FCA argues no “fundamental reason” why financial firms cannot move to the cloud


The Financial Conduct Authority (FCA) has issued a report arguing there is “no fundamental reason” why financial organisations cannot move to cloud-based models so long as the guidelines the body issues are adhered to.

“Our aim is to avoid imposing inappropriate barriers to firms’ ability to outsource to innovative and developing areas, while ensuring that risks are appropriately identified and managed,” the FCA argues. “We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules.”

The FCA is at pains to stress the guidance it offers is not exhaustive, nor should it be read in isolation, but argues its approach is “risk-based and proportionate”.

First on the list are legal and regulatory considerations for financial firms. A company should have a “clear and documented business case or rationale” to support the decision to outsource to the cloud, do its due diligence – including ensuring the outsourcing agreement does not impair the firm’s operational risk – identify all service providers in the supply chain, and ensure the firm’s requirements are adhered to throughout.

Risk management is also a necessary concern: firms should note current industry good practice in data and information security management. International standards, such as the ISO 27000 series, also need to be considered, and a data security risk assessment should be carried out.

The relationship between service providers is also considered, as well as change management and continuity and business planning. Firms should “consider that disruptions could be caused by intentional cyber attacks, and that these may negate controls focused on delivering system availability”, the report notes.

Back in July, a report from CipherCloud argued the financial industry has an increased confidence in cloud technologies, with 100% of respondents saying they put certain personally identifiable information (PII) in the cloud. The FCA report appears to give a further green light, but with a few provisos.

The FCA is asking its membership to give feedback for the coming three months, with the closing date for comments being February 12. You can read the report here.