FCA SYSC 8 and Virtual Data Rooms

The UK Financial Conduct Authority (FCA) governs outsourcing by FCA-authorised firms primarily through SYSC 8 (Senior Management Arrangements, Systems and Controls — Outsourcing) and, for insurers, SYSC 13. The PRA Supervisory Statement SS2/21 "Outsourcing and third-party risk management" sets parallel expectations for PRA-regulated banks and insurers.

When a UK-regulated firm uses a virtual data room to handle regulated client data, the relationship typically qualifies as a critical or important outsourcing. The firm must (a) carry out a written risk assessment, (b) sign a written outsourcing agreement granting audit and information rights to the firm and the FCA, (c) put a continuity plan in place, and (d) notify the FCA when the outsourcing is critical.

Last updated: May 2026.


Applicable UK Rule Sets

  • SYSC 8.1 — outsourcing of critical or important operational functions.
  • SYSC 13 — outsourcing rules for insurers.
  • PRA SS2/21 — third-party risk management for PRA-regulated firms.
  • FCA Handbook FG 16/5 — guidance on outsourcing to the cloud.
  • Operational Resilience PS21/3 — important business services and impact tolerances.

Contractual Elements Under SYSC 8.1

  • Risk assessment before commencement.
  • Written agreement.
  • Defined service levels.
  • Audit and information rights for the firm and the FCA.
  • Continuity / exit planning.
  • Sub-outsourcing transparency.
  • Confidentiality and data-protection clauses.
  • Notification of material changes.

Providers Aligned with FCA Expectations

  • [EthosData](/providers/ethosdata) — UK provider; well-aligned with FCA expectations.
  • [Drooms](/providers/drooms) — DE/CH hosting; FCA-aligned audit rights available.
  • [Papermark](/providers/papermark) — flexible hosting and contracting; suitable for FCA workflows.
  • Datasite / Intralinks — positioned at the largest end of the market.

Frequently Asked Questions

Is a VDR a critical or important outsourcing under SYSC 8?

It depends on the function it supports. A VDR supporting deal-team activity for an investment bank's M&A advisory practice is typically a critical outsourcing under SYSC 8.1; a VDR for an internal compliance audit may be material but not critical.

Does the FCA need to be notified?

For new critical or important outsourcings, yes. The FCA expects pre-notification with a description of the arrangement and the firm's risk assessment.

Does Brexit change SYSC 8 for VDR procurement?

Substantively no. SYSC 8 remains the UK rule set. EU↔UK data flows benefit from the EU adequacy decision; for UK FCA purposes, the contract must still grant FCA audit access regardless of where the provider is hosted.