Guidance for firms outsourcing to the ‘Cloud’ and other third-party IT services
The Financial Conduct Authority last year published its FCA Cloud Guidance to help firms meet regulatory obligations when outsourcing their IT systems. The guidance was produced because it was felt that uncertainty about “Cloud” was acting as a barrier to using cloud services and thereby stifling innovation and competition.
The good news is that the crux of the FCA Cloud Guidance is that there is no reason not to use cloud services as long as firms still comply with regulation. The FCA want firms to be able to outsource to innovate as long as risks are identified and managed.
This is an opportunity for cloud service providers, especially the independent providers who are able to be flexible in their approach and in their contractual arrangements in order to help firms meet the FCA Cloud Guidance.
This article is written from the standpoint of a cloud service provider to provide some advice and ideas to firms to help with their due diligence when preparing to outsource their IT systems; although it’s worth mentioning that the FCA Cloud Guidance equally applies to firms outsourcing their IT systems to third-party providers even where the systems remain on premises and aren’t cloud based.
The FCA Cloud Guidance
The guidance is split into 13 areas that firms should consider in relation to cloud and third-party IT services. These are included below along with ideas, suggestions or advice about how firms can work with their service provider to help comply with regulations.
Legal and Regulatory Considerations
This section is all about the contract that will be in place between the firm and the Service Provider.
- The first step would be to review the standard Terms and Conditions and also Service Level Agreement given by the provider rather than reinventing the wheel. Any areas of doubt should be clarified with the provider.
- If the standard T&C don’t meet your specific needs, discuss with the provider any additional clauses you feel should be in place to see if the provider is willing or able to comply with these. Most providers would be happy to accept changes to the contract, particularly if they apply to bespoke services being provided for your firm.
- The FCA Cloud Guidance speaks a lot about Jurisdiction, i.e. what laws govern the provider or the location of their data centres. Simple advice here: if in any doubt, use a UK provider with data centres based only in the UK.
As with many of the guidelines, work with your intended provider to identify risks. A good provider will understand the specific obligations of firms regulated by the FCA and be keen to help you complete your due diligence:
- Create a risk register and discuss with the provider how they and you can mitigate those risks.
- Just as important, define your contingency plans should the risks materialise. For example, backing up data should be standard for any provider, but it is, of course, a mitigation measure to reduce the likelihood of the risk of data loss. You need to ask your provider to work with you to test that you can restore data or entire systems.
- Importantly, you can accept some risks as long as you have contingency plans in place. So, for example, if you are not satisfied that the backups offer sufficient protection, consider keeping additional backups with another provider.
- When discussing risks with your provider, clearly identify who is responsible for managing those risks or mitigation measures.
- If there are legal and regulatory risks because the provider or data centres are in different jurisdictional locations then consider using a UK only provider. The UK has some of the most experienced cloud computing providers in the world. Why go elsewhere?
- As above, review contracts to ensure risks are managed to your needs and if necessary add your own clause or draft your own contract. If the service provider is not willing to sign up to it, find a different provider.
For service providers, compliance with international standards means they can demonstrate to firms that they already have in place most of the controls, policies and procedures that the firms need for FCA compliance.
- Look for providers that are certified for ISO 27001 Information Security Management System. Ask to see their latest certificate.
- Some providers will advertise that they operate from ISO 27001 certified data centres, but it is important to ensure that the providers themselves are certified, as in most cases the data centres are owned and managed by another party.
- Test some of these controls, for example the security in the data centre.
Oversight of Service Provider
The FCA outsourcing guidance reiterates that firms retain full accountability for their regulatory responsibility and cannot delegate that responsibility to a third-party.
- Appoint someone who will be responsible for managing the service provider.
- Ideally train staff to test the outsourced activities against the risks identified before.
You need to know where your data is held and how it is being managed. Ask your provider to explain the architecture of their platform, where it is and whether any other parties are involved.
- If in doubt about jurisdiction, insist data is only held in the UK.
- Take advantage of their ISO 27001 policies to identify how your data will be stored, processed and managed.
- As part of your due diligence ask the provider to give details on how your data is being secured, especially in public cloud scenarios.
Data Protection Act
These are separate requirements from the FCA outsourcing guidance but again you can look to a UK provider with ISO 27001 certification to get assurance that they will comply with the DPA.
Effective Access to Data
From an FCA outsourcing perspective, data isn’t just your documents or database type data; it can also include system logs and audit trails.
If you need access to logs and audit trails discuss this with your intended provider before going live as they may not keep or archive this data by default. However, they should be willing to put in place processes to do this if needed.
Other things to consider include:
- Request procedures for things like HR vetting.
- In your contract, request that the provider is willing to allow auditors or regulators to request data.
- You should have unfettered access to your data.
Access to Business Premises
Some of the larger cloud providers may not allow access to their data centres by potential customers, but the data centre is where it all happens, so you want to be able to assess for yourself that the security and resilience measures meet your requirements. If in doubt, choose a provider who is willing to show you round their data centre.
While the technical stuff happens at the data centre it is equally important that the provider’s offices also comply with security policies; restricted access to premises, locked filing cabinets, locking screens when away from desks for example.
Ensure with the provider that regulators and auditors can also have access.
Relationship between Service Providers
No service provider works in isolation and all will rely on other parties to a greater or lesser extent, even if it is only to provide Internet access. Keep things simple and work with a provider who owns all their own equipment, servers, networking, firewalls etc.
Other things to check are:
- Many providers will use a third-party data centre; this is common practice, especially for independent providers, as it gives the economies of scale that keep cloud computing costs low. However, check that the data centre is also ISO 27001 certified.
- Also independently check what the data centre’s security and resilience measures are, particularly in terms of physical security, fire prevention and detection, flood prevention and power resilience.
- Every cloud service provider will rely on third-party Internet providers, and with the Internet, by its very nature, it is impossible to know where the data is travelling and on whose infrastructure. To mitigate this risk, make sure the communication over the Internet is encrypted in transit using TLS (SSL) certificates, i.e. you’re connecting using an https:// address.
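An added example, not from the article or the provider it describes, of the check behind that last point: Python's default TLS context verifies the provider's certificate chain and hostname when connecting, and the evaluation function then reports SAN coverage of the hostname and the days left before expiry, which is what a due-diligence reviewer records. The hostnames, certificate dictionary and timestamp below are constructed.

```python
# Added example (not from the article): due-diligence checks on a provider's
# HTTPS endpoint. Sample certificate, hostnames and timestamp are constructed.
import socket
import ssl

def fetch_peer_cert(host, port=443, timeout=5):
    """Connect with verification on (chain and hostname) and return the peer cert dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def hostname_covered(cert, host):
    """True if a DNS SAN matches host exactly or via a single-label wildcard."""
    host = host.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False

def evaluate_peer_cert(cert, host, now_ts, warn_days=30):
    """Findings a reviewer should raise before accepting the endpoint."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now_ts) // 86400)
    hostname_ok = hostname_covered(cert, host)
    findings = []
    if not hostname_ok:
        findings.append(f"certificate does not cover {host}")
    if now_ts < not_before:
        findings.append("certificate is not yet valid")
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < warn_days:
        findings.append(f"certificate expires in {days_left} days")
    return {"hostname_ok": hostname_ok, "days_left": days_left, "findings": findings}

SAMPLE_CERT = {  # constructed, shaped like ssl.SSLSocket.getpeercert() output
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Mar 01 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "portal.example-provider.co.uk"),
                       ("DNS", "*.example-provider.co.uk")),
}
SAMPLE_NOW_TS = ssl.cert_time_to_seconds("Feb 14 00:00:00 2025 GMT")  # 15 days before expiry
```

Against a live endpoint, pass the result of `fetch_peer_cert(host)` and `time.time()` to `evaluate_peer_cert`; a verification failure raises from the library before any evaluation happens.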
Changes to any systems are especially risky so choose a service provider who can help and support you with any changes. Ask up front if they are willing to provide test servers or assist with application or data migrations.
Many larger cloud service providers will rely on you providing the technical expertise so consider a provider who can also provide technical consultancy rather than just providing servers in a rack.
Continuity and Business Planning
This is all about the “unforeseen interruption to the outsourced services”. The important thing to remember is that there will inevitably be occasions where the services are interrupted. This may be due to things outside of the control of the provider such as your local Internet service, or just as easily some failure of hardware or software where the fault tolerant systems don’t kick in for some reason.
You will need contingency plans for when the service is interrupted which you should test before you go live and regularly afterwards. Also make sure your provider offers a service level guarantee of something over 99% as this will give them a financial incentive to fix problems as quickly as possible.
How to deal with service providers so that there are no barriers to the resolution or orderly wind-down of a firm.
The same advice applies to firms as it would to consumers: if the firm is in financial difficulty, talk to the service provider and agree a way forward. It may be worth drafting something into the contract to deal with resolution upfront. Service Providers will be within their rights to cut you off from your data if you breach the contract, e.g. by not paying bills, so talk to them and agree an outcome that is acceptable to both parties.
There can be many reasons why a firm may need to exit an outsourcing agreement. Look for a service provider that doesn’t tie you in to long term contracts.
Check your contract or Terms and Conditions to see how much notice you need to give and ensure you can access and back up your data before service is terminated.
Discuss in advance how you can remove your data.
Also it is important to have contingency plans in place should the provider go into administration.
This is just a summary of the FCA Cloud Guidance and thoughts on some of the things you can do to meet the regulatory obligations. Probably the single most important suggestion would be to find a provider who understands FCA outsourcing rules, who is willing to spend the time helping you with your due diligence, providing answers to your questions, and who is amenable to changing contracts. Sometimes this may mean looking to independent cloud providers rather than the household names.
Contact Your Office Anywhere
Your Office Anywhere is the trading name of Cardium Outsourcing Ltd and has been providing cloud hosted services to financial and other regulated industries for over 10 years, as well as IT consultancy to the same for over 20 years.
Your Office Anywhere provide a secure and resilient bespoke hosted remote desktop solution that enables companies to take advantage of cloud computing regardless of the applications and systems they use. To discuss your specific requirements or any questions regarding how we can help with FCA compliance please call us on 01282 500318 or fill out our online contact form and we will be in touch shortly.