FG16/5: Guidance for firms outsourcing to the ‘cloud’ and other third party IT services

In November 2015, we consulted on guidance to clarify the requirements on firms when outsourcing to the ‘cloud’ and other third party IT services. We published the final guidance (FG16/5) in July 2016.

Our finalised guidance is relevant to firms who are interested in outsourcing to the cloud and other third party IT services. It may also be of interest to third party IT providers (including cloud providers), trade associations and consumer groups, law firms and other advisers, and auditors of financial services firms.

Read FG16/5 (PDF)

We updated FG16/5 in July 2018 to reflect the publication of the European Banking Authority’s (EBA) final report on cloud recommendations (EBA/REC/2017/03) and changes to relevant legislation.

In February 2019, the EBA published its final report on outsourcing arrangements (EBA/GL/2019/02). The Final Report on outsourcing arrangements subsumed the EBA’s cloud recommendations (EBA/REC/2017/03). We have notified the EBA of our intent to comply with the EBA guidelines on outsourcing (EBA/GL/2019/02) and we have updated FG16/5 to reflect the publication of (EBA/GL/2019/02) and changes to relevant legislation.

The EBA outsourcing guidelines (EBA/GL/2019/02) apply to credit institutions and investment firms subject to the EU Capital Requirement Directive (2013/36/EU) i.e. banks, building societies and IFPRU investment firms as defined in the FCA Handbook as well as payment institutions and electronic money institutions. They do not apply to Account Information Service Providers that only provide the service in point 8 of Annex I of PSD2.  

The EBA guidelines applied from 30 September 2019 in respect of all outsourcing arrangements entered into, reviewed or amended on or after this date. There are also transitional arrangements extending up to 2021 relating to co-operation agreements, a register of outsourcing and the review of existing ‘critical or important’ outsourcing arrangements entered into before 30 September 2019. In scope firms must make every effort to comply with the guidelines.

The FCA’s FG16/5 remains relevant to all other firms that we authorise.

Summary of findings

Our responses to the feedback we received on Guidance Consultation GC15/6 is set out in the annex of this finalised guidance. We do not consider that the feedback received requires substantial changes to our guidance and proposed approach as set out in GC15/6. However, in some areas we have amended the draft guidance, mostly to clarify our expectations.   

The main feedback issues were:

  • physical access to business premises, including data centres
  • the scope of firms’ obligations relating to supply chain and sub-contracting arrangements
  • clarifying expectations around aspects of risk management, including concentration risk
  • points around the choice and control in relation to the jurisdictions where data is processed, stored and managed
  • the provisions to ensure firms have effective access to data
  • specific expectations around exit plans.

More information

Page updates

01/10/2019: Information added regarding EBA outsourcing guidelines