The recommendations approve cloud services but recommend clear policies around where data is held
The Financial Conduct Authority (FCA) has issued its final guidance for financial services firms operating in the UK on the use of cloud-based services, but industry experts said the handbook fails to provide clarity in some key areas.
“This guidance is intended to help all firms to effectively oversee all aspects of the life-cycle of their outsourcing arrangements: from making the decision to outsource, selecting an outsource provider, and monitoring outsourced activities on an ongoing basis, through to exit,” the FCA said in its guidance.
In the document the regulator concludes that there is “no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules”.
While the guidelines are not binding, the FCA said it expects firms to take note of and make use of them.
It sets out specific requirements on outsourcing, including a recommendation that firms agree a data residency policy with their provider at the outset which “sets out the jurisdictions in which the firm’s data can be stored, processed and managed”.
The areas where firms’ data is stored should not include “jurisdictions that may inhibit effective access to data for UK regulators”, the FCA said.
“Considerations should include the wider political and security stability of the jurisdiction; the law in force in the jurisdiction in question (including data protection); and the international obligations of the jurisdiction,” the FCA wrote. “This should include consideration of the law enforcement provisions within a jurisdiction.”
These provisions represent a shift from the FCA’s draft guidance, in which it had said firms should have “choice and control” over where data was stored, processed and managed.
Financial firms and cloud providers argued such provisions were impractical, and as a result the FCA said it had amended its recommendations.
The FCA said it recognises “many cloud providers are not able to allow firms full control” over where data is held, and that requiring such control could limit the field of suitable providers.
Under the final guidance, therefore, firms are recommended to agree an initial policy, and providers are then given “discretion” to store, process and manage data in jurisdictions considered acceptable under that policy, the FCA said.
Industry observers said this approach appears to adhere to the principles of “choice and control” while providing needed flexibility.
Data centre access
But they said the guidance is less clear on how firms can ensure they, auditors and regulators have “effective access” to data and the business premises of service providers.
The FCA acknowledged that in many cases physical access to data centres might not be required, but added that “there may be circumstances where physical access to data centres is necessary for a firm to meet its regulatory requirements”.
The provision is sensitive because, as the FCA itself stated, “service providers may, for legitimate security reasons, limit access to some sites – such as data centres”.
Nevertheless, the guidance appears in practice to require physical access to data centres, a legal expert said.
“If the FCA is saying that on-site access to relevant business premises is required, in most cases the relevant business premises will be the provider’s data centre,” said Craig Callery, a data protection specialist at Pinsent Masons, in a research note.
The FCA also modified a provision that had required financial services companies to identify all service providers in the supply chain, which firms said would be overly onerous where cloud services are involved.
The final guidance says firms need only identify service providers whose activity relates directly to the regulated activity being provided, which “therefore does not necessarily include all providers in the supply chain”.
Security experts have, however, warned that such arrangements introduce an inherent risk, since firms are effectively storing their data on systems operated by third parties.