FCA FG 16/5 and Third-Party Risk Management
FCA FG 16/5 adds cloud-specific controls that align with the general FCA outsourcing requirements found in the systems and controls (SYSC) sections of the FCA Handbook for appropriately regulated firms. It also requires consistency with GDPR.
The FCA views the proper use of outsourcing to the cloud and other third-party IT services as a way for firms to increase flexibility and enable innovation. However, the FCA also acknowledges that cloud outsourcing can introduce risks that need to be properly identified, monitored and mitigated. This is accomplished through a proper risk assessment.