Outsourcing guidance to the ‘cloud’ and other third party IT services.

In November 2015 the Financial Conduct Authority (FCA) consulted on guidance to clarify the requirements on firms when outsourcing to the ‘cloud’ and other third party IT services.

The FCA’s finalised guidance is relevant to firms that are interested in outsourcing to the cloud and other third party IT services. It may also be of interest to third party IT providers (including cloud providers), trade associations and consumer groups, law firms and other advisers, and auditors of financial services firms.

FG16/5: Guidance for firms outsourcing to the ‘cloud’ and other third party IT services

This guidance sets out the FCA’s view and will be relevant to all firms that they authorise. Dual regulated firms should also confirm the position of the Prudential Regulation Authority in relation to firms outsourcing to the ‘cloud’ and other third party IT services.

Summary of findings

The FCA’s responses to the feedback they received on Guidance Consultation GC15/6 are set out in the annex of this finalised guidance. They do not consider that the feedback received requires substantial changes to the guidance and proposed approach as set out in GC15/6. However, in some areas they have amended the draft guidance, mostly to clarify the regulator’s expectations.

The main feedback issues were:

  • physical access to business premises, including data centers
  • the scope of firms’ obligations relating to supply chain and sub-contracting arrangements
  • clarifying expectations around aspects of risk management, including concentration risk
  • points around the choice and control in relation to the jurisdictions where data is processed, stored and managed
  • the provisions to ensure firms have effective access to data
  • specific expectations around exit plans.

More information:

GC15/6: Proposed guidance for firms outsourcing to the ‘cloud’ and other third-party IT services

