United Kingdom Financial Conduct Authority (FCA)

FCA (UK) overview

The Financial Conduct Authority (FCA), an independent public body that is accountable to the Treasury, regulates 58,000 financial firms and markets in the UK and serves as the prudential regulator for over 18,000 of those organizations. Prudential Regulation Authority (PRA), which also serves as the prudential regulator for the Bank of England and regulates 1,500 of the larger financial services institutions such as banks, building societies, credit unions, insurers, and investment firms. (The FCA picks up prudential regulation for firms that do not fall under the PRA remit.)

The FCA had received feedback that financial institutions and cloud service providers were unclear about how to apply its rules for outsourcing to the cloud, a potential barrier to cloud use. Given that the FCA mandate includes promoting effective competition (for which innovation can be a driver), the FCA wanted to support the use of cloud services, stating “We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules.” So the FCA clarified its requirements for outsourcing to the cloud, publishing final guidance in November 2016 in the Guidance for firms outsourcing to the cloud and other third-party IT services intended to help financial firms and cloud service providers understand FCA expectations when firms outsource to the cloud (or plan to do so). Although this guidance is not binding, the FCA expects firms to use it where appropriate. (Note that the PRA has different statutory objectives, so firms it regulates must confirm their approach with the PRA.) This is a detailed document and offers specific guidance for the use, evaluation, and ongoing monitoring of third parties in the delivery of IT services. It divides considerations into 13 areas of interest, ranging from legal, and regulatory considerations and risk management to continuity planning and plans for exiting outsourcing arrangements

Microsoft and FCA (UK)

Microsoft has published a comprehensive guide, Enabling compliance: The Microsoft approach to FCA finalized cloud guidance, detailing how Azure can help financial services customers that are authorized and regulated by the UK Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) when moving IT operations to the cloud.

The Microsoft guide describes in great detail our compliance with numerous recognized international standards, our transparency around how your customer data is handled to give you control over it, and the contractual provisions that address-specific financial regulatory requirements.

Sections in the Microsoft guide map in depth to each area of interest in the FCA guidance. For example, a key aspect of the regulatory outsourcing requirements is that financial services firms must identify and manage any risks which outsourcing may introduce into their business. Microsoft discusses its approach in carrying out a risk assessment, documenting it, identifying current best practices, and so on. We help you assess the relevant risks and make available a wide range of resources to facilitate your due diligence.

Learn how Azure is enabling FCA compliance in UK banks: Read Microsoft collaborates with ClearBank: Launch of first new UK clearing bank in over 250 years

Accelerate your deployment on Azure

Download Microsoft approach to FCA finalized cloud guidance

Microsoft in-scope cloud services

  • Azure
  • Intune
  • Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite

Frequently asked questions

Can I use Microsoft responses to this framework in my organization’s compliance process?

Yes. However, although Microsoft responses to this framework are confirmed compliant by third parties, customers are responsible for validating the compliance of solutions they have implemented on Azure or Power BI.

Yes. However, although Microsoft responses to this framework are confirmed compliant by third parties, customers are responsible for validating the compliance of solutions they have implemented on Azure or Power BI.

Resources