I’ve been using cloud services for over seven years now and have recently spent some time interpreting the FCA’s guidance on material outsourcing with respect to public cloud. I want to share my thoughts because some people are under the impression that the regulator is advocating multi-cloud and multi-region to mitigate risk, but it’s not that black and white, more like shades of grey.
I’ve successfully run multiple production workloads for a challenger bank using a single cloud provider, and more recently have consulted on this topic for organisations, including a big UK oil company that is regulated by the FCA and a well-known retail bank. The general consensus from these engagements is that multi-cloud, multi-region is not always the right model.
What the FCA guidelines say
But let’s step back a bit. It’s worth looking at the FCA’s guidance paper on outsourcing to the cloud, which covers everything from selection and business case through to ongoing monitoring and exit strategy. The aim is to promote effective competition and innovation that benefits the consumer at a time when traditional banks are facing intense competition from challenger banks – aka tech businesses with a banking licence, according to one of their ilk, Starling Bank!
The FCA’s guidance paper covers private, public and hybrid cloud, as well as IaaS, PaaS, and SaaS, and is designed to ensure that the risks of running cloud services are clearly identified, mitigated and managed appropriately.
The FCA is very clear that its guidance on cloud services “is not binding and is intended to illustrate ways in which firms can comply with the relevant rules.” It’s worth noting that the PRA has different statutory objectives, so check out its guidance too if your firm is governed by both regulators.
You need to start by determining whether the actual workloads you are looking to outsource are critical or important enough to be considered a material outsource. The FCA defines this as services of such importance that weakness or failure would materially impair the continuing compliance of a firm.
The FCA details legal and regulatory considerations when moving to public cloud. It’s important to know which jurisdiction the cloud service provider’s (CSP) premises are in, and how that affects the outsourcing. Not all CSPs offer all their services in all the regions they cover, but thankfully most do; and in most cases you are fully in control of where you choose to host your data.
Managing and monitoring cloud risk
You won’t be surprised to hear that the FCA is keen on risk management. It is essential to monitor your provider concentration risk and consider what action to take if they fail. I suspect this is where you might be tempted to jump straight to a multi-cloud solution! But it’s not that clear cut. You need to think about: whether the specified workloads are classed as critical or important; the impact and likelihood of a failure (which should be defined within your internal service levels); and also the recovery time objective and recovery point objective from your supplier.
For me, the impact and risk are absolutely key here: at ECS we recommend you Start Small and Think Big. That way you’re not deploying critical services on day one. Plus this approach will allow you to gain confidence in your CSP and make a far more balanced judgment when it comes to risk assessment.
My colleague Chris Plank wrote recently about the importance of maintaining your Reference Architecture (well worth a read), which is a great way to ensure you continually review your risk appetite against an ever-changing cloud landscape. In fact, I recommend that you continually assess your provider and cloud use cases from a supplier management perspective.
Simple architectures are the best
Finally, to ensure FCA compliance, continuity and business planning should not be overlooked. As Werner Vogels says, “Everything fails all the time”. This is a great architecture principle: designing with failure in mind. And it illustrates why cloud service providers offer multiple failure zones within each region to contain any outages.
So if your current data centre model is single region with multiple data centres, think very hard before imposing a more complex and costly multi-cloud and multi-region model on your business, as it is often not required for compliance. After all, the business will be the one paying the bill! In my experience, I find that the best architectures are generally the simplest ones.