....I can only see this ending well.
The Financial Conduct Authority (FCA) has paved the way for banks, insurers and other financial services companies to take advantage of cloud computing services, so long as "appropriate safeguards" are in place, said one commentator. In proposed new guidance on cloud and other IT outsourcing (PDF), the regulator said there is …
I cannot see ANY service provider agreeing to premises access, because that would mean they contractually agree to harm every one of their other customers the moment one of those is investigated by the FCA, which is, well, stupid, and ditto for the open-door policy the FCA would like.
I can see what the FCA is trying to do, though, so I would propose a requirement that any cloudy contract contains clauses that require the production of copies of the specific data held by an organisation for the whole of the mandated retention period. It is the regulated entities' job to produce it, so they have to stipulate that in the contract and audit that it is actually possible.
Some of the larger providers have already put in place contracts with several Financial Services companies that meet these FCA guidelines.
It's partly through working out the issues that the FCA has got to the point where it can put forward these proposed guidelines, as they know the cloud providers can deliver the access.
'Cloud customers should also be aware that they may not be able to control where data is stored and that sub-contracting arrangements may exist without them "initially realising", it said.
The draft guidance outlines ... and ensure regulators have effective access to data.
One of the recommendations the FCA made was for financial services companies to determine whether their cloud contracts are governed by UK law and subject to UK court jurisdiction. It said that even if it is not those cloud customers must ensure that they, their auditor and the FCA have "effective access" to its data as well as the cloud provider's "business premises".'
Given the premise in the first paragraph, the other points seem likely to be difficult to achieve. In particular there'd be a need to ensure other court jurisdictions (other than higher EU courts) don't try to push their noses in and that other organisations don't have access to the data.
'It said companies need to have an "exit plan" that is "understood, documented and regularly rehearsed" which allows it to come out of outsourcing arrangements "without undue disruption to their provision of services, or their compliance with the regulatory regime".'
And one that will still work when the cloud operator's administrators walk in?
I don't actually see why these demands are directed at the service providers.
Surely it is up to the FCA-regulated entities to ensure they have contracts in place that ensure they can comply with FCA demands? If they have contracts that do not facilitate access to the records the FCA deems it needs, THEY are culpable, not the service provider.
I cannot see any service provider agreeing to an open-door policy for the FCA, physical or electronic, because that would make them liable for all sorts of trouble with other customers and it could even be illegal in the operating nation.