FCA Cloud Guidance for Financial Services

Hey you; get off of my (public) cloud

It appears the UK regulator might want to rewrite those famous Stones lyrics. It has truly been refreshing to see the Financial Conduct Authority (FCA) adopt such a progressive attitude towards cloud services.

Regulatory guidance or consultations typically precipitate a collective sigh from the market. But the FCA’s guidance consultation 15/6 issued last November was instead met with universal approval. Many even claimed it would pave the way for financial services companies to take advantage of cloud computing services.

Cloud architectures and delivery models have naturally long been championed by IT professionals. But, with the FCA clarifying that it doesn’t object to the use of a public cloud per se, the floodgates truly have been opened. Of course, the guidance comes with a caveat. The regulator insists firms must continue to comply with regulations such as Systems and Controls (SYSC). But, caveats aside, this is pretty progressive. It is also helpful in cementing the regulator’s position as a supporter of innovation.

Our industry has often been hamstrung by decades of technical debt and a desire to maintain the status quo. Surely having a regulator take an active stance in promoting and fostering innovation is to be applauded? This follows earlier news of other financial regulators embracing, publicly approving or even themselves using the public cloud, for example in Singapore and at FINRA. The European Union Agency for Network and Information Security (ENISA) gave a good summary in its recent report, which also covers the Dutch and Swiss regulators.

FCA Cloud Guidance – the Risks and Considerations

That said, adopting cloud services is not without risk. It is therefore absolutely right that the published guidance documents a detailed list of factors firms should take into account before doing so. It is imperative that any solution is implemented correctly.

The guidance offers a comprehensive, but by no means prescriptive, list of the factors that need to be considered. These include: legal and regulatory, risk management, international standards, provider oversight, access to data and business premises, outsourcing supply chains, change management processes, business continuity and resolution plans, and finally vendor risk.

Encouragingly, the FCA offers constructive guidance within each of those categories. For example, given that some cloud service providers keep the location of their data centres a guarded secret (for security reasons), the FCA acknowledges that “service providers may, for legitimate security reasons, limit access to some sites – such as data centres.” Even so, not having physical access to a data centre does not prevent firms from complying with audit obligations to provide access to certain data sets.

We believe the FCA is showing a pragmatic and progressive approach towards cloud adoption, one that in our opinion opens a new chapter for financial technology. It is already materialising on the ground, with a wave of recent or imminent announcements of large-scale public cloud adoption from established names across the spectrum of financial services.