Financial institutions worldwide are increasingly leveraging Amazon Web Services (AWS) to revolutionize their business operations. As regulatory frameworks continue to evolve, AWS is committed to assisting customers in proactively adapting to upcoming rules and guidelines. The AWS Cloud simplifies compliance with various international regulations, making it easier for customers to meet their obligations.
In March 2021, the Financial Conduct Authority (FCA), the Bank of England, and the Prudential Regulation Authority (PRA) released policy statements and rules regarding operational resilience. Additionally, the PRA issued a supervisory statement focusing on outsourcing and third-party risk management. These regulations apply to a range of entities regulated by UK Financial Regulators, including banks, building societies, credit unions, insurers, financial markets infrastructure providers, payment and electronic money institutions, major investment firms, mixed activity holding companies, and UK branches of certain foreign organizations. Other FCA-authorized financial services firms have received prior guidance (FG 16/5) for outsourcing to cloud and other third-party IT services.
The statements are particularly relevant for organizations utilizing cloud services. AWS is dedicated to supporting our clients in fulfilling their compliance requirements and aligning with regulatory expectations. We provide a broad spectrum of services designed to simplify and facilitate adherence to these statements, which took effect in March 2022.
What Do These Statements Mean for AWS Customers?
The primary aim is to enhance operational resilience among UK financial institutions. The PRA’s outsourcing paper specifically encourages the adoption of cloud technologies while implementing the European Banking Authority (EBA) guidelines on outsourcing arrangements and the relevant sections of the EBA’s ICT and security risk management guidelines. For more on the EBA guidelines, see the related blog post on that topic.
For AWS and its customers, the essential takeaway is that these statements establish a regulatory framework for resilient cloud usage. The PRA’s outsourcing paper outlines conditions that assure PRA-regulated firms can safely and resiliently utilize cloud services for material, regulated workloads. Many UK financial institutions already engage in due diligence, risk management, and regulatory notification practices when considering or using third-party services like AWS—similar to those identified in these statements and in the EBA Outsourcing Guidelines.
Risk-Based Approach
Throughout the statements, the principle of proportionality is emphasized. In terms of outsourcing requirements, this includes a focus on material arrangements and a risk-based methodology that expects regulated entities to identify, assess, and mitigate risks associated with outsourcing. The recognition of a shared responsibility model, as discussed by the PRA and in FCA Guidance FG 16/5, aligns with AWS’s established shared responsibility model.
This proportionality and risk-based framework is applicable in various areas, such as risk assessment, contractual obligations, data location and transfer, operational resilience, and security implementation:
- Risk Assessment: The statements underscore the necessity for UK financial institutions to evaluate the potential impact of outsourcing on their operational risk. The AWS shared responsibility model can aid customers in formulating their risk assessments, as it clarifies how security and management responsibilities vary based on the AWS services utilized. For instance, AWS manages certain controls, such as physical data center security, while customers are responsible for others, such as configuring event logging within their own accounts. Understanding this split lets customers compare their risk posture on AWS against that of traditional, on-premises environments.
- Contractual and Audit Requirements: The PRA’s supervisory statement, the EBA Outsourcing Guidelines, and FCA guidance FG 16/5 outline expectations for written agreements between UK financial institutions and their service providers, including audit rights. Institutions using AWS for regulated workloads should reach out to their AWS account team to ensure compliance with these contractual needs. We facilitate the required contractual audit rights through the AWS Security & Audit Series, which supports customer audits. Our audit program is designed to meet regulatory expectations based on feedback from UK and EU financial supervisory authorities. Customers interested in learning more about AWS’s audit offerings can consult with their AWS account teams.
- Data Location and Transfer: The UK Financial Regulators do not restrict where institutions can store and process data but advocate for a risk-based approach to data location. AWS continuously monitors changes in the regulatory landscape concerning data privacy to identify necessary tools that can help customers meet compliance standards. For more information on our commitments regarding data access and storage, please refer to our Data Protection page.
- Operational Resilience: Resilience is a shared responsibility between AWS and the customer. It’s crucial for customers to understand how disaster recovery and availability, as components of resiliency, function within this shared model. AWS is responsible for the infrastructure that supports all AWS Cloud services, including hardware, software, networking, and facilities. We strive to ensure service availability meets or exceeds the AWS Service Level Agreements (SLAs). The extent of the customer’s responsibility depends on the specific AWS Cloud services they choose. For example, when using Amazon Elastic Compute Cloud (Amazon EC2), the customer is responsible for all necessary resiliency configurations, such as deployment across multiple Availability Zones and backups of the instances. Conversely, with managed services like Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB, AWS manages the infrastructure, operating systems, and platforms, while customers remain responsible for data resiliency, including backups and versioning. For further details about our approach to operational resilience in financial services, refer to the AWS guidance on operational resilience for financial services.
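The customer-side controls named above (S3 versioning and DynamoDB backups) are settings a regulated firm has to verify itself, not something AWS turns on by default. The following Python is an added example, not code from the original post or from AWS, showing a small audit of those two controls. The bucket and table names are hypothetical, and the stub clients are constructed so the check runs offline; with real credentials the same `audit` function accepts `boto3.client("s3")` and `boto3.client("dynamodb")` in their place, because it only calls `get_bucket_versioning` and `describe_continuous_backups`.

```python
"""Audit two customer-side data-resilience controls on AWS:
S3 bucket versioning and DynamoDB point-in-time recovery (PITR)."""
from dataclasses import dataclass
from typing import Any, Iterable


@dataclass(frozen=True)
class Finding:
    resource: str
    control: str
    ok: bool
    detail: str


def check_bucket_versioning(s3: Any, bucket: str) -> Finding:
    """Versioning counts as on only when Status == 'Enabled'.

    GetBucketVersioning returns no 'Status' key at all for a bucket on which
    versioning was never enabled, and 'Suspended' once it has been switched
    off, so both must be treated as failures rather than as unknowns.
    """
    resp = s3.get_bucket_versioning(Bucket=bucket)
    status = resp.get("Status", "NeverEnabled")
    return Finding(bucket, "s3-versioning", status == "Enabled", f"Status={status}")


def check_table_pitr(ddb: Any, table: str) -> Finding:
    """PITR is DynamoDB's continuous-backup control; its default is DISABLED."""
    resp = ddb.describe_continuous_backups(TableName=table)
    pitr = (
        resp["ContinuousBackupsDescription"]
        .get("PointInTimeRecoveryDescription", {})
        .get("PointInTimeRecoveryStatus", "DISABLED")
    )
    return Finding(table, "dynamodb-pitr", pitr == "ENABLED",
                   f"PointInTimeRecoveryStatus={pitr}")


def audit(s3: Any, ddb: Any, buckets: Iterable[str], tables: Iterable[str]) -> list[Finding]:
    """Run both checks over an inventory of buckets and tables."""
    findings = [check_bucket_versioning(s3, b) for b in buckets]
    findings += [check_table_pitr(ddb, t) for t in tables]
    return findings


def failures(findings: Iterable[Finding]) -> list[Finding]:
    return [f for f in findings if not f.ok]


# --- Constructed stand-ins for boto3.client("s3") / boto3.client("dynamodb") ---
# They return the same response shapes as the real APIs so the checks run offline.
class StubS3:
    def __init__(self, versioning_by_bucket: dict[str, dict]) -> None:
        self._v = versioning_by_bucket

    def get_bucket_versioning(self, Bucket: str) -> dict:
        return dict(self._v[Bucket])


class StubDynamoDB:
    def __init__(self, pitr_by_table: dict[str, str]) -> None:
        self._p = pitr_by_table

    def describe_continuous_backups(self, TableName: str) -> dict:
        return {"ContinuousBackupsDescription": {
            "ContinuousBackupsStatus": "ENABLED",
            "PointInTimeRecoveryDescription": {
                "PointInTimeRecoveryStatus": self._p[TableName]}}}


# Constructed sample inventory; the bucket and table names are hypothetical.
SAMPLE_BUCKETS = {
    "ledger-archive": {"Status": "Enabled", "MFADelete": "Disabled"},
    "scratch-exports": {},                       # versioning never enabled
    "legacy-reports": {"Status": "Suspended"},   # versioning switched off
}
SAMPLE_TABLES = {"Transactions": "ENABLED", "Sessions": "DISABLED"}


def demo() -> list[Finding]:
    s3, ddb = StubS3(SAMPLE_BUCKETS), StubDynamoDB(SAMPLE_TABLES)
    return audit(s3, ddb, SAMPLE_BUCKETS, SAMPLE_TABLES)


if __name__ == "__main__":
    for f in demo():
        print("PASS" if f.ok else "FAIL", f.control, f.resource, f.detail)
```

The point the stubs make is the never-enabled case: a bucket that has never had versioning turned on returns an empty response rather than a `Status` of `Disabled`, so a check that only looks for `Suspended` would pass it silently.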