Yes, all regulated entities in the UK must comply with the Financial Conduct Authority ("FCA") Handbook when using cloud services. The FCA recognizes that these requirements should be enforced in a risk-based and proportionate manner considering the scale and complexity of the services.
Chapter 8 of the FCA's Senior Management Arrangements, Systems and Controls sourcebook ("SYSC 8") provides that a firm must ensure that it takes reasonable steps to avoid undue operational risk. Firms cannot outsource operational functions where doing so would impair the quality of their internal controls or the regulator's ability to monitor their compliance.
In addition, where the cloud services are considered as the outsourcing of critical or important functions, firms must exercise skill, care and diligence in selecting, managing and terminating those outsourcing arrangements. In particular, the institution must take steps to ensure that the service provider fulfills the following:
Has sufficient capacity and capability to deliver the outsourced function
Carries out the services effectively and compliantly, and in a way that the firm can assess on an ongoing basis
Supervises the outsourced functions and manages risk
Discloses developments that have material impacts on the service provider's ability to perform the function
Grants effective audit rights
Protects confidential information
Establishes and implements business continuity and disaster recovery plans and appropriate exit arrangements
Allows the firm to terminate the arrangement where necessary
Where firms are dual regulated (e.g., banks, large investment firms and insurers), the provisions of the FCA Handbook and the Prudential Regulation Authority ("PRA") Rulebook apply.
Similar to the FCA Handbook, the PRA Rulebook specifies a number of high-level "fundamental rules" that firms have to comply with, including obligations to act in a prudent manner, have effective risk strategies and to control their affairs responsibly.
Section 2 of the Outsourcing Part of the PRA Rulebook has rules that are broadly consistent with those set out in SYSC 8.1.1R of the FCA Handbook.
The PRA Rulebook also incorporates Articles 30-31 of Commission Delegated Regulation (EU) 2017/565 (Retained EU Legislation) ("MIFID Organization Regulation") and applies these rules to all firms regulated by the PRA. These obligations broadly reflect the SYSC 8 obligations.
PRA SS2/21 on "Outsourcing and third-party risk management" implementing the EBA Guidelines on Outsourcing
Despite Brexit, the FCA expects firms to continue to comply with the guidelines on outsourcing (including cloud) that were published by the European Banking Authority ("EBA") in February 2019.
The EBA guidelines apply to a broad range of regulated institutions, including banks and investment firms, but not asset management firms. The EBA guidelines identify the steps that firms must take to conduct outsourcing activity in a compliant manner (e.g., due diligence requirements, notification to the regulator of material outsourcings and internal governance obligations).
The PRA has published a Supervisory Statement SS2/21 on Outsourcing and third-party risk management, which took effect from 31 March 2022. It complements the requirements and expectations on operational resilience in the PRA Rulebook, seeks to facilitate greater resilience and adoption of the cloud and other new technologies and implements (and expands) the EBA guidelines.
PRA SS2/21 on "Outsourcing and third-party risk management" implementing the EBA Guidelines on ICT and Security Risk Management
The EBA has established information and communication technology and security risk management guidelines that supplement the EBA Guidelines on Outsourcing.
The FCA has confirmed that these continue to apply in the UK. PRA Supervisory Statement SS2/21 implements relevant sections of these ICT guidelines from 31 March 2022.
The ICT guidelines focus on organizational measures that regulators expect firms to have in place. For example, there are requirements to establish sound internal governance processes and an ICT strategy that is aligned with the firm's overall business strategy.
PRA expectations in SS2/21 regarding the cloud
Certain sections of SS2/21 refer specifically to the use of cloud services by regulated firms, setting out the PRA's expectations that regulated firms implement robust controls for data-in-transit, data-in-memory and data-at-rest. Guidance and expectations in respect of outsourcing to cloud services include the following:
The shared responsibility model — firms are expected to define, document and understand their and the cloud service provider's respective responsibilities.
The PRA expects all firms to keep records of their outsourcing arrangements.
In material outsourcing arrangements, the PRA expects firms to retain contractual rights to perform onsite audits at their discretion.
Firms are expected to assess business continuity for material cloud outsourcing arrangements.
Firms that outsource are expected to take reasonable steps to test exit plans, especially "stressed" exits.
Since 31 December 2021, under the EBA Outsourcing Guidelines, banks are expected to maintain a register of their cloud outsourcing arrangements.
In June 2022, HM Treasury issued a policy statement on "Critical third parties to the finance sector." The policy statement proposed a framework to enable financial regulators to manage the risks to financial stability posed by unregulated parties providing critical services to regulated entities, including cloud-based computing services. Under the proposed regime, HM Treasury will — in consultation with the financial regulators — be able to designate certain third parties that provide services to firms as "critical third parties" ("CTPs"). The financial regulators will then be able to make rules, gather information and take enforcement action in respect of certain services that CTPs provide to firms of particular relevance to the regulators' objectives (i.e., "material" services).

Following publication of the policy paper, the Financial Services and Markets Bill ("FSM Bill") was introduced in parliament on 20 July 2022; the FSM Bill sets out a statutory framework for managing systemic risks posed by CTPs through direct regulatory oversight and operational resilience requirements. At the time of writing, the FSM Bill has not completed its passage through parliament, and there is no timescale for it to receive royal assent.