The extent (if any) to which UK industry sectoral regulation may apply to cloud computing will require knowledge and the examination of sector-specific legislation, regulations, guidance and regulatory and statutory codes of conduct. In the UK - and with the exception of the NIS Regulations referred to in question 9 and the following example - at the time of writing this chapter there is no regulation that applies specifically or directly to cloud computing as such. Where regulation is found to apply to a cloud computing project, the approval, licence or consent - or at least the informal go-ahead - of a regulator may be required. Common sense and best practice dictate that, where applicable, the regulated entity should consult its regulator as soon as practicable and as fully as possible. This should also be of concern to a CSP expecting to enter a cloud arrangement with a regulated customer.
Only in the UK financial services sector has cloud computing been specifically addressed. Operational resilience, including outsourcing to the cloud, has been identified as a cross-sector priority in the Financial Conduct Authority's (FCA's) annual regulatory business plans for the past several years. The FCA, Bank of England and Prudential Regulation Authority (PRA) issued a joint Discussion Paper (18/4) in July 2018 on operational resilience, which stressed the importance of understanding and mapping important third party providers. Issues identified in the Discussion Paper will be developed into joint policy proposals later in 2019.
In July 2016, the FCA issued its finalised FG 16/5 - ‘Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services’ (www.fca.org.uk/publications/finalised-guidance/fg16-5-guidance-firms-outsourcing-%E2%80%98cloud%E2%80%99-and-other-third-party-it; www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf (FCA Cloud Guidance)). In July 2018, the FCA Cloud Guidance was modified as mentioned below. While some regulatory objectives are issued by the FCA and the PRA as ‘guidance’ (as opposed to rules), it would be a foolhardy regulated financial services organisation that disregarded such guidance or diluted it too far in application.
Before outlining the FCA Cloud Guidance, it must be put in its sectoral regulatory context. When financial services organisations (firms) regulated under FSMA (see question 12) by the FCA and PRA engage in any IT, business process or other outsourcing, they must have regard to and, if applicable, comply with, the regulatory guidance and rules governing that outsourcing. The PRA supervises banks, insurance companies, building societies, credit unions and certain large investment entities. The FCA regulates the conduct of business of all financial services organisations within its statutory jurisdiction, including those prudentially supervised by the PRA. Some outsource providers (who, incidentally, are also CSPs) are themselves authorised and regulated by the FCA.
The PRA and FCA rules are complex and their application to outsourcing will depend on the nature of the firm (the outsourcing customer), the financial services and related activities to be outsourced, and the impact of the proposed outsourcing. The main rules and guidance governing outsourcing by regulated firms are contained in the FCA Handbook and PRA Rulebook. There is also more general FCA guidance on outsourcing to meet FSMA compliance. These are the main sources of prudential and operational provisions regulating outsourcing by financial services firms and regulated outsource providers in the UK. There are also specific outsourcing-related obligations on insurance and reinsurance companies under the Solvency II Directive (2009/138/EC) and related subordinate rules and guidelines (https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1563889385175&uri=CELEX:02009L0138-20190113 and https://www.bankofengland.co.uk/prudential-regulation/key-initiatives/solvency-ii).
The detailed rules governing outsourcing under the PRA Rulebook, FCA Handbook, Solvency II Directive and Solvency 2 Regulations 2015 are beyond the scope of this section. In essence, though, the rules provide for what should be regarded as sensible outsourcing practice, having regard to systemic risk, initial diligence and ongoing operational risk affecting the conduct of regulated business and the interests of business and consumer end-customers, and the needs of the regulators to supervise and intervene if necessary (for a fuller statement, see the FCA Handbook, Systems and Controls (SYSC), chapters 3, 4, 8, 13 and 14: www.handbook.fca.org.uk/handbook/SYSC/).
The Markets in Financial Instruments Directive (MiFID) II (2014/65/EU), which repealed and recast the MiFID Directive (2004/39/EC) and (largely) entered into force on 3 January 2018, together with the Delegated Regulation (2017/565/EU) (commonly referred to as the MiFID Organisation Regulation or the MiFID Org Regulation), imposes on regulated firms a wide range of conduct of business and organisational requirements. These include requirements relating to outsourcing, as well as more general record keeping and business continuity issues. The FCA Handbook was updated to reflect these requirements.
The European Banking Authority (EBA) published finalised Guidelines on Outsourcing Arrangements (EBA Guidelines) on 25 February 2019: https://eba.europa.eu/documents/10180/2551996/EBA+revised+Guidelines+on+outsourcing+arrangements. The EBA Guidelines apply from 30 September 2019, and firms must amend existing outsourcing arrangements to comply with the EBA Guidelines by 31 December 2021. They apply to credit institutions and investment firms, as well as to authorised payment institutions and e-money institutions.
The EBA Guidelines are divided into five sections, or Titles: (I) Proportionality: group application and institutional protection schemes (setting out a principle of proportionality in application of the EBA Guidelines, and requiring transparency within groups); (II) Assessment of outsourcing arrangements (defining ‘outsourcing’ and ‘critical or important’ functions); (III) Governance framework; (IV) Outsourcing process (setting out aspects to be included in an outsourcing agreement at a minimum for a critical or important function); and (V) Guidelines on outsourcing addressed to competent authorities. The governance framework in Title III requires: a holistic risk management framework, a written outsourcing policy, management of conflicts, business continuity plans, internal audit and a register of information on all outsourcing agreements. EBA Guidelines on internal governance published in March 2018 should also be taken into account.
The EBA Guidelines replace the Committee of European Banking Supervisors Guidelines on Outsourcing published in 2006, and incorporate the EBA Recommendations on Outsourcing to Cloud Service Providers (which were applicable from 1 July 2018). The FCA Cloud Guidance was updated in July 2018, to confirm that the FCA Cloud Guidance does not apply to a bank, building society, designated investment firm or IFPRU investment firm to whom the EBA Recommendations are addressed: https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf. The FCA has confirmed that it will keep its Cloud Guidance under review to assess what, if any, changes are required, including as a result of Brexit. In the interests of space, this section now focuses on the FCA Cloud Guidance.
The FCA Cloud Guidance is addressed to such firms (see previous paragraph) ‘when outsourcing to the “cloud” and other third party IT services’. As is evident from the FCA Cloud Guidance, for the FCA, not only is cloud computing equivalent to outsourcing in its potential impact on regulated firms, their operations and end-customers, but also it sees the cloud ‘as encompassing a range of IT services provided in various formats over the Internet’ (paragraph 1.4 FCA Cloud Guidance). Accordingly, the FCA sees no distinction between private, public or hybrid cloud deployment (paragraph 1.4 FCA Cloud Guidance). And it says that ‘[from] a regulatory perspective, the exact form of the service used does not, in itself, alter the regulatory obligations placed on firms. So, where a third party (including a CSP) delivers services on behalf of a regulated firm, this is considered outsourcing. Firms therefore need to consider the relevant regulatory obligations and how they comply with them.’ (Paragraph 3.3 FCA Cloud Guidance.)
The stated aim of the FCA Cloud Guidance is to facilitate adoption of cloud computing in the regulated financial services sector, recognising the benefits of cloud computing and innovation in the sector. It came about because firms and CSPs had told the FCA that they were unsure about how to apply its Handbook outsourcing rules to the cloud: this uncertainty may have been acting ‘as a barrier to firms using the cloud’ (paragraph 1.3 FCA Cloud Guidance).
Apart from the regulated firms themselves, the FCA Cloud Guidance is stated to be of interest to third-party IT providers, trade associations and consumer groups, professional advisers and the auditors of regulated firms.
In outline and focusing below on the most important aspects of the FCA Cloud Guidance for cloud computing, the regulated firm in scope of the FCA Cloud Guidance must have regard to the following.
Criticality or materiality of the cloud service
Whether the function being processed under the cloud service is ‘critical or important’ or ‘material’ and (for authorised payment institutions and authorised electronic money institutions) if it relates to ‘important operational functions’. Each of these terms is defined in the FCA Handbook, the Electronic Money Regulations 2011 (www.legislation.gov.uk/uksi/2011/99/contents/made) and the Payment Services Regulations 2009 (www.legislation.gov.uk/uksi/2009/209/contents/made) (paragraph 3.6 FCA Cloud Guidance); see also the EBA Guidelines section 4, and paragraph 20 of the accompanying EBA Final Report. Overall, if the above kinds of functions are ‘outsourced’ to the cloud, firms in scope of the FCA Cloud Guidance will have more stringent duties with regard to management of operational risk in the transaction, as will CSPs in enabling firms to comply with their obligations. In addition, firms must notify the FCA when entering into or significantly changing material or critical cloud services arrangements (paragraph 3.7 FCA Cloud Guidance).
In some cases, dual-regulated firms subject to the PRA’s preferred resolution strategy will also have to consider resolution arrangements when entering into cloud services projects. These arrangements are designed to ensure continuity in distressed economic circumstances or insolvency to ensure that ‘critical economic functions’ are maintained (paragraph 3.8 FCA Cloud Guidance and https://www.bankofengland.co.uk/financial-stability/resolution).
Legal and regulatory considerations
These include having a business case or rationale for the decision to outsource to the cloud and the use of one or more CSPs for the delivery of critical or important operational functions, or a material outsourcing; due diligence risk assessment of the proposed project; relative risks of each type of cloud service or deployment model (eg, private versus public cloud); knowing where the CSP service and other relevant locations are situated; and the need to identify all service providers in the cloud supply chain - to ensure that the regulatory requirements are met throughout the supply chain.
Risk management
Including: conducting and documenting a risk assessment of the proposed cloud project; monitoring concentration risk, to avoid too great a dependency on any one CSP; and understanding what action to take if the CSP failed.
International standards
Including: as part of due diligence, assessing the CSP’s adherence to accepted international IT and service standards; and applying greater standards of assurance when the functions concerned are critical or important or a material outsourcing.
Oversight of service provider
Including: clarity about the allocation of responsibilities between the firm and the CSP; the firm having an internal function responsible for the strategic and day-to-day management of the CSP; and ensuring that the firm’s staff have sufficient skills and resources to oversee and test the cloud services and properly manage an exit or migration from the existing CSP. In other words, this would mean firms having and retaining specific cloud service management expertise.
Data security
Including: conducting a specific risk assessment; agreeing data residency terms with the CSP, setting out contractually the locations in which the firm’s data can be stored, processed and managed; considering how the firm’s data will be segregated (for public cloud); assessing the sensitivity of data and how the data will be transmitted, stored and encrypted, where necessary - noting that encryption keys or other forms of authentication must be accessible to the FCA or PRA.
Data protection
Including: continuing compliance with data protection laws. Firms are, of course, required separately to comply with UK data protection law (now the GDPR, as supplemented by the Data Protection Act 2018). In that sense, though the data protection laws are separate, the FCA Cloud Guidance forms part of the firm’s compliance with its duties as a regulated firm. Firms should consider the UK Information Commissioner’s guidance concerning the transmission of personal data outside the European Economic Area (EEA).
Effective access to data
‘Data’ is used here in its widest meaning. Firms should ensure that the cloud computing arrangement has addressed the following: access for the firm, their auditors, the regulators and other competent authorities to the firm’s data; contractual ability for the regulators to contact the CSP directly where the firm cannot for any reason disclose the data; ensuring that the data is not stored in jurisdictions that may prevent or inhibit effective access for UK regulators; geopolitical stability as it concerns the data; whether the CSP’s jurisdiction provides for data protection; the law enforcement provisions of the relevant jurisdiction or jurisdictions where data is to be processed, for example, whether and how easily the authorities in the CSP’s jurisdiction may intervene in accessing the firm’s data.
Access to business premises
‘Premises’ here include head offices and operations centres, but not necessarily data centres. The guidance includes: knowing which CSP or supply chain premises are relevant for the cloud services and effective oversight of them (the FCA recognising that CSPs may have legitimate reasons for limiting access to some sites, eg, data centres); providing for the unrestricted contractual and legal ability for the firm or its auditors to request an onsite visit to the business premises - on reasonable prior notice, except in the case of an emergency or crisis; enabling visits by the financial services regulators or other competent authorities as they deem necessary and required by law or regulation, without any conditions being imposed; having the CSP commit contractually to cooperating with all reasonable requests of the regulators during such visits; affording the regulators the right to observe the provision of the cloud services to the firm or any of its affiliates (although the regulators may commit to minimising disruption to the CSP’s operations).
Relationship between service providers
Including: considering how the cloud supply chain is constructed and operates; enabling the firm to review subcontracting and other supply chain arrangements to ensure that they facilitate the firm’s compliance with its regulatory requirements, including security, effective access to data and business sites; understanding the roles of CSPs within the supply chain; knowing how a CSP’s services will interface with the firm’s own systems or other necessary third-party systems (eg, agency banking arrangements for payments).
Change management
Including: ensuring that contractual and operational provision is made for changes to the cloud services; and establishing how changes will be tested.
Continuity and business planning
Including: providing contractually and operationally for appropriate arrangements for the continuity of functions and the ability of the firm to meet its regulatory obligations in the event of an ‘unforeseen interruption’ of the cloud services; having a plan documenting the continuity, business interruption and recovery arrangements; regular testing of the business continuity plan; and putting in place contractual and operational measures to ensure regulatory access to data in an insolvency or other disruption of the cloud services.
Resolution
This guidance will only apply to certain firms (see ‘Criticality or materiality of the cloud service’ above). In this context, the main aspect of the resolution and recovery arrangements and the Bank of England’s ‘stabilisation’ powers that will concern firms, CSPs and providers within the cloud supply chain is this: neither financial distress nor insolvency leading to resolution, nor the change of ownership or control of the firm following that event, will enable the CSP or a cloud supply chain provider to terminate the contract or the provision of cloud services. Moreover, the CSP and its supply chain may have to provide the cloud services to the resolution successor entity or firm for a transitional period. The CSP (and by implication providers in its supply chain) must agree not to delete, revoke or change the firm’s data in the case of resolution.
Exit plan
Including: firms having contractually documented exit plans and termination assistance arrangements to ensure continuity, and these plans being ‘fully tested’; firms understanding how they would migrate the cloud services to an alternative CSP and maintain business continuity; contractually requiring the CSP (and by implication its supply chain) to cooperate fully with the firm and the incoming CSP to ensure a smooth transition; and the firm understanding how it could and would remove its data from the CSP’s systems on exit.
The aim of the FCA Cloud Guidance is to help overcome the barriers created by the perceived regulatory uncertainty in the adoption of cloud computing by UK financial services firms. As the FCA says: ‘We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules.’ (Paragraph 1.6 FCA Cloud Guidance.)
The UK banking sector trade body, UK Finance, sponsored the creation of a public cloud computing framework in February 2019. The framework consists of 44 controls, with each control mapped to one of nine domains and one of 11 risks associated with the management of cloud computing as a service. The controls are derived from analysis of UK Finance members’ control sets and in collaboration with CSPs, cross-checked for compliance against various industry standards as well as the EBA Guidelines. My own experience and that of my colleagues shows that, despite laudable efforts by the regulators and industry bodies to help firms around financial services regulatory hurdles in adopting the cloud, there are still significant concerns about the compatibility of cloud computing with regulatory compliance. In February 2017, the British Bankers’ Association (now UK Finance) identified seven barriers to cloud adoption:
- the regulatory approach to ‘important’ and ‘critical’ functions;
- supervision and oversight;
- the risk framework;
- access to CSP sites and services by regulators;
- data residency;
- termination; and
- data breaches and monitoring.
Most of these concerns will be identifiable from the FCA Cloud Guidance summarised above and look likely to remain of concern to the financial services sector in the immediate future.