FCA guidance on outsourcing to the ‘cloud’ and other third party IT services 16/15

22nd August 2016

Introduction

This bulletin will focus on the FCA’s recent guidance on firms outsourcing to the ‘cloud’ and other third-party IT services.

Who it affects

  • Firms that are currently outsourcing to the cloud and other third party IT services
  • Firms that are considering outsourcing to the cloud and other third party IT services

The aim here is to advise firms and service providers that are considering, or currently engaged in, outsourcing to the ‘cloud’ and other third party IT services on the FCA’s main expectations and requirements. The FCA defines outsourcing as a third party delivering services on behalf of regulated firms, and the term ‘cloud’ covers a range of different IT services delivered over the internet. A firm may choose to use a third party provider for many reasons, including cost efficiency, a more flexible infrastructure and increased security. The FCA has recognised the benefits of these services as a mechanism to promote effective competition.

However, the key issue to note is that the service also brings associated risks. The FCA is therefore keen to ensure that firms strike a balance between their ability to outsource to innovative, developing areas and the need to ensure that risks are appropriately identified. One way in which this is done is by the firm appropriately identifying, monitoring and mitigating risk as far as possible. It is also important to ensure that the service offered is suitable for the firm and its customers.

The following is a summary of the FCA’s recommended approach to outsourcing to the cloud and other third party services.

The FCA’s current regulatory requirements

The current requirements on outsourcing are detailed in the FCA’s Senior Management Arrangements, Systems and Controls Sourcebook (SYSC). They largely address the concerns noted above about identifying and managing risks, taking into account the nature, scale and complexity of a firm’s operations.

Different types of requirements may also apply to different types of firms and to the type of function being outsourced. The function may be:

1) Critical or Important: This is when a defect or failure in the outsourcer’s performance would impair the continuing compliance of a firm, including the conditions of its authorisation, its obligations under the regulatory system, its financial performance and the soundness of its relevant services and activities. This definition is set out in SYSC 8.1.4R.

2) Material Outsourcing: This is when the outsourced services are of such importance that weakness or failure of the service would cast serious doubt upon the firm’s continuing satisfaction of the threshold conditions or its compliance with the Principles for Businesses found in PRIN.

3) Important operational functions: This relates specifically to authorised Electronic Money Institutions and authorised Payment Institutions. An operational function is considered important if a defect or failure in its performance would materially impair:

  • The authorised institution’s compliance with Regulations and any requirements of its authorisation
  • The financial performance of the authorised institution
  • The soundness or continuity of the authorised institution

These requirements can be found in the Electronic Money Regulations 2011 and the Payment Services Regulations 2009.

The FCA’s guidance: Outsourcing Life cycle

When considering the FCA’s guidance, it is useful for a firm to oversee all aspects of its outsourcing as a life cycle in order to appropriately identify, monitor and mitigate risk. The life cycle consists of four crucial stages:

1. Making the Decision to Outsource

Before acceptance, the firm should review the contract of the outsource provider to ensure that it complies with the FCA’s legal and regulatory requirements. The firm should:

  • Have a clear and documented rationale in support of the decision to outsource and ensure that the provider is suitable for the firm.
  • Conduct due diligence by assessing the various risk factors. This includes ensuring that the outsourcing agreement would not worsen the firm’s operational risk, and considering the relative risks of using one type of service over another (for example, public versus private cloud).
  • Have sufficient information on the service provider, including which jurisdiction the service provider is located in and whether the contract with the service provider would be subject to the law and jurisdiction of the United Kingdom. The firm should also identify all the service providers in the supply chain and ensure that the requirements on the firm can be complied with throughout the supply chain.

A firm should also be aware that it retains full accountability for discharging all of its responsibilities under the regulatory system and cannot delegate that responsibility to the service provider. Therefore, before outsourcing, a firm should:

  • Be clear about the service being provided and where responsibility and accountability between the firm and the service provider begins and ends.
  • Allocate day-to-day responsibility and strategic management for the outsourcing arrangement. Staff should have the skills, competency and resources to oversee, monitor and mitigate any risks, and arrangements for dispute resolution should be in place. They should also be able to manage exiting from, or transferring away from, the existing service provider.

If the firm will not directly contract with the outsource provider, it still needs to ensure that it continues to comply with regulatory requirements. A firm should:

  • Review subcontracting arrangements, consider security requirements and ensure that it will still have effective access to data and to the business premises.
  • Consider whether the firm or the service provider will take the lead systems integration role and how easily the firm’s internal systems or other third party systems will interface with the outsourcing provider’s services.

2. Selecting an Outsourcing Provider

A key part of selecting the right outsourcing provider is adequate risk identification and management. A firm should:

  • Carry out a risk assessment and document the process. The risk assessment can include identifying current industry good practice and reviewing whether legal and regulatory risks differ because customers, firms and employees are in different geographic locations or jurisdictions.
  • Assess the overall operational risks and ensure that contracts provide for the remediation of breaches or other events.

A firm may also wish to assess the provider’s adherence to international standards. For example:

  • Whether the provider complies with well understood standards (e.g. the ISO 27000 series)
  • Whether the part of the service assessed is relatively stable and the service is the same across the customer base (not bespoke to the outsourcing firm)

More importantly, the firm should conduct a data security assessment of the service provider. This includes:

  • Understanding the provider’s data loss and breach notification processes and ensuring they are aligned with the firm’s risk appetite and legal or regulatory obligations.
  • Considering how the data will be segregated, transmitted, stored and encrypted as necessary.
  • Upon commencing a relationship, agreeing on a data residency policy which sets out the jurisdictions in which the firm’s data can be stored, processed and managed. This should then be reviewed periodically.

3. Adequately Monitoring Outsourcing Activities

In order to effectively and efficiently monitor outsourcing activities, firms should:

  • Comply with the eight principles of the Data Protection Act 1998 and the Information Commissioner’s Office guidance on cloud computing.
  • Have an effective change management process, as risks can be introduced when changes are made to processes and procedures. This includes having a system for testing changes and provisions for making future changes.
  • Have arrangements in place to ensure that regulatory requirements are still met in the event of an unforeseen interruption of the outsourced activity. This includes regularly updating and testing those arrangements, documenting the strategy for continuity of operations and ensuring that the regulator has access to the data in the event of any other disruption or insolvency.

More importantly, a firm should have effective access to data and the business premises of the service provider in order to successfully conduct its monitoring. This includes:

  • Ensuring that notice requirements for accessing data are reasonable, that there are no restrictions on requests from the firm, its auditor or the regulator to access or receive data, and that data is not stored in jurisdictions that inhibit effective access for UK regulators.
  • The firm or its auditor should be able to contact the service provider where the provider cannot disclose data for any reason. The firm should also advise the provider that the regulator will treat information confidentially under its obligations in FSMA, rather than signing a non-disclosure agreement.
  • When a firm accesses the business premises it should give reasonable prior notice, and it may elect its auditor to undertake the visit. The regulator should also have access to the premises; the regulator will only seek access where it considers this necessary, and the outsource provider should cooperate.

4. Exit

It is important for firms to have an effective exit plan in order to minimise disruption of services and still be able to comply with regulations.  Firms should:

  • Know how they would transition to another provider whilst maintaining business continuity, know exactly how data will be removed from the outsourcer’s systems, monitor concentration risk and have a plan in case the outsource provider fails.
  • Have clearly documented exit and termination arrangements and ensure that the outsourcer is aware of its obligation to cooperate fully with the firm and with any new outsourcer for a smooth transition.
  • Ensure that the outsource provider does not disrupt the resolution or orderly wind-down of the firm. The outsourcing provider should also agree not to delete, revoke, alter or change any data for an agreed transitional period following the resolution.
  • In the case of a firm subject to insolvency procedures, appropriate service procedures should be set up to support the return of the firm’s deposits or client assets.

Conclusion

It is important to note that the guidance above is not binding; it sets out guidance on how firms can comply with the rules, namely the FCA’s regulatory requirements. Firms should therefore consider this guidance alongside their overarching obligations under the regulatory system. That said, following this guidance will certainly indicate that a firm has taken the right steps towards complying with the relevant FCA outsourcing requirements.

Next Steps

Firms that are considering outsourcing should refer to these guidelines and understand which type of function, as defined in the FCA regulations outlined above, is being outsourced.

Firms that are currently outsourcing should align their existing procedures with these guidelines to ensure that all risks are adequately identified, mitigated and monitored.

As always, please contact a member of the CPA Compliance team if you have any queries.

© CPA Audit LLP. First edition, 08/2016