FCA and PRA (UK)
FCA and PRA overview
The Prudential Regulation Authority (PRA) is responsible for the prudential supervision of around 1,500 financial institutions, including banks, insurance companies, building societies, credit unions, and certain large investment firms. As a prudential regulator, the PRA has a general objective to promote the financial soundness of the firms it regulates.
The Financial Conduct Authority (FCA) has responsibility for business supervision of all financial services firms, which includes nearly 60,000 businesses. The FCA has prudential supervision for 49,000 firms and is also responsible for supervising outsourcing arrangements established by firms not supervised by the PRA.
In July 2016, the FCA published FG 16/5 Guidance for firms outsourcing to the cloud and other third-party IT services, intended to help firms authorized under the Financial Services and Markets Act 2000 (FSMA) oversee all aspects of their outsourcing arrangements. This guidance was subsequently updated to take account of more recent regulatory developments, such as the implementation of the European Banking Authority (EBA) Guidelines on outsourcing arrangements (EBA/GL/2019/02), which was enacted in September 2019. The current version of the FCA guidance was published in September 2019 following this development.
In December 2019, the PRA published a consultation paper CP30/19 Outsourcing and third-party risk management, which takes into account both the EBA Guidelines on outsourcing arrangements and the European Insurance and Occupational Pensions Authority (EIOPA) Guidelines on outsourcing to cloud service providers. In March 2021, the PRA published a policy statement PS7/21 Outsourcing and third-party risk management that provides feedback to CP30/19 responses and contains the PRA's final Supervisory Statement SS2/21 Outsourcing and third-party risk management.
Supervisory Statement SS2/21 sets out the PRA's expectations of how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third-party risk management. Firms will be expected to comply with the expectations in SS2/21 by 31 March 2022.
For more information, see the PRA's Outsourcing and third-party risk management documentation.
There are additional requirements and guidelines that financial institutions in the United Kingdom should be aware of when moving to the cloud, including the FSMA, the Senior Management Arrangements, Systems, and Controls Sourcebook (SYSC) in the FCA Handbook, the European Banking Authority (EBA) Final Report on Recommendations on Outsourcing to Cloud Service Providers EBA/REC/2017/03, and others.
To assist UK financial services firms regulated by the FCA and PRA with cloud adoption, Microsoft has published several documents described in Guidance documents.
Services in scope
Microsoft online services discussed in our FCA and PRA related guidance documents include:
- Dynamics 365
- Microsoft 365
- Microsoft Intune
Guidance documents
Microsoft guidance documents relevant for financial services customers in the UK can be downloaded from the Service Trust Portal Data Protection Resources - Compliance Guides section:
- Microsoft Cloud - Enabling Compliance - Microsoft's approach to the updated FCA cloud guidance
- Microsoft Cloud - Checklist for Financial Institutions in the UK
- Microsoft Cloud - Navigating your way to the cloud in the UK
Also available from the Service Trust Portal Data Protection Resources - FAQ and White Papers section is the following FCA-relevant guidance:
- Risk Assessment and Compliance Guide for Financial Institutions in the Microsoft Cloud
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Compliance on the Microsoft Trust Center
- Financial Conduct Authority (FCA)
- FCA Handbook
- Senior Management Arrangements, Systems, and Controls Sourcebook (SYSC) in the FCA Handbook
- SYSC 8 Outsourcing
- FCA FG 16/5 Guidance for firms outsourcing to the cloud and other third-party IT services
- Prudential Regulation Authority (PRA)
- PRA Outsourcing and third-party risk management
- European Banking Authority (EBA)
- EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02)
- Microsoft Cloud for financial services
- Microsoft financial services resources on Service Trust Portal
- Azure solutions for the finance industry
- Microsoft Cloud financial services compliance program
- Compliance map of cloud computing regulatory principles and Microsoft online services
- Risk assessment and compliance guide for financial institutions in the Microsoft Cloud