• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

Outsourcing to the 'cloud' for financial services

The FCA has published its finalised guidance for firms considering outsourcing to the ‘cloud’ and other third party IT services. This follows feedback from stakeholders, including regulated firms and cloud service providers, that there is a lack of clarity about how the FCA applies its rules in connection with outsourcing to the cloud. This ambiguity in FCA rules to date has often been seen as a key barrier preventing regulated firms from using the cloud. The finalised guidance follows on from the guidance consultation (GC15/6) issued in November 2015. We have produced a paper on GC15/6 that can be found here. This paper seeks to outline the changes that the FCA has now decided to include in the final guidance having listened to the feedback submitted in relation to GC15/6.

Changes from GC15/6

The changes the FCA has made to its final guidance are summarised as follows:

Definitions of ‘the cloud’: The FCA maintains a definition of the ‘cloud’ as  a collective term that is much broader than just public cloud and encompasses a range of IT services provided in various formats over the internet including private or hybrid cloud, as well as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). The FCA resisted calls to clarify how the guidelines apply to the use of ‘public’, ‘private’ and ‘hybrid’ clouds specifically.

Critical, important or material outsourcings: A number of respondents sought clarity on what type of functions constitute critical, important or material outsourcing, asking for examples of relevant services, and examples of services that would be considered non-critical, important or material. The FCA stated that it would prefer that firms make an assessment of what services are critical, important or material in the context of their own outsourcing arrangements. The FCA did seek to provide further clarity by referencing MiFID Connect, which provides some non-exhaustive examples of the types of services that may be considered critical or important. A link to MiFID Connect can be found here.

Legal and regulatory considerations: The FCA rejected calls to amend the guidance in respect of operational risk and effective access to data and business premises for the firm, auditor and relevant regulator under contracts governed by UK law. However, it did modify the guidelines as they related to firms identifying all providers in a supply chain. The FCA acknowledges that the requirement to identify providers should only apply to services related to the regulated activity being carried out and will not necessarily include all providers in the supply chain.

Risk management: The FCA clarified that “concentration risk”, in its guidance, refers to its expectation that firms should monitor any reliance they themselves have on a single provider, consider the action they would take if this provider failed, and whether any concentration risk is within their risk tolerance.   

International standards: This section has remained the same with the FCA noting that there were some calls for further clarity but the FCA believes that it should be for firms to consider whether and how external assurance may be obtained when conducting their own due diligence.

Oversight of cloud provider: Despite some calls from respondents to remove the requirement for firms to retain sufficient skills and resources to test the outsourced activity, the FCA reiterated its view that it considers it is appropriate for firms to have the skills and resources to test outsourced activity and that it considers it an important part of a firms oversight of their provider to have sufficient in-house ability to supervise their outsourcing arrangements, and to take control of the relevant functions if things go wrong.

Data security: Following the feedback received from respondents the FCA has amended this section in to take into account the fact that some cloud providers cannot allow firms full control of the jurisdictions in which their data is held. Firms should now agree a data residency policy with the provider, which sets out the jurisdictions where their data can be stored, processed, and managed. Providers should have discretion to store, process and control data in the jurisdictions outlined in this policy which are considered acceptable by the firm.

Data protection: The FCA rejected calls to reference the upcoming EU General Data Protection Regulation in this section stating that it felt this section already signposts the relevant considerations that firms should comply with.

Effective access to data: This section elicited a number of responses from firms and providers in relation to the expectation that firms have “no restrictions” on the number of requests they can make of the provider to access or receive data. The FCA has not altered its guidance on this section, however, it has clarified that the concept of “effective access” is broad and wide-ranging, and it do not consider it appropriate to seek to narrow the scope of this requirement. It is the FCA’s belief that there should not be limits of the number of requests firms make, which could undermine the ability to have effective access. The FCA did clarify that there may be circumstances in which the data cannot be provided, but this is not inconsistent with the wording in the guidelines.

Access to business premises: As with the preceding section, this requirement drew a number of responses due to concerns around the expectation of a firm having physical access to a provider’s business premises. The FCA note that physical access to data centres may not always be necessary to provide effective access, but it also consider there may be circumstances where physical access to data centres is necessary for a firm to meet its regulatory requirements. Consequently it has amended the guidance to make it clear the relevant SYSC rules that firms need to take into account, and to clarify that ‘business premises’ is a broad term which may include head offices, operations centres, but does not necessarily include data centres.

Relationship between service providers: Over half of respondents commented on this section pointing out the burden of expecting firms to review all sub-contracting arrangements as well as the confidentiality issues that would exist between the provider and sub-contractor. As a result the FCA has modified its guidance to the extent that this requirement will only apply to those arrangements relevant to the provision of the regulated activity. 

Exit plan: The FCA has amended this section and now expect that exit plans are “fully tested”. This was as a result of concerns raised in relation to the expectation that exit plans be “regularly rehearsed” which was viewed by many as unduly onerous.

The future?

Whilst we have waited a long time for the FCA to give its views on cloud computing, we have already seen a growing number of companies in the financial services sector adopting cloud solutions. However, despite this guidance from the FCA a key stumbling block still looks likely to remain that there is a lack of certainty as to the appropriate standard in each outsourcing.

Whilst this guidance does clarify a number of issues stemming from the consolation in November 2015, it is still not specific and clear enough to allow firms to 100% confidently outsource critical and important functions to cloud solutions. However, the guidance is not binding and is intended to illustrate ways in which firms can comply with the relevant rules. The FCA expect firms to take note of the guidance and, where appropriate, use it to inform their systems and controls on outsourcing.

Find the full text of the final guidance here.

Contact our experts for further advice

Paul Hinton