
FCA FG 16/5 Compliance

Complying with FCA FG 16/5 Guidance

The Financial Conduct Authority (FCA) regulates financial firms providing services to consumers and maintains the integrity of the financial markets in the United Kingdom. Its work includes implementing, supervising and enforcing EU and international standards and regulations in the UK. In July 2016, the FCA published its finalised guidance, FG 16/5 Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services (updated in July 2018), to help financial firms effectively oversee all aspects of the lifecycle of their outsourcing arrangements.

FCA FG 16/5 and Third-Party Risk Management

FCA FG 16/5 adds cloud-specific expectations that align with the general FCA outsourcing requirements found in the Systems and Controls (SYSC) sourcebook of the FCA Handbook for regulated firms, and it also expects firms' arrangements to be consistent with the GDPR.

The FCA views the proper use of outsourcing to the cloud and other third-party IT services as a way for firms to increase flexibility and enable innovation. However, the FCA also acknowledges that cloud outsourcing can introduce risks that need to be properly identified, monitored and mitigated. This is accomplished through a proper risk assessment.

Relevant Guidelines

FCA FG 16/5 guidelines help financial firms oversee all aspects of outsourcing arrangements, including:

  • Making decisions to outsource and selecting service providers
  • Performing proper risk assessments for all outsourcing arrangements
  • Monitoring outsourced activities on an ongoing basis, and identifying and managing risks

White Paper: Satisfying Compliance with Third-Party Risk Management Requirements

Discover the key third-party risk management requirements in common regulatory and security frameworks, and learn how the Prevalent Third-Party Risk Management Platform maps to specific mandates enabling you to achieve compliance while mitigating vendor risk. 


Meeting FCA FG 16/5 Guidance for Third-Party Risk Management

Here's how Prevalent can help you address FCA FG 16/5 third-party risk management guidance:

FCA FG 16/5 Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services

For each area below, the FCA FG 16/5 guideline is quoted first, followed by how Prevalent helps.

Section 3.4

“A firm appropriately identifies and manages the operational risks associated with its use of third parties, including undertaking due diligence before deciding on outsourcing. Our approach is risk-based and proportionate, considering the nature, scale and complexity of a firm’s operations.”

Prevalent’s Cyber & Business Monitoring solution offers firms the ability to gain insight into a service provider’s potential cyber vulnerabilities or relevant business risks prior to entering into a contract or during a defined business arrangement.  

Prevalent combines native vulnerability scanning with multiple external sources for cyber threat intelligence to deliver deep insights into the cyber risks of service providers.

Prevalent is unique in that it offers business risk monitoring that leverages human analysts to interpret potential operational, brand, regulatory, legal, and financial risks. 

Examples include:

  • Insider threats
  • Financial problems
  • M&A activity
  • Layoffs
  • Data breach cases
  • Reputational metrics

Risk Management

“Accordingly, firms should:

• carry out a risk assessment to identify relevant risks and identify steps to mitigate them

• document this assessment”

The Prevalent Assessment service offers security, privacy, and risk management professionals an automated platform to manage the service provider risk assessment process and determine compliance with IT security, regulatory, and data privacy requirements. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels.


Oversight of Service Provider

“Ensure staff have sufficient skills and resources to oversee and test the outsourced activities; identify, monitor and mitigate against the risks arising.”

Third-party risk management is costly and time-consuming when using inefficient and error-prone manual data-gathering and sharing processes. Prevalent’s Assessment solution automates this by collecting, organizing, and presenting service provider data to immediately facilitate decision making and manage vendor risk. 


Data Security

“Firms should carry out a security risk assessment that includes the service provider and the technology assets administered by the firm.”

The Prevalent solution enables automated, standards-based or custom questionnaires to identify and manage third-party risk. 

Standards-based questionnaires evaluate third parties on various controls, including cybersecurity, IT, privacy, data security, cloud hosting, and business resiliency.  

The platform also includes bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency.


Effective Access to Data

“A firm should:

  • ensure that notification requirements on accessing data, as agreed with the service provider, are reasonable and not overly restrictive
  • ensure there are no restrictions on the number of requests the firm, its auditor or the regulator can make to access or receive data”

The Prevalent Third-Party Risk Management platform includes effective reporting to satisfy audit and compliance requirements as well as to present findings to the board and senior management. The entire risk profile can be viewed in the centralized live reporting console, and reports can be downloaded and exported to determine compliance status. Deep reporting capabilities include filters and click-through interactive charts. The solution includes a complete repository of all documentation collected and reviewed during the diligence process.


The Prevalent Difference

Prevalent’s Third-Party Risk Management Platform provides a complete framework for implementing the policy management, auditing and reporting related to the FCA’s FG 16/5 Guidance. The cloud-based Prevalent Assessment Service helps risk management and information security professionals determine vendor compliance with IT security, regulatory, and data privacy requirements. Utilizing a library of over 50 pre-defined assessments, standardized content, and customizable surveys, the Prevalent Assessment Service automates the vendor risk management lifecycle, including evidence collection, analysis, and remediation.