'Cloud customers should also be aware that they may not be able to control where data is stored and that sub-contracting arrangements may exist without them "initially realising", it said.
The draft guidance outlines ... and ensure regulators have effective access to data.
One of the recommendations the FCA made was for financial services companies to determine whether their cloud contracts are governed by UK law and subject to UK court jurisdiction. It said that even if it is not those cloud customers must ensure that they, their auditor and the FCA have "effective access" to its data as well as the cloud provider's "business premises".'
Given the premise in the first paragraph the other points seem likely to be difficult to achieve. In particular there'd be a need to ensure other court jurisdictions (other than higher EU courts) don't try to push their noses in and that other organisations don't have access to the data.
'It said companies need to have an "exit plan" that is "understood, documented and regularly rehearsed" which allows it to come out of outsourcing arrangements "without undue disruption to their provision of services, or their compliance with the regulatory regime".'
And one that will still work when the cloud operator's administrators walk in?