How to Meet Financial Conduct Authority (FCA) Cloud and Third-Party IT Services Compliance Requirements

Editor’s Note: In this week’s edition of our blog series, Third-Party Risk Management: How to Stay Off the Regulatory Radar, we take a look at the Financial Conduct Authority (FCA) FG 16/5 guidance for firms outsourcing to the cloud or other third-party IT services. Please be sure to review all the blogs in this series, and download the white paper for a complete examination of requirements.

The Financial Conduct Authority (FCA) is a regulatory body in the United Kingdom operating independently from the UK Government that regulates financial firms providing services to consumers and maintains the integrity of the financial markets in the UK.

In July 2018, the FCA released its finalized guidance, FG 16/5 Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services, to help financial firms effectively oversee all aspects of the lifecycle of outsourcing arrangements. This includes:

• Making decisions to outsource and selecting a service provider
• Performing proper risk assessments for all outsourcing arrangements
• Monitoring outsourced activities on an ongoing basis, and identifying and managing risks

The FCA Guidance 16/5 added cloud-specific controls in alignment with the general FCA outsourcing requirements found in the systems and controls (SYSC) sections of the FCA handbook for appropriately regulated firms, and also requires consistency with GDPR. Although this guidance is not binding and is intended to illustrate ways in which firms can comply with the relevant rules, firms should consider this guidance in the context of their overarching obligations under the regulatory system. Complying with this guidance will generally indicate compliance with the FCA outsourcing regulatory requirements.

Meeting FCA Cloud and Third-Party IT Services Compliance Requirements

The FCA FG 16/5 Guidance helps firms effectively oversee all aspects of the lifecycle of outsourcing arrangements. For the purposes of this blog, we have summarized select FCA requirements and identified Prevalent Third-Party Risk Management Platform capabilities that demonstrate the breadth and value you can gain from our complete TPRM platform. For a complete listing of the FCA requirements and how Prevalent capabilities map directly into them, please be sure to download the white paper, The Third-Party Risk Management Compliance Handbook.

According to the FCA FG 16/5, effective third-party IT services outsourcing includes:

• Appropriately identifying and managing the operational risks associated with the use of third parties, including undertaking due diligence before deciding on outsourcing.
• Carrying out and documenting a risk assessment to identify relevant risks and identify steps to mitigate them
• Ensuring staff have sufficient skills and resources to oversee and test the outsourced activities; identifying, monitoring and mitigating against the risks
• Carrying out a security risk assessment that includes the service provider and the technology assets administered by the firm

Prevalent Helps Assess and Monitor Third Parties According to FCA Guidelines

The FCA views the proper use of outsourcing to the cloud and other third-party IT services as a way for firms to increase flexibility and enable innovation. On the other hand, the FCA acknowledges that cloud outsourcing can also introduce risks that need to be properly identified, monitored and mitigated. This is accomplished through a proper risk assessment.

The Prevalent Assessment Service automates the vendor risk management lifecycle – including the collection, analysis, and remediation of third-party risks – offering security, privacy, and risk management professionals a single solution to manage the IT service provider risk assessment process and determine compliance with IT security, regulatory, and data privacy requirements. With bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency, the solution ensures that risks are identified and escalated to the proper channels

Prevalent’s Cyber & Business Monitoring solution offers firms the ability to gain insight into a service provider’s potential cyber vulnerabilities or relevant business risks prior to entering into a contract or during a defined business arrangement. The solution combines native vulnerability scanning with multiple external sources for cyber threat intelligence to deliver deep insights into the cyber risks of service providers. Also, Prevalent is unique in that it offers business risk monitoring that leverages human analysts to interpret potential operational, brand, regulatory, legal, and financial risks.

These capabilities are centralized into the Prevalent Third-Party Risk Management platform that includes effective reporting to satisfy audit and compliance requirements as well as to present findings to the board and senior management. The entire risk profile can be viewed in the centralized live reporting console, and reports can be downloaded and exported to determine compliance status. Deep reporting capabilities include filters and click-through interactive charts. The solution includes a complete repository of all documentation collected and reviewed during the diligence process.

Prevalent’s Third-Party Risk Management platform provides a complete framework for implementing policy management, auditing and reporting as called for in FCA FG 16/5 Guidance.

Contact us today for a demo to see how.

Our Series Continues…

Next week’s blog examines the third-party risk management considerations inherent in the General Data Protection Regulation (GDPR).