The Financial Conduct Authority (FCA) regulates financial firms providing services to consumers and maintains the integrity of the financial markets in the United Kingdom. Their work includes implementing, supervising and enforcing EU and international standards and regulations in the UK. In July 2018, the FCA released its finalized guidance, FG 16/5 Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services, to help financial firms effectively oversee all aspects of the lifecycle of outsourcing arrangements.
The FCA Guidance 16/5 adds cloud-specific controls in alignment with the general FCA outsourcing requirements found in the systems and controls (SYSC) sections of the FCA handbook for appropriately regulated firms, and also requires consistency with GDPR.
The FCA views the proper use of outsourcing to the cloud and other third-party IT services as a way for firms to increase flexibility and enable innovation. However, the FCA also acknowledges that cloud outsourcing can introduce risks that need to be properly identified, monitored and mitigated. This is accomplished through a proper risk assessment.
Performing proper risk assessments for all outsourcing arrangements
Monitoring outsourced activities on an ongoing basis, and identifying and managing risks
Align Your TPRM Program with 14 Industry Standards
Download this guide to review industry standards with specific TPRM requirements, and discover best practices for simplifying compliance.
Meeting FCA TPRM Guidelines
Here's how Prevalent can help you address FCA FG 16/5 third-party risk management guidance:
FCA FG 16/5 Guidelines | How We Help |
---|---|
Section 3.4 “A firm appropriately identifies and manages the operational risks associated with its use of third parties, including undertaking due diligence before deciding on outsourcing. Our approach is risk-based and proportionate, considering the nature, scale and complexity of a firm’s operations.” |
Prevalent’s Cyber & Business Monitoring solution offers firms the ability to gain insight into a service provider’s potential cyber vulnerabilities or relevant business risks prior to entering into a contract or during a defined business arrangement. Prevalent combines native vulnerability scanning with multiple external sources for cyber threat intelligence to deliver deep insights into the cyber risks of service providers. Prevalent is unique in that it offers business risk monitoring that leverages human analysts to interpret potential operational, brand, regulatory, legal, and financial risks. Examples include:
|
Risk Management “Accordingly, firms should:
|
The Prevalent Assessment service offers security, privacy, and risk management professionals an automated platform to manage the service provider risk assessment process and determine compliance with IT security, regulatory, and data privacy requirements. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels. |
Oversight of Service Provider “Ensure staff have sufficient skills and resources to oversee and test the outsourced activities; identify, monitor and mitigate against the risks arising.” |
Third-party risk management is costly and time-consuming when using inefficient and error-prone manual data-gathering and sharing processes. Prevalent’s Assessment solution automates this by collecting, organizing, and presenting service provider data to immediately facilitate decision making and manage vendor risk. |
Data Security “Firms should carry out a security risk assessment that includes the service provider and the technology assets administered by the firm.” |
The Prevalent solution enables automated, standards-based or custom questionnaires to identify and manage third-party risk. Standards-based questionnaires evaluate third parties on various controls, including cybersecurity, IT, privacy, data security, cloud hosting, and business resiliency. The platform also includes bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency. |
Effective Access to Data “A firm should:
|
The Prevalent Third-Party Risk Management platform includes effective reporting to satisfy audit and compliance requirements as well as to present findings to the board and senior management. The entire risk profile can be viewed in the centralized live reporting console, and reports can be downloaded and exported to determine compliance status. Deep reporting capabilities include filters and click-through interactive charts. The solution includes a complete repository of all documentation collected and reviewed during the diligence process. |
The FCA defines guidance for selecting secure outsourced IT vendors. Discover the key criteria for compliance...
Reveal TPRM requirements in 13 regulations and gain best practices for simplifying compliance.
Leverage your existing third-party risk processes and technologies to assess and monitor institutional client risk.