
FCA FG 16/5 Compliance

FCA FG 16/5 and Third-Party Risk Management

The Financial Conduct Authority (FCA) regulates financial firms providing services to consumers and maintains the integrity of the financial markets in the United Kingdom. Its work includes implementing, supervising and enforcing EU and international standards and regulations in the UK. In July 2018, the FCA released its finalized guidance, FG 16/5 Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services, to help financial firms effectively oversee all aspects of the lifecycle of their outsourcing arrangements.

The FCA Guidance 16/5 adds cloud-specific controls in alignment with the general FCA outsourcing requirements found in the systems and controls (SYSC) sections of the FCA handbook for appropriately regulated firms, and also requires consistency with GDPR.

The FCA views the proper use of outsourcing to the cloud and other third-party IT services as a way for firms to increase flexibility and enable innovation. However, the FCA also acknowledges that cloud outsourcing can introduce risks that need to be properly identified, monitored and mitigated. This is accomplished through a proper risk assessment.

Relevant Guidelines

  • Performing proper risk assessments for all outsourcing arrangements

  • Monitoring outsourced activities on an ongoing basis, and identifying and managing risks


Meeting FCA TPRM Guidelines

Here's how Prevalent can help you address FCA FG 16/5 third-party risk management guidance:

FCA FG 16/5 Guidelines | How We Help

Section 3.4

“A firm appropriately identifies and manages the operational risks associated with its use of third parties, including undertaking due diligence before deciding on outsourcing. Our approach is risk-based and proportionate, considering the nature, scale and complexity of a firm’s operations.”

Prevalent’s Cyber & Business Monitoring solution offers firms the ability to gain insight into a service provider’s potential cyber vulnerabilities or relevant business risks prior to entering into a contract or during a defined business arrangement.

Prevalent combines native vulnerability scanning with multiple external sources for cyber threat intelligence to deliver deep insights into the cyber risks of service providers.

Prevalent is unique in that it offers business risk monitoring that leverages human analysts to interpret potential operational, brand, regulatory, legal, and financial risks.

Examples include:

  • Insider threats
  • Financial problems
  • M&A activity
  • Layoffs
  • Data breach cases
  • Reputational metrics

Risk Management

“Accordingly, firms should:

  • carry out a risk assessment to identify relevant risks and identify steps to mitigate them

  • document this assessment”

The Prevalent Assessment service offers security, privacy, and risk management professionals an automated platform to manage the service provider risk assessment process and determine compliance with IT security, regulatory, and data privacy requirements. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels.

Oversight of Service Provider

“Ensure staff have sufficient skills and resources to oversee and test the outsourced activities; identify, monitor and mitigate against the risks arising.”

Third-party risk management is costly and time-consuming when using inefficient and error-prone manual data-gathering and sharing processes. Prevalent’s Assessment solution automates this by collecting, organizing, and presenting service provider data to immediately facilitate decision making and manage vendor risk.

Data Security

“Firms should carry out a security risk assessment that includes the service provider and the technology assets administered by the firm.”

The Prevalent solution enables automated, standards-based or custom questionnaires to identify and manage third-party risk.

Standards-based questionnaires evaluate third parties on various controls, including cybersecurity, IT, privacy, data security, cloud hosting, and business resiliency.

The platform also includes bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency.

Effective Access to Data

“A firm should:

  • ensure that notification requirements on accessing data, as agreed with the service provider are reasonable and not overly restrictive
  • ensure there are no restrictions on the number of requests the firm, its auditor or the regulator can make to access or receive data”

The Prevalent Third-Party Risk Management platform includes effective reporting to satisfy audit and compliance requirements as well as to present findings to the board and senior management. The entire risk profile can be viewed in the centralized live reporting console, and reports can be downloaded and exported to determine compliance status. Deep reporting capabilities include filters and click-through interactive charts. The solution includes a complete repository of all documentation collected and reviewed during the diligence process.
