On 7 July 2016, the UK’s Financial Conduct Authority (FCA) issued finalised guidance on authorised UK financial institutions’ use of cloud services. In marked contrast to the approach of some other jurisdictions, this guidance is issued against the policy backdrop of the FCA’s ‘Project Innovate’, an initiative to foster innovation and competition. The FCA say:

“We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules.”

Cloud just another type of outsourcing

The FCA’s guidance makes it clear that wherever a third party delivers services to a regulated firm, that constitutes outsourcing, and so the relevant regulatory obligations apply – in particular appropriate management of risk.

Cloud is a type of outsourcing, so the rules applicable to outsourcing (e.g. see SYSC 8) will apply to cloud. In assessing the applicable rules, key issues to consider include whether the function being outsourced (i.e. supplied from the cloud):

(i) is critical or important;

(ii) constitutes a material outsourcing; and/or

(iii) relates to an important operational function.

Checklist of areas for regulated firms using the cloud to consider

Finally, the FCA guidance provides a helpful checklist (with notes) of areas for regulated firms to consider:

  • Legal and regulatory considerations
  • Risk management
  • International standards
  • Oversight of service provider
  • Data security
  • Data protection
  • Effective access to data
  • Access to business premises
  • Relationship between service providers
  • Change management
  • Continuity and business planning
  • Resolution
  • Exit plan