In November 2015 we consulted on guidance to clarify the requirements on firms when outsourcing to the ‘cloud’ and other third party IT services. We published the final guidance in July 2016 and updated it in July 2018 to reflect the publication of the European Banking Authority’s (EBA) recommendations and changes to relevant legislation.
Our finalised guidance is relevant to firms who are interested in outsourcing to the cloud and other third party IT services. It may also be of interest to third party IT providers (including cloud providers), trade associations and consumer groups, law firms and other advisers, and auditors of financial services firms.
Our guidance does not apply to a bank, building society, designated investment firm or IFPRU investment firm as defined in the FCA Handbook to whom the EBA Recommendations on outsourcing to cloud service providers are addressed. It will be relevant to all other firms that we authorise.
Summary of findings
Our responses to the feedback we received on Guidance Consultation GC15/6 are set out in the annex of this finalised guidance. We do not consider that the feedback received requires substantial changes to our guidance and proposed approach as set out in GC15/6. However, in some areas we have amended the draft guidance, mostly to clarify our expectations.
The main feedback issues were:
- physical access to business premises, including data centres
- the scope of firms’ obligations relating to supply chain and sub-contracting arrangements
- clarifying expectations around aspects of risk management, including concentration risk
- points around the choice and control in relation to the jurisdictions where data is processed, stored and managed
- the provisions to ensure firms have effective access to data
- specific expectations around exit plans.