UKGI Compliance Manual

The rules and principles which apply 

The FCA originally published guidance in July 2016 for firms which are outsourcing to the ‘cloud’ and other IT service providers. This guidance remains relevant today and is referenced in the FCA’s high level guidance for firms in relation to outsourcing and operational resilience.

General guidance on managing risks and the oversight of third party outsource arrangements can be found in Section A.16.1.

Firms should also note that the FCA expects them to manage the amount of data being stored, processed or transmitted by third-party providers on the firm’s behalf, and to understand how critical that data is to the firm’s operations. This includes how firms configure and monitor the services they consume in order to reduce security and compliance incidents.

Firms should implement an appropriate level of security to protect outsourced data processing, including compliance with the relevant data protection requirements, which are separate from the FCA Handbook (see Section K.2 for more information on data protection requirements, including information for firms using Artificial Intelligence).

How this may affect firms

With significant advances in technology, firms are increasingly likely to be using a range of technologies for purposes such as improving efficiency and communications. In particular, advances in Artificial Intelligence mean that a growing number of firms are entering into supplier arrangements with third-party IT service providers. It is important to note that not all providers will be UK based; in particular, some may transfer and hold data on servers located outside the UK.

We provide more information on the risk and compliance issues that a firm should consider when deploying Artificial Intelligence in Section K.1 of this Manual. This includes the need for firms to complete a Data Protection Impact Assessment for any high-risk processing or when new technologies are deployed.

Firms may place significant reliance on third-party IT providers in order to access the skills, tools and platforms which enable technological advancement within their operations. As such, these arrangements may fall under the definition of material, critical or important outsource arrangements (defined in Section A.16). Such arrangements may require notification to the FCA and will require the firm to exercise appropriate risk control and oversight over them, as well as ensuring that personal data is safeguarded at all times.

Therefore firms should also take note of the following considerations, in addition to those generally outlined in Section A.16.1.

Legal and regulatory considerations

Before entering into an outsource arrangement with a third-party IT supplier, a firm should:

  • Have a clear and documented business case or rationale in support of the decision to use one or more service providers for the delivery of critical or important operational functions or material outsourcing.
  • Ensure the service is suitable for the firm and consider any relevant legal or regulatory obligations, including where a firm is looking to change their existing outsourcing requirements.
  • As part of the due diligence exercise, ensure that entering into the outsource agreement does not increase the firm’s operational risk.
  • Consider the relative risks of using one type of service over another e.g. public versus private ‘cloud’.
  • Maintain an accurate record of contracts between the firm and its service provider(s).
  • Know which jurisdiction the service provider’s business premises and servers are located in and how that affects the firm’s outsource arrangements (including data protection obligations).
  • Know whether its contract with the service provider is governed by the law of and subject to the jurisdiction of the United Kingdom. If it is not, it should still ensure effective access to data and business premises for the firm, auditor and relevant regulator (see Section A.16.1 for information on access to data and business premises).
  • Consider any additional legal or regulatory obligations and requirements that may arise such as through the Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR).
  • Where relevant, identify where any services may be sub-contracted and ensure that the requirements on the firm can be complied with throughout the supply chain. Similarly, where multiple providers form part of an overall arrangement (as distinct from a chain) the requirements should be complied with across the arrangement.

Risk management

A fundamental principle of the rules and guidance on outsourcing is that firms identify and manage any risks introduced by their outsourcing arrangements. Accordingly, firms should:

  • Carry out a documented risk assessment to identify relevant risks and identify steps to mitigate them.
  • Identify current industry good practice, including data and information security management system requirements, cyber risks, as well as the relevant regulator’s rules and guidance to then use this to support its decision making.
  • Review whether the legal and regulatory risks differ if the customers, firms and employees involved in providing or using the services are in different geographic or jurisdictional locations (e.g., inside or outside of the UK).
  • Assess the overall operational risks associated with the regulated service for which the firm is responsible and assign responsibility for managing them.
  • Monitor concentration risk and consider what action it would take if the outsource provider failed.
  • Require prompt and appropriately detailed notification of any breaches or other relevant events arising including the invocation of business recovery arrangements.
  • Ensure the contract(s) provide for the remediation of breaches and other adverse events.

International standards

In conducting its due diligence on potential third-party providers, and as part of ongoing monitoring of service provision, a firm may wish to take account of the provider’s adherence to international standards as relevant to the provision of IT services.

Assurance obtained from international standards for the delivery of critical or important operational functions or material outsourcing is unlikely to be sufficient on its own. Nevertheless, firms should take account of any external assurance that has already been provided when conducting their own due diligence. External assurance may be more relevant to a firm’s consideration where:

  • It is against well-understood standards (such as, for example, the ISO 27000 series).
  • The part of the service being assessed is relatively stable (such as physical controls in the data centre or staff vetting).
  • The service is uniform across the customer base (i.e. not particular or bespoke to the firm’s outsourcing).
  • The scope of the third-party audit is specific to the service a firm proposes to use (i.e., the audit is against the data centre the firm is using, not a similar data centre in another jurisdiction).

Data security

Firms should carry out a security risk assessment that includes the service provider and the technology assets administered by the firm. Typically this means that firms should:

  • Agree a data residency policy with the provider upon commencing a relationship with them, which sets out the jurisdictions in which the firm’s data can be stored, processed and managed. This policy should be reviewed periodically.
  • Understand the provider’s data loss and breach notification processes and ensure they are aligned with the firm’s risk appetite and legal or regulatory obligations.
  • Consider how data will be segregated (if using a public cloud).
  • Take appropriate steps to mitigate security risks so that the firm’s overall security exposure is acceptable.
  • Consider data sensitivity and how the data is transmitted, stored and encrypted, where necessary.

A firm must ensure that it can comply, at all times, with the Data Protection Act 2018 (DPA) and the UK GDPR. Data protection requirements are separate from FCA Handbook requirements, and each must be met separately.

The DPA and UK GDPR are overseen and regulated by the Information Commissioner’s Office (ICO). Firms should therefore follow the ICO’s Guide to Data Protection and Guide to the GDPR, which are covered in more detail in Section K.2.3 of this manual, as well as other relevant guidance including the ICO’s guidance on cloud computing.

High-risk data processing, or any deployment of new technology which will involve the processing of personal data, will require completion of a Data Protection Impact Assessment (DPIA). For more information on DPIAs see Section K.1.2.

Access to data

A firm should ensure that any notification requirements on accessing data, as agreed with the service provider, are reasonable and not overly restrictive. For example, the firm should:

  • Ensure there are no restrictions on the number of requests the firm, its auditor or the Regulator can make to access or receive data.
  • Advise the service provider that the regulator will not enter into a non-disclosure agreement with the service provider, but will treat any information disclosed in accordance with the confidentiality obligations set out in the Financial Services and Markets Act (FSMA), sections 348 to 349.
  • Ensure that, where the firm cannot disclose data for any reason, the contract enables the regulator or the firm’s auditor to contact the service provider directly.
  • Ensure that data is not stored in jurisdictions that may inhibit effective access to data for UK regulators.

Considerations should include the wider political and security stability of the jurisdiction, both the law in force and law enforcement provisions in the jurisdiction, and the international obligations of the jurisdiction.

Change management

Risks can be introduced or increased when changes are made to processes and procedures, even where these are well established. The FCA expects firms who are outsourcing to have in place a comprehensive change management process, but particular note should be taken of the following points:

  • establishing what provision has been made for making future changes to technology service provision; and
  • establishing how the testing of changes will be carried out.

Relationships between service providers

Outsourcing supply chains for IT-related services can sometimes be complex. If the regulated firm does not directly contract with the outsource provider, it should review the sub-contracting arrangements relevant to the outsourced activity to determine whether these enable the regulated firm to continue to comply with its regulatory requirements. Firms should consider, for example, security requirements and effective access to data and business premises.

The regulated firm must be able to comply with these regulatory requirements even if it does not directly contract with the outsource provider.

The Contracts (Rights of Third Parties) Act 1999 may be relevant to these considerations. The regulated firm should consider how service providers work together; for example, will the firm or one of the service providers take the lead systems integration role? Firms should also consider how easily a service provider’s services will interface with the firm’s internal systems or other third-party systems.

We have included the following documents to support firms with outsourced IT arrangements:

  • CORE37 – Proof of Concept template (Artificial Intelligence)
  • CORE26 – Information Asset register and DPIA guidance