Financial services firms should take chance to shape cloud policy, say experts

Because it is an information business financial services can be transformed more fully and more quickly by new and emerging technologies than most. But it also faces much more detailed regulation than most, which can act as a brake on innovation.

The FCA is currently considering one of the technologies with the greatest scope to change the way financial services firms work: the cloud. In November it said that there was "no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules".

Proposed new guidance on cloud and other IT outsourcing (15-page / 151KB PDF) could eliminate much of the uncertainty that has held financial services providers back from using cloud technology to its full potential.

Financial services firms should respond fully to the parts of the consultation which could make the biggest difference to their ability to be more efficient, accountable and innovative.

There are some particularly important principles set out in the guidance, and some opportunities to shape FCA policy.

Cloud follows the normal rules, and then some

The guidance is clear: outsourcing to a cloud environment is subject to the same rules and guidance which govern any outsourcing activities and there is no intention on the part of the FCA to change these underlying rules at this stage.

But the FCA has made it clear that there are extra considerations when it comes to the use of cloud technology. Some added risks mentioned include the potentially limited scope which customers have to tailor cloud services; the limited extent to which customers can exercise control over their data at any one time in a cloud context and the greater likelihood of unforeseen supply chain complications occurring.

The guidance also reminds regulated businesses that different rules apply depending on the kind of information being processed. 'Critical or important' data, 'material' data and 'important operational functions' will have to be treated differently.

Identify and manage risk

The FCA reminds firms of the need to focus on outcomes and establish and maintain risk control functions and processes that not only identify risks but also ensure that they are adequately managed and monitored. Legal and regulatory risks should not only be considered from the perspective of one segment of customers, or type of supplier or employee, but take into account specific circumstances and the risks that can arise as a result, such as those created by the need to comply with the regulatory regimes of more than one geographical location.

The FCA further recommends that clear assignments of responsibility for managing operational risk, monitoring concentration risk and ensuring appropriate contractual protections are in place all need to be made and documented, and change management processes must be comprehensive. The FCA has made it clear that it expects firms to be able to demonstrate that they are planning ahead for changes in technology and have effective testing processes in place in order to mitigate disruption.

Keep information safe, and prove it

As has always been the case, the FCA has made it clear that firms will be responsible for their data and processes no matter where they occur. The guidance is clear that it is not enough to rely solely on certification regimes gained under international standards as evidence of regulatory compliance with its framework, although it will assist.

Where compliance with an international standard is part of a supplier's compliance regime, any third party auditing and certification of a supplier's services or functions must be specific to the service or function the regulated business is actually using. The concern of the FCA is that some suppliers are agreeing to 'third-party audits of data centres' without any commitment that the audited centre is one to be used by a particular customer.

Firms should undertake extensive risk assessments covering the specific issues raised by processing data in different countries; should make sure that business recovery and data breach notification arrangements work, and that contractual protections are in place requiring remediation of breaches.

Focus on the supply chain

The FCA acknowledges that supply chains can often be complex and directs firms to review sub-contracting arrangements and consider how each part of the chain will work together. Firms should take note of 'how easily' their systems interface – perhaps an indication that the FCA expects firms to demonstrate to some level that they are future-proofing against interoperability problems.

Firms are also reminded that they remain fully accountable for the actions of their service providers and should: work towards clarity in terms of allocating responsibilities; ensure that they have the internal skills, expertise and resources necessary to effectively oversee and 'test' outsourced activities; and implement effective mechanisms for dispute resolution.

Exit arrangements

Contractual arrangements and operational processes need to ensure enable firms to exit an outsourcing without undue disruption to the provision of the firm's services or interference with its ability to comply with the regulatory regime. As is the case with business continuity and crisis management arrangements, the FCA directs firms to regularly rehearse exit plans. A business regulated by the FCA could not enter into an agreement with a cloud or other outsourcing provider without insisting on a term that requires full cooperation from the provider upon exit.   

Opportunity to shape policy

A barrier to the use of cloud in financial services has long been the demand that business premises be accessible for inspection by the FCA. If you outsource to a cloud operator who might route your information through any one of tens of data centres throughout the world, this may present a problem.

The draft guidance confirms that data centres can be 'business premises', but it crucially says that a service provider may "for legitimate security reasons, limit access to some sites – such as data centres".

The consultation does not clarify how widely that exception should be drawn, but does say that auditors and regulators should be able to access "business premises [that] are relevant for the exercise of effective oversight".

This is one of the areas in which financial services providers could really help the FCA to put the right policy in place. Firms should provide examples of what "legitimate security reason[s]" might reasonably limit access to premises.

Firms will want to know whether the limitation will extend to issues of commercial sensitivity and national security. Businesses with experience of these circumstances could help the FCA by discussing those issues with it.

Responding to the consultation

The guidance specifically requires 'physical access' but there should be no reason why remote or virtual access to cloud facilities cannot be considered sufficient. The EU legal basis upon which the FCA's rules in this regard are built is often seen as the stumbling block, but there is nothing in those rules which mandate actual physical access. The consultation provides an opportunity for firms to indicate to the regulator that they support this approach.  If firms contribute to the consultation there is a greater chance that the regulator will address the important uncertainties around the extent to which auditor and access rights can be met by virtual means, the status of industry standards and certification frameworks, and details around customer oversight of services, supply chain governance and exit arrangements.

These issues will have a serious impact on regulated businesses and their suppliers and if this firms contribute to the consultation effectively it may help the UK financial sector gain a significant competitive advantage.

John Salmon and Luke Scanlon are financial services experts at Pinsent Masons, the law firm behind Out-Law.com