The FCA has published a guidance consultation for firms seeking to outsource cloud and other IT services to third party providers.
For Financial Conduct Authority (FCA) regulated firms, a key concern has long been the standards required of them to comply with the FCA’s rules with regard to IT. An important aspect of this is the outsourcing of some or all IT hosting, management and support services to third party providers; this includes public and private cloud hosting services, which can take the form of infrastructure, platform and software as a service.
The FCA have acknowledged that there is uncertainty amongst both firms and their suppliers around what the rules are and how they are applied. In light of this, a guidance consultation was produced in November 2015 which provided an overview of the areas that firms should consider when outsourcing IT services.
In this blog post we will provide an overview of the 13 areas of interest covered in the outsourcing guidance, along with how Capital Support aligns itself to the FCA’s guidelines.
1. Legal and Regulatory Requirements
When outsourcing, it is essential for firms to build a business case that justifies the decision to host IT services with a third party provider. Diligence needs to go into the adoption of a particular service, be that a public or private cloud offering, and the service must be fit for the firm’s purpose. The third party provider contract should also be subject to United Kingdom jurisdiction, as should any contracts that comprise part of the firm’s wider IT provision.
Capital Support’s data centres are all based in the UK, from where we provide services to customers globally. We comply with the Data Protection Act 1998.
2. Risk Management
It is the outsourcing firm’s responsibility to ensure that robust risk management is in place. This includes carrying out a documented risk assessment, as well as operating an information security management system (ISMS).
Capital Support is an ISO 27001:2013 certified company. ISO 27001:2013 is the international ISMS standard, and in order to maintain this certification we need to continually develop and follow our framework of security policies.
3. International Standards
Part of a firm’s due diligence should involve assessing the third party provider’s adherence to international standards, such as the aforementioned ISO 27001:2013 certification.
Capital Support’s services are continually assessed by third parties, either at the behest of our customers or as part of our own continual service improvement model. We employ third party due diligence firms to carry out assessments on our data centre environment, and penetration tests are regularly carried out on our infrastructure by specialist security firms.
4. Oversight of Service Provider
A firm maintains full accountability for its regulatory responsibilities. This means that a clear understanding of the responsibilities and accountabilities between the firm and the third party provider is essential when outsourcing IT services.
Capital Support provides a tailored master services agreement (MSA) and scope of works (SoW) to every customer. The MSA and SoW help to delineate lines of responsibility and accountability, and we actively engage with our customers on both a day-to-day and a strategic level in order to ensure that the services that we deliver are appropriate to each customer’s needs.
5. Data Security
A firm that outsources IT services – especially to a public or private cloud service – needs to understand where its data is stored, how it is managed, how it is kept separate from other service subscribers, and what measures are in place to protect from data loss.
Capital Support hosts customer data exclusively in UK data centres, and all customers subscribing to our Private Hosted Infrastructure service are provided with their own dedicated virtual environment that is fully segregated from other service subscribers. We maintain robust disaster recovery and offsite backup arrangements to ensure that – in the case of a data loss event – any loss suffered by a customer is kept to a minimum.
6. Data Protection Act 1998
All firms must meet the eight principles of the Data Protection Act 1998, which are distinct from the FCA’s requirements.
Capital Support complies with the Data Protection Act 1998. We have comprehensive data protection and data security policies in place, and – given the sensitive nature of the data managed by our alternative investment management customers – our policies and procedures are built around maintaining the confidentiality, integrity and availability of our data and that of our customers.
7. Effective Access to Data
Some regulated firms are required to provide access to their data for auditors and regulators. These firms must not place undue restrictions on the access they provide, and the data requested can be customer data as well as system and process data.
At Capital Support we provide the regulated firms we support with the ability to offer secure, monitored temporary access to auditors and regulators when required.
8. Access to Business Premises
Auditors and regulators require access to regulated firms’ business premises, which can mean both offices and hosting data centres. As with the access to data, firms need to be open to providing this access given reasonable notice, and auditors may not be appointed by the outsourcing provider.
As a provider of hosting services to a significant number of FCA and U.S. SEC regulated firms, Capital Support regularly arranges for auditors and regulators to inspect and report on both our head office and our data centre facilities on behalf of our customers.
9. Relationship Between Service Providers
Outsourced providers may not necessarily provide the breadth of their services in-house; in many cases, aspects of the services they deliver will be outsourced to other third parties. Regulated firms are responsible for the compliance of the services they contract, and so it is incumbent upon them to ensure that any services contracted out by their outsourced providers comply with regulatory requirements.
The majority of our customer base is made up of regulated firms, and so it is important that the aspects of our services that we outsource to third parties comply with regulatory requirements in the same way that our in-house services do.
10. Change Management
Given the nature of their businesses, alternative investment managers have a low tolerance for risk. Making changes to an IT infrastructure introduces risk to a business, and so regulated firms are expected to have robust change management processes in place.
Capital Support have a documented change management process, which we follow when making changes to customers’ infrastructures. This includes comprehensive planning, testing and documentation in order to minimise risk.
11. Continuity and Business Planning
All businesses need well thought out, relevant, and thoroughly implemented disaster recovery and business continuity provisions; regulated firms are no different. As business continuity plans especially are unique to a business, there is an onus on each firm to be responsible for its own planning; it is not sufficient simply to copy another firm’s business continuity plan.
At Capital Support we have disaster recovery and business continuity plans that we maintain for internal use in the event of a disaster event, be that relating to access to our offices or a cyber-attack on the business. We support our customers with the IT element of their disaster recovery provisions.
12. Resolution
When a regulated firm enters resolution, it needs to be able to maintain IT services and retain data during the following transitional period.
Given the nature of our customer base, at Capital Support we are well versed in supporting regulated firms throughout all phases of their lifecycle, from launch through to resolution.
13. Exit Plan
Regulated firms need to ensure that their contracts with outsourced providers have enough flexibility to enable exit agreements to be reached without causing undue disruption to operations. Firms’ regulatory compliance should not be affected when leaving an outsourced provider.
Capital Support have comprehensive exit planning provisions written into the master services agreements that we provide to our customers. This helps to ensure that, should a customer wish to leave us for any reason, this can be handled efficiently, with minimal risk.
The FCA’s guidance consultation has provided more clarity around the regulatory body’s expectations of regulated firms. Although firms are certainly expected to take active steps to meet the standards summarised in the document, the standards themselves are not onerous or restrictive. By partnering with an outsourced IT provider with experience in delivering services to regulated firms, your firm will be in a position to meet the FCA’s guidelines across all 13 areas of interest.
For more information on Capital Support’s regulatory compliant hosting, support and managed services, please feel free to contact us.