FCA Guidance for Outsourcing to the 'cloud' and other third party IT Services
Introduction
On 7th July 2016, the Financial Conduct Authority (“FCA”), the primary regulator in the UK for financial services organisations, published some guidance to clarify the requirements for regulated businesses (“Firms”) when outsourcing to the ‘cloud’ and other third party IT services (“FCA Guidance”). The FCA Guidance can be found here.
The FCA Guidance is not legally binding. However, Firms are expected to take note of it and, where appropriate, use it to inform their systems and controls on outsourcing. The FCA has said that complying with the FCA Guidance will generally indicate compliance with the applicable FCA rule. In practice therefore Firms will, we believe, treat compliance with the FCA Guidance as being mandatory even though some aspects of the required standard are still uncertain.
Who does the FCA Guidance affect?
The FCA Guidance will be of particular interest to:
- Firms interested in outsourcing to the cloud and considering other third party IT services agreements; and
- third party IT service providers, including cloud service providers, seeking to provide services to customers in the financial services sector.
What does the FCA mean by ‘cloud’ and ‘outsourcing’?
The FCA sees the ‘cloud’ as encompassing a range of IT services provided in various formats over the internet including private, public or hybrid cloud, as well as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
Where a third party delivers services on behalf of a regulated Firm, including a cloud service provider, this is considered ‘outsourcing’.
The FCA Guidance itself
Set out below are extracts from the FCA Guidance which are perhaps of most relevance to provisions of any potential contract for cloud services. Our comments are in italics.
Area | FCA notes for Firms |
Legal and regulatory considerations | Firms should:
- know which jurisdictions the service provider’s business premises are located in (including all locations from which data may be accessed) and how that affects the Firm’s outsourcing arrangements. Firms may wish to consider placing limitations on countries from which the service may be provided and potentially reserve the right to object to any changes or to require changes if political circumstances in a particular country change adversely, thereby increasing risk; - identify all service providers related to the regulated activity being provided in the supply chain and ensure that the regulatory requirements on the Firm can be complied with throughout the supply chain; - monitor ‘concentration risk’ (ie the risk presented by many competitors using the same service provider and technology) and consider what action it would take if the Firm’s service provider failed. |
Oversight of service provider and data security
|
Firms should: - be clear about the service being provided and where responsibility and accountability between the Firm and its service provider begins and ends; - consider how data will be segregated (if using a public cloud); - take appropriate steps to mitigate security risks so that the Firm’s overall security exposure is acceptable; - consider data sensitivity and how the data is transmitted, stored and encrypted, where necessary; - follow the Guidance on the use of cloud computing from the Information Commissioner’s Office (“ICO”); - where relevant, also consult the ICO’s Guidance on sending personal data outside the European Economic Area; - comply with the Data Protection Act 1998 (“DPA”). Although not set out in the FCA Guidance, note in particular:
|
Effective access to data
|
Firms should ensure that: - notification requirements on accessing data are reasonable and not overly restrictive; - there are no restrictions on the number of requests the Firm, its auditor or the regulator can make to access or receive data; - ensure that data is not stored in jurisdictions that may inhibit effective access to data for UK regulators. |
Access to business premises/rights of audit
|
Firms should ensure that: - contracts allow for access by the Firm, including physical assess, to business premises which are relevant for the exercise of effective oversight of the service provider. This right should not be restricted. Such access does not necessarily include access to all business premises but may include head offices and operations centres. Service providers may, for legitimate security reasons, limit access to some sites – such as data centres. However, the business premises most likely to be relevant to the exercise of effective oversight will be the service provider’s data centre(s), many of which will be used for several customers who will all want to ensure their data is secure. It has been suggested this could therefore be onerous and impractical for the service provider to comply with but the FCA does not consider it appropriate to seek to narrow the scope of this requirement and by specifying a Firm should be able to request an ‘onsite’ visit, the FCA does not appear to be willing to accept remote access to data as meeting the regulatory duty. So providing physical access to data centres could well be a contentious issue to resolve when negotiating contract terms;- regulator access to the service provider’s premises is permitted if the regulator deems it necessary and it is required under applicable legal and regulatory requirements. Note: - A Firm can be required to provide reasonable prior written notice of a visit but not when there is an emergency or crisis situation (ie notice cannot be required in all circumstances). - A Firm may elect for its auditor to undertake the visit. This must not be an auditor appointed by the service provider. Service providers can make sure that they reserve the right to object to the identity of the auditor on reasonable grounds. - The service provider should commit to cooperate with the reasonable requests of the regulator during such a visit. - The regulator can commit to visits occurring during business hours and at a time specified by the service provider or with reasonable notice, except in an emergency or crisis situation. - The regulator should be permitted to view the provision of services to the Firm. - The regulator can commit to minimising disruption to the service provider’s operations. - The FCA Guidance does not contain the same provision as in the ICO’s Guidance referred to above regarding a single independent audit organised by the service provider. However, even if it did, it is likely (given the broad nature of the statements above and the lack of clarity over the inter-relationship between the FCA Guidance and that from the ICO), that the Firm would still want to reserve additional audit rights both for itself and its regulators where ‘necessary’, particularly in an ‘emergency or crisis’ (eg if it has suspicions about a loss of, or unauthorised access to, data). |
Continuity and business planning
|
Firms should: - document their strategy for maintaining continuity of their operations, including recovery from an event, and their plans for communicating and regularly testing the adequacy and effectiveness of this strategy; - regularly update and test arrangements to ensure their effectiveness; - put in place arrangements to ensure the regulator has access to data in the event of insolvency or other disruption. Note: In practice this means that similar obligations must be imposed in contracts with service providers. There must also be a commitment from service providers to update and test their business continuity plans relevant to the services in issue (and report back to the Firm on the outcome of such tests) on a regular basis. |
Resolution (where applicable)
|
The ‘resolution’ regime applies when a Firm is failing (ie insolvent) or is likely to fail. Assessment of this is made by the FCA. The Bank of England has a framework available to it to ‘resolve’ failing Firms. This includes using so-called ‘stabilisation powers’ which could mean that part or all of the business of a Firm could be compulsorily transferred to a solvent third party. For Firms where stabilisation powers may be applied, the service provider:- and any subcontractor should agree that neither the entry into ‘resolution’ nor a subsequent change in control arising from the Firm’s entry into ‘resolution’ will constitute a termination event; - should agree to continue to provide services to the Firm (or such other entity as necessary) for an appropriate transitional period following the ‘resolution’. Note: Effectively these provisions place a constraint on the ability of a service provider to object in such circumstances to an assignment or to seek to terminate the contract early. Presumably the intent is that the service provider would be limited to a claim for damages. It is unclear what an ‘appropriate’ transitional period might be but arguably in most cases we suspect it would be at least six months. Presumably any contract could provide for the service provider to be able to claim any additional costs it incurs as a result of any such change or assignment. |
Exit plan
|
Firms should: - ensure that they are able to exit outsourcing plans, should they wish to, without undue disruption to their provision of services or their compliance with the regulatory regime; - have exit plans and termination arrangements that are understood, documented and fully tested; - know how they would transition to an alternative service provider and maintain business continuity; - have a specific obligation on the service provider to cooperate fully with both the Firm and any new service provider(s) to ensure there is a smooth transition; - know how they would remove data from the service provider’s systems on exit. Note: A contractual requirement on the service provider to develop an exit plan at an early stage in the contractual relationship and update the same periodically is not untypical. Presumably any contract could entitle the service provider to compensation for any time spent providing co-operation. |
Why is the FCA Guidance relevant to service providers?
Service providers need to understand that their customers who are Firms are subject to the regulatory regime established by the FCA Guidance which is ultimately to protect their end-user customers. Whilst Firms will retain full responsibility and accountability for their regulatory obligations and these cannot be delegated to third parties, they will look to ensure regulatory compliance by adequately flowing down these obligations to their service providers by including corresponding provisions in their contracts. However, the terms of many service providers’ standard agreements will be far removed from these corresponding provisions, which will not routinely offer the required access to data and premises and audit rights, for example.
Service providers who wish to supply cloud services to Firms therefore need to be cognisant of the regulatory background, what provisions they will be asked to accept and appreciate that Firms have little flexibility when complying with the FCA Guidance. Negotiating agreements in this area to fulfil both parties’ expectations is likely to be more complicated and time-consuming than previously but knowledge of the FCA Guidance will help service providers understand the reasons why Firms request certain changes, or require additional provisions to be added, to their contract terms.
28th September 2016