FCA gives green light to financial firms using cloud technologies – but with a caveat


The Financial Conduct Authority (FCA) has issued a series of guidelines on how financial firms can migrate to the cloud, provisionally giving them the green light.

“We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules,” the report notes.

The authority notes that it has successfully supported many firms in using cloud and other IT service solutions, yet the updated guidelines come after concern from organisations over how the term ‘cloud’ should be defined and how it applies to them, as well as over operational and supply chain risks.

The FCA insists firms need to review the contract with their outsourcing provider to ensure it meets their standards. In terms of regulations, organisations need to ensure their operational risk is not worsened by cloud migration, identify all service providers in the supply chain, and ensure compliance through all those steps. The finalised guidance insists that it is keeping in line with these guidelines despite concerns over the supply chain being ‘impractical’ and ‘unduly burdensome’.

Regarding data security, the FCA argues firms should agree a data residency policy with their chosen provider, understand the provider’s data loss and breach processes, and comply with the eight principles of the Data Protection Act (DPA). Similarly, the importance of continuity planning – “appropriate arrangements to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption of the outsourced services” – and of an exit strategy was also strongly emphasised.

Alongside this, the FCA insists the report, which can be viewed in full via FinExtra, should not be read in isolation – citing the Prudential Regulation Authority (PRA) as another important body – nor is it exhaustive. “We expect firms to take note of the guidance and, where appropriate, use it to inform their systems and controls on outsourcing,” the report notes.

While industries such as finance, healthcare and manufacturing have been traditional laggards in moving to the cloud, this view, backed up by the FCA paper, is changing. Tony Connor of Datapipe, writing for this publication back in March, argued that the view on cloud security was shifting but insisted trust was key. “With a trusted partner and careful planning, even the most complex IT ecosystems in a financial institution can be moved to the cloud and start reaping its numerous benefits,” he wrote.