The extent (if any) to which UK industry sectoral regulation may apply to cloud computing will require knowledge and the examination of sector-specific legislation, regulations, guidance and regulatory and statutory codes of conduct. In the UK - and with the following exception - at the time of writing this edition there is no regulation that applies specifically or directly to cloud computing as such. Where regulation is found to apply to a cloud computing project, the approval, licence or consent - or at least the informal go-ahead - of a regulator may be required. Common sense and best practice dictate that, where applicable, the regulated entity should consult its regulator as soon as practicable and as fully as possible. This should also be of concern to a CSP expecting to enter a cloud arrangement with a regulated customer.
Only in the UK financial services sector has cloud computing been specifically addressed. In July 2016, one of the UK’s financial services regulators, the Financial Conduct Authority (FCA), issued its finalised FG 16/5 - ‘Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services’ (www.fca.org.uk/publications/finalised-guidance/fg16-5-guidance-firms-outsourcing-%E2%80%98cloud%E2%80%99-and-other-third-party-it; www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf (FCA Cloud Guidance)). While some regulatory objectives are issued by the FCA and the other of the UK’s main financial services regulators, the Prudential Regulation Authority (PRA), as ‘guidance’ (as opposed to rules), it would be a foolhardy regulated financial services organisation that disregarded such guidance or diluted it too far in application.
Before outlining the FCA Cloud Guidance, it must be put in its sectoral regulatory context. When financial services organisations (firms) regulated under FSMA (see question 12) by the FCA and PRA engage in any IT, business process or other outsourcing, they must have regard to and, if applicable, comply with, the regulatory guidance and rules governing that outsourcing. The PRA supervises banks, insurance companies, building societies, credit unions and certain large investment entities. The FCA regulates the conduct of business of all financial services organisations within its statutory jurisdiction, including those prudentially supervised by the PRA. Some outsource providers (who, incidentally, are also CSPs) are themselves authorised and regulated by the FCA.
The PRA and FCA rules are complex and their application to outsourcing will depend on the nature of the firm (the outsourcing customer), the financial services and related activities to be outsourced, and the impact of the proposed outsourcing. The main rules and guidance governing outsourcing by regulated firms are contained in the FCA Handbook and PRA Rulebook. There is also more general FCA guidance on outsourcing to meet FSMA compliance. These are the main sources of prudential and operational provisions regulating outsourcing by financial services firms and regulated outsource providers in the UK. There are also specific outsourcing-related obligations on insurance and reinsurance companies under the Solvency II Directive and related subordinate rules and guidelines (eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32009L0138 and www.bankofengland.co.uk/pra/Pages/solvency2/default.aspx).
The detailed rules governing outsourcing under the PRA Rulebook, FCA Handbook, Solvency II Directive and Solvency 2 Regulations are beyond the scope of this section. In essence, though, the rules provide for what should be regarded as sensible outsourcing practice, having regard to systemic risk, initial diligence and ongoing operational risk affecting the conduct of regulated business and the interests of business and consumer end-customers, and the needs of the regulators to supervise and intervene if necessary (for a fuller statement, see the FCA Handbook, Systems and Controls (SYSC), chapters 3, 4, 8, 13 and 14: www.handbook.fca.org.uk/handbook/SYSC/). The Markets in Financial Instruments Directive (MiFID) II (2014/65/EU), which repealed and recast the MiFID Directive (2004/39/EC) and (largely) entered into force on 3 January 2018, imposes on regulated firms a wide range of conduct of business and organisational requirements. These include requirements relating to outsourcing, as well as more general record keeping and business continuity issues. The FCA Handbook has been updated to reflect these new requirements.
Why are the outsourcing rules and guidance relevant to cloud computing? The FCA Cloud Guidance is addressed to all firms authorised under FSMA ‘when outsourcing to the ‘cloud’ and other third party IT services’ (my emphasis). As will be evident from the FCA Cloud Guidance itself, for the FCA, not only is cloud computing equivalent to outsourcing in its potential impact on regulated firms, their operations and end-customers, but also it sees the cloud ‘as encompassing a range of IT services provided in various formats over the Internet’ (paragraph 1.4 FCA Cloud Guidance). Accordingly, the FCA sees no distinction between private, public or hybrid cloud deployment (paragraph 1.4 FCA Cloud Guidance). And it says that ‘[from] a regulatory perspective, the exact form of the service used does not, in itself, alter the regulatory obligations placed on firms. So, where a third party (including a CSP) delivers services on behalf of a regulated firm, this is considered outsourcing. Firms therefore need to consider the relevant regulatory obligations and how they comply with them.’ (Paragraph 3.3 FCA Cloud Guidance.)
The stated aim of the FCA Cloud Guidance is to facilitate adoption of cloud computing in the regulated financial services sector, recognising the benefits of cloud computing and innovation in the sector. It came about because firms and CSPs had told the FCA that they were unsure about how to apply its Handbook outsourcing rules to the cloud: this uncertainty may have been acting ‘as a barrier to firms using the cloud’ (paragraph 1.3 FCA Cloud Guidance).
Apart from the regulated firms themselves, the FCA Cloud Guidance is addressed (for information in this case) to CSPs and other third-party IT providers, trade associations and consumer groups, professional advisers and the auditors of regulated firms.
In outline and focusing below on the most important aspects of the FCA Cloud Guidance for cloud computing, the regulated firm must have regard to the following.
Criticality or materiality of the cloud service
Whether the function being processed under the cloud service is ‘critical or important’ or ‘material’ and (for authorised payment institutions and authorised electronic money institutions) if it relates to ‘important operational functions’. Each of these terms is defined in the FCA Handbook, the Electronic Money Regulations 2011 (www.legislation.gov.uk/uksi/2011/99/contents/made) and the Payment Services Regulations 2009 (www.legislation.gov.uk/uksi/2009/209/contents/made; see paragraph 3.6 FCA Cloud Guidance). Overall, if the above kinds of functions are ‘outsourced’ to the cloud, regulated firms will have more stringent duties with regard to management of operational risk in the transaction, as will CSPs in enabling firms to comply with their obligations. In addition, firms must notify the FCA when entering into or significantly changing material or critical cloud services arrangements (paragraph 3.7 FCA Cloud Guidance).
In some cases, banks, building societies, investment firms and central counterparties (those institutions covered by the UK resolution and recovery regime) will also have to consider resolution arrangements when entering into cloud services projects. These arrangements are designed to ensure continuity in distressed economic circumstances or insolvency to ensure that ‘critical economic functions’ are maintained (paragraph 3.8 FCA Cloud Guidance and www.bankofengland.co.uk/financialstability/Pages/role/risk_reduction/srr/resolution.aspx).
Legal and regulatory considerations
These include having a business case or rationale for the decision to ‘outsource’ to the cloud and the use of one or more CSPs for the delivery of critical or important operational functions, or a material outsourcing; due diligence risk assessment of the proposed project; relative risks of each type of cloud service or deployment model (eg, private versus public cloud); knowing where the CSP service and other relevant locations are situated; and the need to identify all service providers in the cloud supply chain - to ensure that the regulatory requirements are met throughout the supply chain.
Risk management
Including: conducting and documenting a risk assessment of the proposed cloud project; monitoring concentration risk, to avoid too great a dependency on any one CSP; and understanding what action to take if the CSP failed.
International standards
Including: as part of due diligence, assessing the CSP’s adherence to accepted international IT and service standards; and applying greater standards of assurance when the functions concerned are critical or important or a material outsourcing.
Oversight of service provider
Including: clarity about the allocation of responsibilities between the firm and the CSP; the firm having an internal function responsible for the strategic and day-to-day management of the CSP; and ensuring that the firm’s staff have sufficient skills and resources to oversee and test the cloud services and properly manage an exit or migration from the existing CSP. In other words, this would mean firms having and retaining specific cloud service management expertise.
Data security
Including: conducting a specific risk assessment; agreeing data residency terms with the CSP, setting out contractually the locations in which the firm’s data can be stored, processed and managed; considering how the firm’s data will be segregated (for public cloud); and assessing the sensitivity of data and how the data will be transmitted, stored and encrypted, where necessary - noting that encryption keys or other forms of authentication must be accessible to the FCA or PRA.
Data protection
Including: continuing compliance with data protection laws. Firms are, of course, required separately to comply with UK data protection law (now the GDPR, as supplemented by the Data Protection Act 2018). In that sense, though the data protection laws are separate, the FCA Cloud Guidance forms part of the firm’s compliance with its duties as a regulated firm. Firms should consider the UK Information Commissioner’s guidance concerning the transmission of personal data outside the European Economic Area (EEA).
Effective access to data
‘Data’ is used here in its widest meaning. Firms should ensure that the cloud computing arrangement has addressed the following: access for the firm, their auditors, the regulators and other competent authorities to the firm’s data; contractual ability for the regulators to contact the CSP directly where the firm cannot for any reason disclose the data; ensuring that the data is not stored in jurisdictions that may prevent or inhibit effective access for UK regulators; geopolitical stability as it concerns the data; whether the CSP’s jurisdiction provides for data protection; the law enforcement provisions of the relevant jurisdiction or jurisdictions where data is to be processed, for example whether and how easily the authorities in the CSP’s jurisdiction may intervene in accessing the firm’s data.
Access to business premises
‘Premises’ here include head offices and operations centres, but not necessarily data centres. The guidance includes: knowing which CSP or supply chain premises are relevant for the cloud services and effective oversight of them (the FCA recognising that CSPs may have legitimate reasons for limiting access to some sites, eg, data centres); providing for the unrestricted contractual and legal ability for the firm or its auditors to request an onsite visit to the business premises - on reasonable prior notice, except in the case of an emergency or crisis; enabling visits by the financial services regulators or other competent authorities as they deem necessary and required by law or regulation, without any conditions being imposed; having the CSP commit contractually to cooperating with all reasonable requests of the regulators during such visits; affording the regulators the right to observe the provision of the cloud services to the firm or any of its affiliates (although the regulators may commit to minimising disruption to the CSP’s operations).
Relationship between service providers
Including: considering how the cloud supply chain is constructed and operates; enabling the firm to review subcontracting and other supply chain arrangements to ensure that they facilitate the firm’s compliance with its regulatory requirements, including security, effective access to data and business sites; understanding the roles of CSPs within the supply chain; knowing how a CSP’s services will interface with the firm’s own systems or other necessary third-party systems (eg, agency banking arrangements for payments).
Change management
Including: ensuring that contractual and operational provision is made for changes to the cloud services; and establishing how changes will be tested.
Continuity and business planning
Including: providing contractually and operationally for appropriate arrangements for the continuity of functions and the ability of the firm to meet its regulatory obligations in the event of an ‘unforeseen interruption’ of the cloud services; having a plan documenting the continuity, business interruption and recovery arrangements; regular testing of the business continuity plan; and putting in place contractual and operational measures to ensure regulatory access to data in an insolvency or other disruption of the cloud services.
Resolution
This guidance will only apply to certain firms (see ‘Criticality or materiality of the cloud service’ above). In this context, the main aspect of the resolution and recovery arrangements and the Bank of England’s ‘stabilisation’ powers that will concern firms, CSPs and providers within the cloud supply chain is this: neither financial distress or insolvency leading to resolution, nor the change of ownership or control of the firm following that event, will enable the CSP or a cloud supply chain provider to terminate the contract or the provision of cloud services. Moreover, the CSP and its supply chain may have to provide the cloud services to the resolution successor entity or firm for a transitional period. The CSP (and by implication providers in its supply chain) must agree not to delete, revoke or change the firm’s data in the case of resolution.
Exit plan
Including: firms having contractually documented exit plans and termination assistance arrangements to ensure continuity, and these plans being ‘fully tested’; firms understanding how they would migrate the cloud services to an alternative CSP and maintain business continuity; contractually requiring the CSP (and by implication its supply chain) to cooperate fully with the firm and the incoming CSP to ensure a smooth transition; and the firm understanding how it could and would remove its data from the CSP’s systems on exit. While there is no record of recent CSP insolvencies affecting UK financial services institutions, experience of such situations elsewhere shows that, in the context of cloud services and cloud contracts, understanding and operating such contingency processes is at best difficult (see http://diginomica.com/2015/01/06/cios-worst-nightmare-cloud-provider-goes-bankrupt/; see also question 14).
As noted above, the aim of the FCA Cloud Guidance is to help overcome the barriers created by the perceived regulatory uncertainty in the adoption of cloud computing by UK financial services firms. As the FCA says: ‘We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules.’ (Paragraph 1.6 FCA Cloud Guidance.) And the FCA points out that it has supported both new and existing firms to use the cloud and achieve regulatory compliance (paragraph 1.7 FCA Cloud Guidance; for an example of a new ‘challenger’ bank adopting the cloud, see www.ft.com/content/36c4eba2-2280-11e6-9d4d-c11776a5124d?mhq5j=e1).
In its UK Software and IT Services Market Trends & Forecasts 2017 (subscription-only), the UK research and analytics firm TechMarketView observed ‘continued growth in spending on cloud-based systems’ in the UK financial services markets (page 15). However, in reporting on the 2017 drivers and trends in the UK financial services market, TechMarketView’s data shows that, while the move to cloud is certainly growing, it is not a dominant trend in these markets (page 16).
Other research - and my own and colleagues’ experience - shows that, despite the FCA’s laudable efforts to help firms around financial services regulatory hurdles in adopting the cloud, there are still significant concerns about the compatibility of cloud computing with regulatory compliance. In an article in Finextra on 27 June 2017, Tim Brazier wrote: ‘Financial firms have cited regulation and compliance as the biggest challenges to overcome in cloud migration. In a paper published in February 2017, the UK banking sector trade body, the British Bankers’ Association (BBA, now UK Finance), identified seven barriers to cloud adoption’ (www.finextra.com/blogposting/14231/public-cloud-adoption-in-financial-services-challenges-and-opportunities; footnote omitted). The barriers financial firms identified were:
- the regulatory approach to ‘important’ and ‘critical’ functions;
- supervision and oversight;
- the risk framework;
- access to CSP sites and services by regulators;
- data residency;
- termination; and
- data breaches and monitoring.
Most of these concerns will be identifiable from the FCA Cloud Guidance summarised above. And readers will note that the BBA’s report was finally published five months after the publication of the FCA Cloud Guidance - in other words, it appears that the FCA Cloud Guidance had not yet achieved its objective. Readers will reach their own conclusions.
On 28 March, the European Banking Authority (the EBA) issued its final recommendations on outsourcing to cloud service providers. These follow a period of public consultation. The final recommendations have been published and came into force as of 1 July. Pursuant to the recommendations, competent authorities, including the FCA, and financial institutions (defined as credit institutions and investment firms under article 4(1) of the EU’s Capital Requirements Regulations, 2013/36/EU) must make every effort to comply. The FCA Cloud Guidance largely addresses the requirements in the EBA’s recommendations, so they reflect minimal change for financial institutions in the UK that are compliant with the FCA Cloud Guidance. On 25 July 2018, the FCA published its updated Cloud Guidance to reflect the EBA’s recommendations (www.fca.org.uk/publications/finalised-guidance/fg16-5-guidance-firms-outsourcing-cloud-and-other-third-party-it). Note that the policy contained in the FCA’s Guidance reflects the existing UK and EU regulatory framework. The FCA has confirmed that it will keep its Guidance under review to assess what, if any, changes are required, including as a result of Brexit.