FCA FG 16/5 Guidance
The FG 16/5 Guidance for firms outsourcing to the 'cloud' and other third-party IT services is an addendum to the UK Financial Conduct Authority's (FCA) 2016 Financial Crime Guide (FG) 16/5.
The guidance sets out the FCA's expectations for how firms should manage the risks associated with outsourcing to the cloud and other third-party IT services. It provides recommendations in the following key areas:
- Risk assessment: Firms should conduct a risk assessment of the third-party service provider, including its security controls and its ability to meet the firm's security requirements.
- Due diligence: Firms should undertake thorough due diligence when selecting third-party service providers, taking into account factors such as their security controls, financial stability, and reputation.
- Contractual arrangements: Firms should ensure that their contractual arrangements with third-party service providers are appropriate, including provisions relating to security, data protection, and access rights.
- Ongoing monitoring: Firms should monitor the performance of third-party service providers on an ongoing basis, including their compliance with contractual obligations and their security controls.
- Exit planning: Firms should have a plan in place to manage the termination of the outsourcing arrangement and ensure the secure transfer of data and services back to the firm.
The guidance is intended to help firms manage the risks associated with outsourcing to the cloud and other third-party IT services effectively, and to ensure that they comply with their regulatory obligations.
Gatekeeper helps businesses to manage risk assessments, due diligence and ongoing monitoring with MarketIQ Cyber.