In November 2015 we consulted on guidance to clarify the requirements on firms when outsourcing to the ‘cloud’ and other third party IT services.
Our finalised guidance is relevant to firms who are interested in outsourcing to the cloud and other third party IT services. It may also be of interest to third party IT providers (including cloud providers), trade associations and consumer groups, law firms and other advisers, and auditors of financial services firms.
This guidance sets out our view and will be relevant to all firms that we authorise. Dual regulated firms should also confirm the position of the PRA in relation to firms outsourcing to the ‘cloud’ and other third party IT services.
Summary of findings
Our responses to the feedback we received on Guidance Consultation GC15/6 are set out in the annex of this finalised guidance. We do not consider that the feedback received requires substantial changes to our guidance and proposed approach as set out in GC15/6. However, in some areas we have amended the draft guidance, mostly to clarify our expectations.
The main feedback issues were:
- physical access to business premises, including data centres
- the scope of firms’ obligations relating to supply chain and sub-contracting arrangements
- clarifying expectations around aspects of risk management, including concentration risk
- points around the choice and control in relation to the jurisdictions where data is processed, stored and managed
- the provisions to ensure firms have effective access to data
- specific expectations around exit plans.