FCA and PRA (UK)

FCA and PRA overview

The Prudential Regulation Authority (PRA) is responsible for the prudential supervision of around 1,500 financial institutions, including banks, insurance companies, building societies, credit unions, and certain large investment firms. As a prudential regulator, the PRA has a general objective to promote the financial soundness of the firms it regulates.

The Financial Conduct Authority (FCA) has responsibility for business supervision of all financial services firms, which includes nearly 60,000 businesses. The FCA has prudential supervision for 49,000 firms and is also responsible for supervising outsourcing arrangements established by firms not supervised by the PRA.

In July 2016, the FCA published FG 16/5, Guidance for firms outsourcing to the cloud and other third-party IT services, intended to help firms authorized under the Financial Services and Markets Act 2000 (FSMA) oversee all aspects of their outsourcing arrangements. This guidance was subsequently updated to take account of more recent regulatory developments, such as the implementation of the European Banking Authority (EBA) Guidelines on outsourcing arrangements (EBA/GL/2019/02), which was enacted in September 2019. The current version of the FCA guidance was published in September 2019 following this development.

In December 2019, the PRA published a consultation paper, Outsourcing and third-party risk management, which takes into account both the EBA Guidelines on outsourcing arrangements and the European Insurance and Occupational Pensions Authority (EIOPA) Guidelines on outsourcing to cloud service providers.

There are additional requirements and guidelines that financial institutions in the United Kingdom should be aware of when moving to the cloud, including the FSMA; the Senior Management Arrangements, Systems, and Controls Sourcebook (SYSC) in the FCA Handbook; the European Banking Authority (EBA) Final Report on Recommendations on Outsourcing to Cloud Service Providers (EBA/REC/2017/03); and others.

To assist UK financial services firms regulated by the FCA and PRA with cloud adoption, Microsoft has published several guidance documents, described below.

Services in scope

Microsoft online services discussed in our FCA and PRA related guidance documents include:

  • Azure
  • Dynamics 365
  • Microsoft 365
  • Microsoft Intune

Guidance documents

Microsoft guidance documents relevant for financial services customers in the UK can be downloaded from the Service Trust Portal Data Protection Resources - Compliance Guides section:

  • Microsoft Cloud - Enabling Compliance - Microsoft's approach to the updated FCA cloud guidance
  • Microsoft Cloud - Checklist for Financial Institutions in the UK
  • Microsoft Cloud - Navigating your way to the cloud in the UK

Also available from the Service Trust Portal Data Protection Resources - FAQ and White Papers section is the following FCA-relevant guidance:

  • Risk Assessment and Compliance Guide for Financial Institutions in the Microsoft Cloud