The FCA has finalised its new guidance to authorised firms on outsourcing to the 'cloud' and other third party IT services, which is mandatory for some firms but (strongly) advisory for others. Unfortunately, exactly what amounts to 'outsourcing' remains grey and short of examples, as do important issues such as the meaning of 'cloud' (largely a marketing term anyway), whether access to data centres is necessary and so on. Not only does that leave FCA staff and finance firms in doubt, but it leaves service providers exposed to the need for financial firms to suddenly switch providers where the FCA considers that guidelines should have been followed but have not been.
The FCA guidance says that outsourcing is "where a third party delivers services on behalf of a regulated firm". That suggests the service in question must effectively be part of the firm's service to its customers, like answering customer calls on the firm's behalf in a call centre, as opposed to, say, the supply of commercial IT hosting services for web sites, apps or back-office software etc., which the firm is not in the business of providing to customers.
A table in the guidelines sets out an extensive process and related paper trail designed to show that a firm has outsourced a function appropriately.
So lack of clarity on the boundary between outsourcing and normal service provision means that some IT providers may not realise that a financial firm has incorrectly classified the use of its services; and/or the service provider may not be willing or able to help the regulated firm jump through the many hoops laid out in the FCA's guidance.
As a result, service providers risk losing customers who are finance firms that have failed to grind through the FCA's requirements and have to re-run their outsourcing process.
For all practical purposes, this places the burden on IT service providers to clarify the nature of their offering and make sure they are ready to help their finance customers either explain why there is no outourcing or demonstrate compliance with the FCA's outsourcing guidelines.
Some might observe that this represents regulatory 'scope creep', since it effectively subjects outsourcing providers to FCA regulatory requirements even where they are not required to be authorised (and may even be based outside the UK). Whether this is ever challenged as being ultra vires - beyond the FCA's powers - remains to be seen, but it is certainly a cost of doing business with UK financial firms.