FCA issues guidance on cloud-related risk
26 July 2016 London
Image: Shutterstock
Financial services firms remain responsible for their own regulatory compliance, and should conduct appropriate due diligence when using ‘cloud technology providers, according to new guidance from the UK Financial Conduct Authority.
The guidance also applies to any other third-party IT service providers, and noted that the term ‘cloud’ itself “encompasses a range of different IT services”.
It outlined areas that firms should consider before outsourcing to such companies, including legal and regulatory considerations, such as ensuring thorough due diligence and making sure that the mandate does not contribute to operational risk.
The guidance said: “Regulated firms retain full responsibility and accountability for discharging all of their regulatory responsibilities. Firms cannot delegate any part of this responsibility to a third party.”
Risk management should include a risk assessment and early identification of industry good practice in data security and management. Firms should also review whether the risks differ for different types of clients.
Other things to consider, according to the FCA, include the extent to which the service provider adheres to international standards; how they will maintain accountability; and how they will ensure adequate access and oversight.
With regards to a security risk assessment, the FCA advised that firms agree a “data residency policy” at the beginning of the relationship, to be periodically reviewed, setting out the jurisdictions in which data can be stored, processed and managed.
Firms should understand the provider’s data loss and breach notification processes, ensuring they’re aligned with their own risk appetites, and consider the ways in which data is encrypted, transmitted and stored.
They should be allowed access to data, particularly for compliance and auditor access, however the FCA specified that access to premises applies only to head offices and operations centres, not necessarily data centres.
In response to the guidance, Phil Bindley, chief technology officer at The Bunker, and outsourced infrastructure and data storage provider, suggested that there is no reason why financial services firms shouldn’t use cloud services, as long as appropriate security assessments are carried out.
He agreed, however, that failure to do so will result in increased data security risks.
Bindley said: “Cloud is here to stay and it is experiencing increasing adoption due to the major benefits it brings. However, the issue of security is one that remains at the forefront of the cloud debate.”
“Putting appropriate guidance in place and acknowledging the potential risks are two integral steps when it comes to ensuring that the security risks associated with the cloud are minimised.”
He added: “These guidelines should be embraced as they encourage firms to do their due diligence to make sure they understand the ways in which their data is stored, processed and managed.”
The guidance also applies to any other third-party IT service providers, and noted that the term ‘cloud’ itself “encompasses a range of different IT services”.
It outlined areas that firms should consider before outsourcing to such companies, including legal and regulatory considerations, such as ensuring thorough due diligence and making sure that the mandate does not contribute to operational risk.
The guidance said: “Regulated firms retain full responsibility and accountability for discharging all of their regulatory responsibilities. Firms cannot delegate any part of this responsibility to a third party.”
Risk management should include a risk assessment and early identification of industry good practice in data security and management. Firms should also review whether the risks differ for different types of clients.
Other things to consider, according to the FCA, include the extent to which the service provider adheres to international standards; how they will maintain accountability; and how they will ensure adequate access and oversight.
With regards to a security risk assessment, the FCA advised that firms agree a “data residency policy” at the beginning of the relationship, to be periodically reviewed, setting out the jurisdictions in which data can be stored, processed and managed.
Firms should understand the provider’s data loss and breach notification processes, ensuring they’re aligned with their own risk appetites, and consider the ways in which data is encrypted, transmitted and stored.
They should be allowed access to data, particularly for compliance and auditor access, however the FCA specified that access to premises applies only to head offices and operations centres, not necessarily data centres.
In response to the guidance, Phil Bindley, chief technology officer at The Bunker, and outsourced infrastructure and data storage provider, suggested that there is no reason why financial services firms shouldn’t use cloud services, as long as appropriate security assessments are carried out.
He agreed, however, that failure to do so will result in increased data security risks.
Bindley said: “Cloud is here to stay and it is experiencing increasing adoption due to the major benefits it brings. However, the issue of security is one that remains at the forefront of the cloud debate.”
“Putting appropriate guidance in place and acknowledging the potential risks are two integral steps when it comes to ensuring that the security risks associated with the cloud are minimised.”
He added: “These guidelines should be embraced as they encourage firms to do their due diligence to make sure they understand the ways in which their data is stored, processed and managed.”
NO FEE, NO RISK
100% ON RETURNS If you invest in only one asset servicing news source this year, make sure it is your free subscription to Asset Servicing Times
100% ON RETURNS If you invest in only one asset servicing news source this year, make sure it is your free subscription to Asset Servicing Times