Foration Blog

Is Office365 FCA-compliant?

Paul Weeden

Written by Paul Weeden

Founder & Managing Director at Foration. IT and technology fixer.

[fa icon="clock-o"] 24 August 2016 [fa icon="user"] Paul Weeden [fa icon="folder-open'] Compliance, Office 365, FCA

The most recent Financial Conduct Authority (FCA) guidelines, published in November 2015 highlights specific criteria that needs to be met by financially regulated companies who are migrating their IT systems to the cloud, in whole or in part.

The authority make clear they allow for the use of cloud-based services, including public services such as Office 365, saying:

"We see no fundamental reason why cloud services (including public cloud services) cannot be implemented"This means that, in and of itself, Office 365 is a service allowed under the guidelines, who make it clear that responsibility for data integrity remains with the company rather than the third-party provider. This being the case, it is the the company, rather than the cloud-service, who need to provide evidence that a thorough and diligent risk-assessment has been carried out to ascertain the best and most secure system for their particular needs. With Office 365 offering a range of measures to help address specific compliance concerns in the key areas of data protection.


In relation to public cloud usage, the FCA guidelines stipulates that, for security, providers need to be able to demonstrate, in particular:

  • How data is segregated to avoid access from other parties
  • Storage and encryption methods

In this respect, Office 365 is able to demonstrate the ability to meet each criteria. Data is segregated as a matter of course through Active Directory containers, while Microsoft also offers further data segregation provision as an add-on service. It’s up to each company’s risk assessment to ascertain the level required.

In addition, Office 365 boasts highly robust encryption of data, both resting and in transmission, meeting industry recognised standards as laid out in ISO27001.

Data Protection and Integrity

A key concern in using cloud applications such as Office 365, especially in relation to compliance, is the protection and integrity of sensitive data.

Office 365 has a range of protocols that specifically address these concerns.

The EU Data Protection Act of 1998 stipulates that data should not be taken outside of the territory, unless it can be demonstrated that similarly high standards of security are in place.

Within the terms of Office 365 it points out that all data is stored in your particular territory – in this case, on servers in Dublin and Amsterdam. Thus complying with the regulation.

The obvious question here, of course, is how would Brexit impact this set-up? Earlier in September (2016) Microsoft addressed this issue with the opening of UK Data Centres for UK users.

Added to this regulatory measure is the fact that there’s a high need for confidentiality. Again, Office 365 offers commitments that all data remains totally confidential. Both through its segregation measures as well as a policy of not data mining for advertising.

However, the reality is that individual businesses have ultimate responsibility for the sanctity of the data in their charge. And while Office offer assurances and industry standard security measures to abate the fears, it may be the case in certain instances of highly sensitive data to refrain from submitting it to a third-party and retaining it in-house.


Office 365 is an acceptable cloud-service to use in compliance with FCA regulations. Using industry recognised measures for data protection and security, supported by clear recovery solutions, accessibility and ease of transference (you can cease use at any time while retaining data protection).

Ultimately, though, to be FCA compliant, it is the individual company who bears the responsibility. Using due diligence and risk assessments can ensure that services such as Office 365 are used in such a way that you stay within the rules.

For more information on IT support and services for regulated businesses, click below...

Regulated IT Support

Paul Weeden

Written by Paul Weeden

Founder & Managing Director at Foration. IT and technology fixer.

Subscribe to our Blog

Recent Posts