FCA - Proposed guidance for firms outsourcing to the ‘cloud’ and other third-party IT services
Response to the consultation
ABCUL supports and appreciates the rationale behind producing the guidance on outsourcing for regulated firms. Credit unions, like other types of firm, are increasingly looking at ‘cloud’ and other outsourced solutions for their business needs and therefore guidance as to the applicability of SYSC 8 is a very welcome addition.
In general our members have no great opposition to the principles which sit behind SYSC 8 and the guidance as it elaborates upon this. However, we do have crucial concerns as regards the proportionality of their applicability.
Credit unions are small firms which tend to operate on tight margins due to their social mission to provide inclusive financial services to those in low income communities. As small firms, a failure of their outsourcing arrangements has much less potential to cause consumer detriment. Likewise, supporting credit union growth through proportionate application of the outsourcing requirements is in keeping with the FCA’s objective to promote competition.
Requiring the same level of due diligence, access, risk management and oversight by credit unions as that expected of large firms subject to SYSC 8 is, in many cases, an impossible expectation to meet due to their limited resources and therefore places credit unions at a competitive disadvantage. This would be contrary to FCA’s statutory competition objective and its requirement to apply regulation proportionately.
We would like the guidance to be clearer in its affirmation of proportionality as an abiding principle across the requirements under SYSC 8 – this is both in respect of the criticality and materiality of the outsourced function and also in respect of the firm’s scale, complexity and potential to cause consumer detriment. While we recognise that the guidance does allude to the principle of proportionality, it would be helpful if it could go further in delineating how this might be enacted in practice.
A key area in which this is pertinent is that of new start credit unions. The experience of recent new start credit unions has been that the requirements around satisfying the regulators’ expectations on IT outsourcing have added hundreds of thousands of pounds to the cost of gaining authorisation. This is a significant outlay for very small organisations starting life with strictly limited capital resources. In at least two recent cases, these issues almost prevented the credit union from gaining authorisation at all.
Another key issue here, both for new start and established credit unions, is that of effective access to business premises. Under SYSC 8.1.8, common platform firms are required to ensure effective access to data and outsourced-providers’ business premises for both themselves and the regulator. This is a requirement found in MiFID and is relatively inflexible as it relates to common platform firms. However, credit unions are subject to these requirements only as guidance. It is our contention, therefore, that where an outsourced provider is unwilling to provide access to business premises but may permit authorised third parties access to premises, this ought to be considered by FCA as potentially meeting the spirit of the requirement as laid out in the guidance.
It is a significant shortcoming of the guidance under consultation that it makes no reference specifically to the expectations of FCA around access to data and business premises for firms to which these requirements do not apply as rules. The guidance is clear in its expectations of those to whom the requirements do apply as rules, implying that the FCA recognises a distinction here in expectation, but what this might mean in practice is not established.
There is clear evidence from recent cases within the credit union sector that applying this guidance as a de facto rule for our sector has the potential either to significantly increase the costs associated with cloud-based suppliers by eliminating the lowest-cost providers and / or to significantly reduce the quality of solution available to credit unions, since those suppliers who are able to comply with SYSC 8 at a competitive price are substantially inferior in quality, security and risk management terms to those that do not. This is a perverse outcome that cannot represent the best outcome for consumers, firms or the FCA’s statutory objectives.
In its recent consultation on reforms to its regulatory framework for credit unions, the Prudential Regulation Authority has confirmed in its Policy Statement – PS 4/16 – Reform of the legacy Credit Unions sourcebook that it will no longer require access to business premises for credit unions’ outsourced providers, provided it does have effective access to the data stored therein. Similarly, the government of the Netherlands has permitted arrangements whereby third party assurance can be accepted as meeting the MiFID requirements for access to premises. Both of these approaches seek to marry legitimate concerns for data security and integrity with a proportionate and common sense approach to not unduly limiting firms’ scope of action and raising costs of compliance to the disadvantage, particularly, of smaller firms.
We urge the FCA to reconsider this omission and to make clear in the guidance its expectations where firms are subject to access requirements only as guidance, as is the case for credit unions. These expectations ought to reflect a proportionate approach which does not make physical access to premises mandatory where alternative methods of assurance and risk management can be agreed and identified. The rationale behind limiting these requirements to common platform firms and applying them only as guidance elsewhere is precisely to allow for proportionate responses to the needs of credit unions.
We worry that the FCA’s focus on cloud solutions and issues of access could have perverse outcomes whereby inferior products and suppliers are favoured due to the costs of securing cloud-based solutions which meet the FCA’s demands on access. These inferiorities could well, for example, undermine the business continuity aims of the requirements or reduce data security standards.