Aside from a paper last year on 'off-the-shelf' banking solutions, the FCA has not been particularly vocal on information systems and their attendant security in the past. However, with the publication this month of GC15/6, "Proposed guidance for firms outsourcing to the 'cloud' and other third-party IT services", this stance looks set to change.
In this guidance consultation document, the FCA approaches the subject from an outsourcing and due-diligence angle, and has included “other third party IT services” within its scope.
In a world where consumer access to IT services in the cloud through mobile phones, tablets and home PCs is growing fast, expectations of universal access to work resources are also growing. These expectations sit in tension with IT's responsibilities for information security and control.
More and more firms are meeting these requirements through various levels of cloud provision, ranging from full outsourcing, through hybrid solutions, to internal private cloud provision, with smaller, less well-resourced firms tending toward the former.
The FCA states: "the exact form of the service used does not, in itself, alter the regulatory obligations placed on firms". The guidance is primarily concerned with setting out the areas of risk firms should consider when evaluating service provision.
The FCA's primary concerns are that firms may cede more control than they expect or realise over the functionality a service provides, over the geographic location of data storage, and over any further outsourcing chains sitting behind their chosen provider. Additionally, the FCA points out that data legislation is still fluid and that the landscape in which a particular provider operates may well change in the near to medium term.
Bearing in mind the dynamic nature of the technologies fielded in the cloud and the necessary fluidity surrounding legislative frameworks addressing privacy and data security, the need for ongoing monitoring of the suitability of providers and solutions is also stressed.
Areas that the FCA describes as requiring consideration are set out in a straightforward tabular section.
Although the FCA's approach to outsourcing is risk-based and proportionate, as mentioned above, firms retain full responsibility and accountability for discharging all of their regulatory obligations; the maxim that one can delegate the task but not the responsibility remains true.
Whilst GC15/6 is IT-centric, any firm considering the outsourcing of any function should also bear in mind the requirements set out in SYSC 8 ('General outsourcing requirements'). Strictly speaking, the rules in SYSC 8.1 are (only) applicable to common platform firms, although we are told (e.g. in SYSC 8.1.1A) that other firms should look upon them as guidance.
The consultation period lasts three months from publication and will close on 12 February 2016.