There has been much speculation on the use of Cloud computing for Financial Services organisations.
Concerns raised have been due to security and data privacy concerns by Compliance departments and various audit bodies.
The IT community have continued to stress that Financial Services, as one of the biggest global computer users, must use Cloud to be able to survive.
The situation is now clear. The FCA will support the use of Cloud services, in the same way that they support Outsourcing services. Under the final guidelines issued on July, 7th, FG 16/5: Guidance for firms outsourcing to the ‘cloud’ and other third party IT services, the FCA are effectively allowing the use of Cloud, with similar restrictions as any Outsourcing.
In the main the use of Cloud will need to follow the same guidelines and rules as for the use of Outsourcing, and be controlled by following the FCA SYSC Systems and Controls guidelines 3.1 covering the use of all IT systems within Financial Services, and includes Outsourcing details.
As with all IT, the FCA FG 16/5 guidelines are quite clear that moving compute capacity to the Cloud does not remove a firm’s responsibility for that compute environment. Like the Outsourcing rules, company representatives still need to be responsible for the use and controls of a Cloud service.
With the Outsourcing options already available from the FCA, for non EEA hosting and services, these facilities need specific checks and balances to be put into place. The Cloud regime allows for the same options. So non-EEA facilities can be utilised, with the right controls.
This is a brave and foresighted decision by the FCA, and one that is critical for the future of the industry.
Data centres run directly by organisations cannot scale quickly enough. And only the biggest firms can afford to own and run their own. Data Centres are now facilities that are hired. Cloud is the next logical step from this, without the concerns about physical access.
As the Cloud continues to expand, and the big IT services companies, build acres of compute facilities, purchasing physical servers that fit “individual financial services firms” standards is becoming increasingly difficult.
Fewer IT vendors are building proprietary servers as the Cloud virtualisation removes this specific requirement, and profitability drops out of this sector in the industry.
Choice of physical servers is reducing, choice of Cloud suppliers providing virtual servers, using generic kit is increasing. Financial Services need to embrace the Cloud, and the regulators allowing this critical step, is a big leap forward.
Security, always a bug bear within the huge IT Security departments within Banks and Asset Management firms becomes easier, and more secure. The big Cloud providers, Amazon, IBM, Microsoft and the specialist niche firms are security experts, employ huge teams of specialists, and make sure all their servers are patched. Most break-in’s and Virus attacks in financial firms are simply caused by the fact that their internal teams are simply not this good.
If anything moving to Cloud, levels the playing field, reduces cost, improves security and allows for the massive expansion that is still being driven by financial services growth in volumes and regulatory calculation demand.
The sticking point will continue to be Data Privacy. Whilst the FCA have allowed Cloud as they allow Outsourcing, the use of Cloud and Outsource is still hampered by the exposure of Client data to non-resident analysis of the data. For example the US looking at EU client data, Swiss clients being exposed outside Switzerland.
The exception list is long, and often a local requirement by a local regulator, protectionist maybe, and always argued as protecting Clients in their jurisdiction.
The declaration that the Safe Harbour process was not valid by the EU in October 2015 made this situation more difficult.
The rushed replacement of this by the Privacy Shield initiative between the EU and the US in February 2016, plugs the gap, at least short term.
To be clear, even with this Data Privacy issue hanging over the Cloud process, and indeed Outsourced facilities outsides a firms’ core jurisdiction, there are many processes in Financial Services that contain no client data whatsoever.
These include overnight Regulatory compute, pricing mechanisms, much of the Reg Reporting requirement, and indeed many of the Desktops sat physically in numerous locations could all safely be moved to the Cloud.
There is an expectation that Privacy Shield and other initiatives will continue to close the gap in what can be put into the Cloud, and the Cloud providers themselves are working very actively to bring Financial Services on board by guaranteeing the location of data used, and specific data sets within that data.
All in all the FCA 16/5 Cloud announcement is a huge step forward for the Financial Services industry, and indeed is entirely the right move by the FCA. Now let’s move the over complex and heavily exposed facilities within these Financial Services firms to a more flexible, secure, cost-effective Cloud environment, and focus on building a business, not an IT stack.
We have worked with Cloud services for several years, and manage much of our services in both public and private cloud environments. If you want advice on the approach here please do contact us, informally or formally.
FCA Cloud Guidelines: https://www.fca.org.uk/news/fg16-5-guidance-for-firms-outsourcing-to-cloud-and-third-party-it-services
FCA SYSC Handbook: https://www.handbook.fca.org.uk/handbook/SYSC/