U.K. Financial Regulator Offers Guidance on Cloud Services
Hoping to encourage fintech innovation, the U.K. Financial Conduct Authority has issued a 17-page document that offers guidelines for how financial services firms can use outsourced Web-hosted services without running afoul of regulators.
The cloud services guidelines are not binding, but they do offer general and specific advice on legal, technical and data-security topics. Some of the advice will be familiar to many firms or executives charged with overseeing an organization’s technology infrastructure, while other guidelines offer companies a chance to see issues related to the cloud through the eyes of regulators. For instance, among the many bullet points are these guidelines:
- Identify current industry good practice, including data and information security management system requirements and cyber-risks, as well as the relevant regulator’s rules and guidance, and then use this to support decision making
- Ensure staff have sufficient skills and resources to oversee and test the outsourced activities; identify, monitor and mitigate against the risks arising; and properly manage an exit or transfer from an existing third-party provider
- Stipulate in contracts that a regulator visit to an outsource provider’s business premises will only take place if the regulator deems it necessary and required under applicable legal and regulatory requirements
The U.K. regulatory agency crafted the guidelines based on feedback from the financial services industry.