FCA green lights cloud technologies
Cloud technology has been around for years now and we are all using it in some ways. If you have an iPhone, then you are using the iCloud all day every day without even realising it. Your DropBox, your Google Drive, your Amazon account are all using cloud computing. At work, it’s your Microsoft One Drive or your Evernote application on your tablet that uses the cloud.
We are constantly connected to it and yet, in financial services, the adoption has been tremendously slow. In part, this is due to a lack of guidance from regulators, especially where cloud-based regulation technology is concerned.
Finally there is forward progress. The Financial Conduct Authority (FCA) in the UK has taken a real step forward to embrace innovation in its recent paper looking at cloud technology, which gives firms clear guidance in the procurement and monitoring of cloud technology providers.
Despite the usual concerns around costs and feasibility, the FCA has done a good job at highlighting the benefits of cloud services, guiding the firms through “all aspects of the life cycle of their outsourcing arrangements”, from making the decision to outsource, selecting an outsource provider, and monitoring outsourced activities on an ongoing basis, through to exit.
To quote my colleague Paul Soltis in his blog post “When good intentions go bad”, for a long time regulators have been looking at the cloud as if it was a “cybersecurity boogeyman, conjuring up an undeserved image of evil, long-haired, goatee-sporting hackers gleefully rolling around in a bed full of ill-gotten client data”. Through good-intentioned cybersecurity monitoring, regulators have in the past discouraged the use of the cloud, especially by the big third-party administrators.
While the financial services industry has been very wary in moving to the cloud, this reluctance is changing and is backed by guidance such as that from the FCA.
The detailed regulatory guide has therefore been very welcomed among third-party administrators and technology providers. It reassured industry players, uncertain of the watchdog’s ruling for outsourcing to the cloud, and encouraged firms to make the move, affirming that using the cloud can provide “more flexibility to the service that firms receive, enable innovation and bring benefits to firms, their consumers, and the wider market”.
“We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules.”
The paper gives firms a framework for understanding operational and supply chain risks and insists on the need to review contracts with outsourcing providers to ensure they meet the internal standards.
Ensuring compliance throughout the supply-chain is the most contentious item with concerns raised over supply-chain oversight being impractical and unduly burdensome. The FCA recommends firms agree to a data residency policy with their chosen providers, understand the data provider’s data loss and breach processes, as well as comply with the eight principles of the Data Protection Act (DPA).
The FCA stresses the importance of continuity planning – asking firms for “appropriate arrangements to ensure that it can continue to function and meets its regulatory obligations in the event of an unforeseen interruption of the outsourced services”. Developing a viable exit strategy is also highly emphasized.
Those high-level guidelines are far from being exhaustive, but they should give financial institutions, traditionally slow adopters when it comes to moving to the cloud, enough guidance to start reaping the numerous benefits of the cloud. And trust me, there are many.
Thomas Pfister, head of regulatory reporting solutions at Confluence