenced UK-located data centres to be commissioned and ready in 2016/2017.

The guidance is out for consultation with relevant industry stakeholders. Details of how to respond to the consultation are set out in the guidance itself.