Managing the shift to SaaS in the financial services sector

Given the recent trend of financial services companies opting for Software-as-a-Service (SaaS) applications, the Financial Conduct Authority (FCA) has released advice for organisations looking to outsource IT services to third parties. The document, FG16/5: Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services, outlines legal considerations, risk management and continuity plans.


It is helpful to understand the risks that come with outsourcing to a third-party SaaS application. Subscribing to a third-party software company often means placing critical business data in the hands of another organisation. If the service provider experiences a software outage or goes out of business, the data could be lost or put at risk, leaving the subscriber unable to carry out its day-to-day operations or comply with its data obligations. Although this is relatively rare, it can quickly cause irreparable reputational and financial damage, so organisations need to have a contingency plan should the worst happen.

Navigating the finer points of the FCA’s new guidelines can be difficult when beginning a new relationship, especially when considering that SaaS providers will have further links to other companies. They are likely to rely on external data centres for the storage of data, adding another layer of complexity.

Monitoring these relationships can be difficult. It is, therefore, wise to enlist a third party to monitor the SaaS provider’s payments to its cloud service provider or data centres. This means organisations can be forewarned if the SaaS provider isn’t making payments, which could signal significant financial issues.

Another risk scenario to be addressed is the access to data if the SaaS provider. For example, a system should be in place to enable access to the data centre in which it is stored, independently of the SaaS vendor.


Since many organisations in the finance sector now rely on SaaS providers for business-critical applications, they should also consider how they will restore this service if necessary following unforeseen circumstances. Having a copy of the software source code is certainly a solid foundation for this business continuity plan. Better still, firms can regularly take a snapshot of the application in its runtime environment so that it can be restored in a much more time-efficient manner.

Finally, and crucially, financial firms need to check that software providers have the operational resources necessary to meet legislation and other regulations such as the Data Protection Act, and to monitor and identify risks to data continuously. This could be easier said than done for smaller SaaS companies, and they may need to change their working practices when dealing with a financial services firm. Any contract between an organisation in the financial sector and a third-party SaaS provider should outline how the provider will make sure that the data is secure, and that access to this data is managed carefully.

Although these steps may sound time-consuming, they are necessary for financial companies to adapt to the changing technological landscape with minimal risk. With FinTech start-ups on the rise, the way that consumers interact with financial services companies is changing, but caution must still be exercised.

Daniel Liptrott, Managing Director, NCC Group's Escrow division

Daniel Liptrott is responsible for the management and strategic development of the Escrow division globally. Daniel joined the Group in November 2013 from private practice where he had been a corporate partner at a number of international law firms. From 2006 to 2011 he had been the Group's outside counsel at Eversheds LLP and has advised on a range of issues including its move to the Main Market of the London Stock Exchange in 2007 and each of the Group’s subsequent acquisitions.
