Amazon VGT2 Las Vegas: Navigating UK Operational Resilience and Outsourcing Regulations with AWS

As financial institutions worldwide increasingly turn to Amazon Web Services (AWS) to enhance their operational capabilities, it’s crucial to stay informed about evolving regulations. In the UK, the Financial Conduct Authority (FCA), the Bank of England, and the Prudential Regulation Authority (PRA) issued important guidelines regarding operational resilience in March 2021. Additionally, the PRA provided a supervisory statement focused on outsourcing and managing third-party risks. These regulations apply to various entities under the purview of UK Financial Regulators, including banks, insurers, and payment service providers. For FCA-authorized firms, previous guidance (FG 16/5) has addressed outsourcing to the cloud and other IT services.

AWS is committed to supporting our customers in meeting compliance requirements and addressing regulatory expectations. With a diverse range of services designed to streamline compliance efforts, AWS aims to aid customers in navigating these regulations, which became effective in March 2022.

Implications of UK Financial Regulators’ Statements for AWS Users

The primary goal of these regulatory Statements is to enhance the operational resilience of UK financial institutions. The PRA’s guidance on outsourcing particularly encourages the adoption of cloud technologies while adhering to the European Banking Authority’s (EBA) outsourcing guidelines. This framework assists AWS customers in utilizing cloud services safely and effectively, especially when managing significant workloads. Many financial institutions in the UK already follow due diligence and risk management protocols similar to those outlined in these Statements, the EBA Outsourcing Guidelines, and FG 16/5. AWS provides a suite of security and compliance tools to help meet regulatory standards for resilience and assurance.

A Risk-Based Approach to Compliance

The Statements emphasize the principle of proportionality, particularly in outsourcing requirements. This involves a focus on material outsourcing arrangements and employing a risk-based methodology for identifying and mitigating outsourcing risks. The shared responsibility model acknowledged by the PRA aligns with AWS’s own model, where both parties have defined responsibilities. This perspective is crucial across various compliance aspects, including risk assessments, contractual obligations, data handling, and overall operational resilience.

  • Risk Assessment: The Statements underscore the necessity for UK financial institutions to evaluate how outsourcing could impact operational risks. AWS’s shared responsibility model assists customers in tailoring their risk assessment strategies by detailing how security duties shift depending on the specific AWS services in use. For instance, AWS manages certain security controls while customers handle others, which can improve a customer's overall risk position relative to traditional on-premises deployments.
  • Contractual and Audit Requirements: The PRA’s supervisory statement, along with the EBA guidelines and FCA guidance, specifies expectations for written agreements between institutions and service providers, including audit access. For institutions utilizing AWS for regulated workloads, it’s advisable to engage with your AWS account team to ensure contractual compliance. AWS also offers an Audit Program designed to help customers meet their audit requirements in accordance with regulatory expectations, incorporating insights from UK and EU supervisory authorities.
  • Data Location and Transfer: The UK Financial Regulators advocate for a risk-based approach to data location rather than imposing restrictions on where institutions can store or process data. AWS is actively monitoring the regulatory landscape to adapt our services and tools to support customers effectively in achieving compliance. For details about our data protection commitments, please refer to our Data Protection page.
  • Operational Resilience: Both AWS and customers share the responsibility for maintaining operational resilience. Understanding the dynamics of disaster recovery and service availability within this shared model is essential. AWS ensures the resilience of the underlying infrastructure supporting its cloud services, while customers must configure their services to meet their resilience needs. For instance, when using Amazon Elastic Compute Cloud (Amazon EC2), customers are responsible for implementing necessary configurations, whereas managed services like Amazon Simple Storage Service (Amazon S3) require less direct management from the customer.

For more insights on operational resilience, you can check out another blog post here that might interest you. Additionally, for authoritative perspectives on this topic, consider visiting CHVNCI. For anyone looking to enhance their skills and knowledge in this area, this resource from AWS is an excellent option.
