The FCA has published its final “guidance for firms outsourcing to the cloud and other third-party IT services”.
The guidance is generic in two senses: it “aims to help firms and service providers understand [the FCA’s] expectations where firms are using, or are considering using, the cloud and other third-party IT services”. It also includes “areas for firms to consider in outsourcing, including how they should discharge their oversight obligations”. But it is not complete; it will have a different status in the hands of different types of authorised firm; and it cannot be read or relied upon on its own, especially by dual-regulated firms.
The guidance also introduces what might be a third FCA definition of “outsourcing”. In some parts of the FCA’s Handbook, “outsourcing” means “the use of a person to provide customised services to a firm”; whilst in others, it means “an arrangement of any form between a firm and a service provider, by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the firm”. The guidance does not expressly refer to either of these definitions; but it does say that, “It is important to note that where a third party delivers services on behalf of a regulated firm – including a cloud provider – this is considered outsourcing and firms need to consider the relevant regulatory obligations and how they comply with them”. This might sound academic, but it matters in practice. Firms sometimes ask us whether a proposed contract is an “outsourcing contract”; and they do this because the status of the contract will affect its terms. That status can also (a) increase the cost of preparing the contract, and the fees the firm will have to pay under it; and (b) trigger regulatory reporting and other obligations. It is too early to know whether this third definition (if that is what it is) will help with this – or not.
These things aside, the guidance is helpful. In particular, it lists 13 “areas for firms to consider”, and each “area” includes a set of bullet-point issues of its own. The areas are:
- Legal and regulatory considerations
- Risk management
- International standards
- Oversight of service provider
- Data security
- The Data Protection Act
- Effective access to data
- Access to business premises
- Relationship between service providers
- Change management
- Continuity and business planning
- Resolution (where applicable)
- Exit plan