Guidance for firms outsourcing to the Cloud and other third-party IT services

13 May 2017

Revised by Bachir El Nakib, Senior Consultant, Compliance Alert (LLC) 

Financial authorities such as the UK’s Financial Conduct Authority have already accepted the cloud, which on the face of it gives banks the green light to be more ambitious. But not really, because the issued guidance doesn’t bridge the reality gap traditional banks need to get across – in other words, the inadequate service level for scenarios other than data archiving or disaster recovery.

The Financial Conduct Authority's long-awaited guidance is a "welcome development for regulated financial services firms", says Sue McLean, Of Counsel lawyer at international law firm Morrison & Foerster.

In outsourcing deals in the financial services sector service providers are very used to hearing from banks and financial institutions that certain contractual protections are required to meet ‘regulatory requirements’. Now that the FCA has published its final guidance on cloud computing, cloud service providers will need to get used to having similar discussions.

Cloud guidance

This summer (2016) the FCA published its final guidance for UK regulated firms outsourcing to the cloud. In the guidance, which is long overdue, the FCA makes clear that there is “no fundamental reason” why financial services firms cannot use public cloud services, as long as they comply with the FCA’s rules.  This statement and the guidance will certainly be welcomed by those UK financial institutions hesitant to embrace cloud to date due to the lack of regulatory certainty over its use. And it should be good news for the cloud sector too – providing a boost in the uptake of cloud services in the sector.

FCA Approach to Outsourcing

In the UK, the FCA and its predecessors have created longstanding guidance which requires firms to appropriately identify and manage the operational risks raised by outsourcing. The approach is proportionate and risk based, taking into account the nature, scale and complexity of a firm’s operations. The guidance builds on this existing approach. 

Considerations when using cloud

The FCA identifies three risks it believes are specific to cloud-based solutions:

  • customers may have less scope to tailor the service;
  • providers may move customer data around with less visibility and control for the data owner; and
  • providers may contract out part of the service provided to other cloud providers, without visibility for the customer

The cloud guidance lists a number of areas of interest that regulated firms should consider when using cloud-based services, including how firms should discharge oversight obligations:

  1. Legal and Regulatory Considerations
  2. Risk Management
  3. International Standards
  4. Oversight of Service Provider
  5. Data Security
  6. Data Protection
  7. Effective Access to Data
  8. Access to Business Premises
  9. Relationships Among Service Providers
  10. Change Management
  11. Continuity and Business Planning
  12. Resolution (e., treatment during a dissolution or insolvency event)
  13. Exit Plan

Each category is accompanied by a list of bullet points and provides a number of clear statements detailing what the FCA expects in terms of access to data, access to premises and exit planning.

In data archiving and backup applications, the cloud’s appeal hinges on its cost-efficiency, scalability and durability. But durability should not be confused with availability. Even if data is tightly safeguarded, and can be brought back online efficiently after a system crash or other crisis, this adds no value in a live-data scenario. If there is any chance that at some point access may be interrupted, the other merits of cloud don’t matter in this context.

And that’s why banks haven’t made the final leap to using cloud in a production environment – because these otherwise very viable on-demand data centres can’t offer them the very high availability assurances they need.

Lost market opportunity

So banks are stuck. The inability to move core systems and live data into the cloud is costing them competitively in lost market opportunity.

If they could make the leap, it would pave the way for advanced customer analytics, intelligent service automation, complex stock correlations, and predictive fraud detection: data-intensive applications that demand massive computer power – at a scale that their proprietary data centres simply can’t deliver.

But AWS and other mainstream cloud infrastructure providers have designed their services and service level agreements to meet the needs of the majority: where the risk of interrupting a morning’s business, social feeds or even hedge fund activity, though costly, is at least partly offset by huge infrastructure savings.

The financial services sector is one of the prime markets that stands to gain many benefits from cloud computing but, to date, this has proved rather difficult. This is hardly surprising when one considers the heavy regulation within this industry. On top of this there is also a lot of fear from organisations pertaining to potential security risks with the control of data still very much a primary concern. Barely a day goes by without the announcement of the latest outage and no-one wants to be next in the firing line.

The potential benefits that come from the growth of cloud computing in this sector are vast, allowing for real-time execution of business critical activities such as fraud detection, instant lending decisions and extensive risk calculations. Cloud computing has also been a key driver in helping lenders achieve scalability quickly while also helping lower IT costs. When implemented properly, moving to the cloud can drastically reduce the operations and maintenance cost of IT, whilst ensuring that organisational agility is not slowed down by infrastructure. Many providers of financing solutions operate across multiple regions so this agility becomes vital when looking to innovate, launch products and structure deals quickly; they cannot afford to be beholden to legacy technology.

The dynamic nature of cloud however necessitates security and compliance controls that, granted, can be daunting. Issues around mobility and multi-tenancy, identity and access management, data protection and incident response and assessment all need to be addressed. And with multiple modes – SaaS, PaaS, IaaS, public, private, hybrid – creating added complexity in how security and compliance is carried out and by whom, I can certainly understand why IT leaders in the financial services sector may initially think twice about leveraging cloud. 

ISO 27001 is a widely adopted global security standard and framework that sets out requirements and best practices for a comprehensive approach to managing company and customer information. As all companies, including those in the financial sector, race to combat security threats and address evolving compliance requirements, they often struggle to implement and demonstrate the consistent security management that is core to ISO 27001. Proving IT security practices is also key to satisfying the new European Union General Data Protection Regulation before it goes into effect in 2018.

The fact of the matter is, in today’s world, compliance isn’t just about satisfying regulations – it’s about staying ahead of threats and assuring end-customers that their data is safe. And this is never more important than when individuals’ money is at stake.


1) FCA, UK

2) Computerworld, UK

3) Cloud Computing News

Download File