The Financial Conduct Authority (FCA) is currently inviting views on proposed guidance for firms out-sourcing to third party IT services.
Published today (12 November 2015) the proposed guidance for forms outsourcing to the ‘cloud’ and other third party IT services aims to clarify the requirements firms need to meet when outsourcing IT services and how they need to be regulated.
According to the documents all firms involved in out-sourcing IT services are responsible for ensuring that any outsourced contracts comply with FCA rules.
The paper also states firms should identify any risks introduced by outsourcing arrangements including carrying out, documenting and monitoring risk assessments.
The FCA guidance also highlights that in cases where there has been an oversight by the service you can not delegate all responsibilities to the third party.
Upon working together companies must be able to clarify where accountability lies and that suitable arrangements for dispute resolution exist.
Furthermore, firms outsourcing their IT services also need to carry out a security risk assessment that outlines where data can be stored, how the provider’s data loss and make sure breach notification strategies work and that these all align with the eight principles of the Data Protection Act (1998).
The deadline for feedback to the FCA’s proposals is 12 February 2016.
John Salmon, a partner and head of the financial services sector at law firm Pinsent Masons, said it was really positive for the FCA to recognise that the financial services sector can move ahead with plans to use cloud services as long as appropriate safeguards are put in place.
He said the paper was consistent with the regulator’s efforts to promote innovation in the sector and should help more firms benefit from cloud solutions.
Mr Salmon said: “It is good to see the FCA acknowledge that cloud services while similar to traditional outsourcing arrangements are unique in many respects.
“Leaving to one side some of the regulatory issues which remain to be debated through the consultation period, what the FCA has already provided in this document should provide firms with a good roadmap to implement cloud strategies that are effective in matching compliance rules written for traditional outsourcing arrangements to the cloud context.
“The consultation period over the next few months will provide a good opportunity for businesses affected to set out clear views about how existing regulation can be addressed in a way that enables cloud products.”
