FCA guidelines: Clear skies for financial services’ cloud migration?
In July, the UK Financial Conduct Authority (FCA) issued guidance for firms seeking to make use of cloud providers and other, similar, third-party IT services. The FCA’s remit covers the operations of the financial services sector in the UK. But their guidance is often viewed as best practice by other regulated industries too; for example, FCA advice on business continuity is often referenced as best-practice beyond the finance vertical.
These FCA guidelines are an important, forward-looking step that shows the regulator moving towards an honest and open-minded assessment of the advantages of this technology. The advice seems to acknowledge that the cloud is now at a stage of maturity where, when implemented with forethought, it can be as secure as (if not more secure than) on-premise infrastructure. An overall thumbs-up from a body like the FCA may mean that some financial services organisations will now begin to green-light cloud initiatives that had previously been held back by the lack of a clear signal from the regulator.
The FCA says that IT strategy is an area that continues to evolve rapidly and that now, more than ever, the advantages of cloud and related services are many, including “cost efficiencies, increased security, and more flexible infrastructure capacity.” It says there is “no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules.”
You will, however, have noted the qualification “with appropriate consideration” in the quotation above. As with any good guidelines, there will be new considerations for businesses and providers alike to factor into their cloud strategies before it’s clear skies ahead.
In many areas, the guidelines mirror our own thoughts on sensible practice. They argue that before moving “critical or important operational functions” to the cloud, a solid business case should be established, combined with a thorough risk assessment. They also state that transparency is a key trait to look for in a service provider, including the ability to audit and enter cloud hosting data centres.
In establishing trust with your cloud services provider, at Navisite we have long felt that visibility – both physical and delivered through remote monitoring tools – is crucial. Navisite has long welcomed clients’ own auditors and regulators to visit our data centre facilities, to give peace of mind that their sensitive data is secure and safely stored. That’s why we believe the FCA instruction is sensible: a firm seeking to make use of cloud services should expect to obtain access to any data being stored, whenever it wants, as well as equivalent access for its auditors and regulators.
However, some of this guidance is already being viewed as more extensive than may be practical or reasonable for some of the businesses concerned. The hyper-scale public cloud providers will obviously argue against the guidance on securing access to facilities and gaining certainty around the location of workloads. And whilst the recommendation that firms identify all the service providers in the supply chain has been softened, many still believe that IT services are often necessarily very complex: go more than one or two links down that chain and you are looking at a great many specialised suppliers of solution components.
In other guidance, firms are expected to continuously evaluate cloud services providers and to manage services using staff with “sufficient skills and resources to oversee and test the outsourced activities; identify, monitor and mitigate against the risks arising.” This is a sensible request, but one reason to adopt managed services or cloud provision is that the kinds of advanced, broad-ranging IT skills stipulated above are rare and expensive to hire. Such a wide collection of skillsets and trusted expertise is not always feasible in-house, though of course it is something we find particularly important to be able to offer our clients at Navisite. A major factor in the whole attraction of cloud providers is that we do the preparation, maintenance, monitoring, testing and risk mitigation, leaving our clients to get on with their direct line of business.
Ultimately, these are all guidelines: they are not legally binding on financial services organisations under the FCA’s purview. It will continue to be important for firms to work closely with their IT services and cloud providers to understand exactly how well-maintained provisions work, where the risks actually lie and what their specific needs are.