FCA and PRA (UK)

FCA and PRA overview

The Prudential Regulation Authority (PRA) is responsible for the prudential supervision of around 1,500 financial institutions, including banks, insurance companies, building societies, credit unions, and certain large investment firms. As a prudential regulator, the PRA has a general objective to promote the financial soundness of the firms it regulates.

The Financial Conduct Authority (FCA) has responsibility for business supervision of all financial services firms, which includes nearly 60,000 businesses. The FCA has prudential supervision for 49,000 firms and is also responsible for supervising outsourcing arrangements established by firms not supervised by the PRA.

In July 2016, the FCA published FG 16/5 Guidance for firms outsourcing to the cloud and other third-party IT services, intended to help firms authorized under the Financial Services and Markets Act 2000 (FSMA) oversee all aspects of their outsourcing arrangements. This guidance was subsequently updated to take account of more recent regulatory developments, such as the implementation of the European Banking Authority (EBA) Guidelines on outsourcing arrangements (EBA/GL/2019/02), which was enacted in September 2019. The current version of the FCA guidance was published in September 2019 following this development.

In December 2019, the PRA published a consultation paper CP30/19 Outsourcing and third-party risk management, which takes into account both the EBA Guidelines on outsourcing arrangements and the European Insurance and Occupational Pensions Authority (EIOPA) Guidelines on outsourcing to cloud service providers. In March 2021, the PRA published a policy statement PS7/21 Outsourcing and third-party risk management that provides feedback to CP30/19 responses and contains the PRA's final Supervisory Statement SS2/21 Outsourcing and third-party risk management.

Note

Supervisory Statement SS2/21 sets out the PRA's expectations of how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third-party risk management. Firms are expected to comply with the expectations in SS2/21 by 31 March 2022.

For more information, see the PRA's Outsourcing and third-party risk management documentation.

There are additional requirements and guidelines that financial institutions in the United Kingdom should be aware of when moving to the cloud, including the FSMA; the Senior Management Arrangements, Systems, and Controls Sourcebook (SYSC) in the FCA Handbook; the European Banking Authority (EBA) Final Report on Recommendations on Outsourcing to Cloud Service Providers EBA/REC/2017/03; and others.

To assist UK financial services firms regulated by the FCA and PRA with cloud adoption, Microsoft has published several documents described in Guidance documents.

Services in scope

Microsoft online services discussed in our FCA and PRA related guidance documents include:

  • Azure
  • Dynamics 365
  • Microsoft 365
  • Microsoft Intune

Guidance documents

You can download Microsoft guidance documents relevant for financial services customers in the UK from the Service Trust Portal UK financial services section:

  • Microsoft Cloud - Checklist for Financial Institutions in the UK

Also available is the following FCA-relevant guidance:

Resources