The FCA recently issued a guidance paper providing financial institutions with recommendations on the use of third-party IT services for their business applications. The rise of cloud computing, coupled with the improvements in efficiency obtainable through shared infrastructure and server virtualisation, presents a new set of challenges that regulated firms need to address in order to discharge their regulatory obligations in a proper manner.
For example, in an outsourced hosting scenario there are a number of regulations relating to the physical location of data, and it is not always clear when evaluating cloud platform providers where their physical infrastructure is located – everything is obscured by the cloud. This is starting to be recognised in the industry, and indeed Microsoft recently announced the creation of a new Azure hosting zone which guarantees that all data will remain within the UK at all times. Under the new guidelines, firms and their auditors should be granted access to the hosting location when needed.
Information security is another concern, particularly in scenarios where physical infrastructure is being shared by multiple institutions in a ‘multi-tenant’ structure. This means that a single set of physical servers is simultaneously providing application services and storage to more than one financial institution. In these scenarios the hosting provider implements logical isolation between the different systems, but it is not always clear exactly how this is secured and how strong it is compared with traditional dedicated hardware. Each firm needs to strike the right balance between the cost and the perceived risk associated with a particular implementation model. There is no doubt that for startups and smaller organisations the opportunity to operate on a lower-cost model is compelling.
The FCA paper makes clear that while the information provided does not (for now) constitute new rules, firms will be expected to make sure that the guidance is used to inform their selection of infrastructure services going forward.
The technology landscape continues to evolve at a remarkable pace, and it is encouraging to see that the regulator is taking a progressive view on potential innovations in this area.