Out-Law / Your Daily Need-To-Know

The Financial Conduct Authority's (FCA) guidance on outsourcing to the cloud no longer applies to banks.

The change was confirmed in an update the UK regulator made to its guidance (18-page / 434KB PDF) late last month.

The guidance had applied to banks since 2016, but they have now been told to ignore the FCA's cloud guidance and adhere to the recommendations on cloud outsourcing that the European Banking Authority (EBA) has set instead. Those recommendations were finalised in late 2017, but only took effect on 1 July this year.

"This guidance does not apply to a bank, building society, designated investment firm or IFPRU investment firm as defined in the FCA Handbook to whom the EBA recommendations on outsourcing to cloud service providers are addressed," according to the FCA's revised guidance.

Other changes the FCA has made to its cloud guidance are predominantly technical in nature. The regulator said the guidance is still "relevant" to all other firms authorised under the Financial Services Markets Act.

Financial services and technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said the FCA made the change without much fanfare and that some people within the banking industry in the UK may not have picked up on it as a result.

"Many banks will have based their cloud policies and general approach to cloud on the FCA guidance and will now need to rethink their positions," Scanlon said.

He also flagged that the EBA is in the process of replacing its cloud recommendations – despite them newly taking effect – with new guidance on outsourcing that will apply more generally. Its consultation on proposed new Committee of European Banking Supervisors (CEBS) guidelines on outsourcing was opened in June and is due to close on 24 September.

"Banks need to be careful not to place too much reliance on the wording of the EBA's cloud recommendations as they are being repealed," Scanlon said.

"Unfortunately, the draft new CEBS guidelines fail to resolve some of the uncertainties that have arisen around banks' regulatory duties when engaging cloud providers which have stemmed from wording in the EBA's cloud recommendations. Uncertainties persist in relation to how banks meet their duties on audit rights and in respect of subcontracting, as we have previously highlighted. It is vital that banks engage with the EBA's CEBS consultation to ensure those issues are addressed in the final version of the guidelines," he said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.