More Authorisation Feedback
One of our clients – a small peer to peer lender – are having a strange conversation with the FCA at the moment over a third party arrangement.
We note from the FCA Senior Management Arrangements Systems and Controls (SYSC) section 8.1.8(9) in relation to Outsourcing that:
“the firm, its auditors, the appropriate regulator and any other relevant competent authority must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the appropriate regulator and any other relevant competent authority must be able to exercise those rights of access;”
This says that the Regulator (FCA) must have effective access to the business premises of the service provider. I think that in many cases that is an obvious requirement. We operate as a compliance consultant for many of our clients and we can see why the FCA might want to come to our premises and look at the paperwork we have for the client as well as any correspondence we may have.
However, we seem to have reached a stumbling block that makes no sense to us. The FCA have taken issue with one particular third party arrangement, one that will affect most businesses we suspect! The client hosts all of their systems and data with Amazon Web Services. As everyone knows the data is not held at one physical location but distributed around the world (a major benefit of hosted data) and even visiting a site that belongs to Amazon Web Services will not give the FCA any benefit.
Our client has offered to give the FCA complete access to their data and systems through their own log in to the service. Yet this seems to be a stumbling block with the FCA. It seems they are insisting that the client get agreement from Amazon Web Services that the FCA will have unfettered access to a site before the FCA will find this kind of agreement acceptable.
Are they living in the real world?