Financial Regulator Publishes Final Cloud Rules

The Financial Conduct Authority (FCA) has issued its final guidance for financial services firms operating in the UK on the use of cloud-based services, but industry experts said the handbook fails to provide clarity in some key areas.

“This guidance is intended to help all firms to effectively oversee all aspects of the life-cycle of their outsourcing arrangements: from making the decision to outsource, selecting an outsource provider, and monitoring outsourced activities on an ongoing basis, through to exit,” the FCA said in its guidance.

Cloud shift

In the document the regulator concludes that there is “no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules”.

While the guidelines are not binding, the FCA said it expects firms to take note of them and make use of them.

It sets out specific requirements on outsourcing, including a recommendation that firms agree a data residency policy with their provider at the outset which “sets out the jurisdictions in which the firm’s data can be stored, processed and managed”.

The areas where firms’ data is stored should not include “jurisdictions that may inhibit effective access to data for UK regulators”, the FCA said.

“Considerations should include the wider political and security stability of the jurisdiction; the law in force in the jurisdiction in question (including data protection); and the international obligations of the jurisdiction,” the FCA wrote. “This should include consideration of the law enforcement provisions within a jurisdiction.”

These provisions represent a shift from the FCA’s draft guidance, in which it had said firms should have “choice and control” over where data was stored, processed and managed.

Jurisdiction control

Financial firms and cloud providers argued such provisions were impractical, and as a result the FCA said it had amended its recommendations.

The FCA said it recognises “many cloud providers are not able to allow firms full control” over where data is held, and that requiring such control could limit the field of suitable providers.

Under the final guidance, therefore, firms are recommended to agree an initial policy, and providers are then given “discretion” to store, process and manage data in jurisdictions considered acceptable under that policy, the FCA said.

Industry observers said this approach appears to adhere to the principles of “choice and control” while providing needed flexibility.

Data centre access

But they said the guidance is less clear on how firms can ensure they, auditors and regulators have “effective access” to data and the business premises of service providers.

The FCA acknowledged that in many cases physical access to data centres might not be required, but added that “there may be circumstances where physical access to data centres is necessary for a firm to meet its regulatory requirements”.

The provision is sensitive because, as the FCA itself stated, “service providers may, for legitimate security reasons, limit access to some sites – such as data centres”.

Nevertheless, the guidance appears in practice to require physical access to data centres, a legal expert said.

“If the FCA is saying that on-site access to relevant business premises is required, in most cases the relevant business premises will be the provider’s data centre,” said Craig Callery, a data protection specialist at Pinsent Masons, in a research note.

Supply chain

The FCA also modified a provision that had required financial services companies to identify all service providers in the supply chain, which firms said would be overly onerous where cloud services are involved.

The final guidance says firms need only identify service providers whose activity relates directly to the regulated activity being provided, which “therefore does not necessarily include all providers in the supply chain”.

Cloud-based services are currently seeing sharp growth, including in sensitive areas such as the public sector.

Security experts have, however, warned that such arrangements introduce an inherent risk, since firms are effectively storing their data on systems operated by third parties.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.