Out-Law Analysis

Cloud contracts in financial services: issues beyond regulation

It is understandable that much of the focus for financial institutions negotiating cloud contracts will be on ensuring compliance with the regulatory requirements they are subject to, but there are other contract issues that need their attention too.

Outside of contracting for the regulatory rules, issues around licensing, liability, service levels and intellectual property are among those that need careful consideration when banks, insurers and other financial services firms seek to derive the benefits of cloud solutions.

While firms can reasonably expect that contract terms will be more bespoke in the context of a private cloud arrangement, they may find it more difficult to negotiate the terms set by cloud providers in the context of public cloud arrangements or for commoditised software-as-a-service (SaaS) solutions – where a financial institution cannot reasonably expect to get full-blown outsourcing provisions for a discount price.

In these scenarios, it is vital that firms select the most important issues to them to negotiate over and consider what leverage they have to get what they want.

Licensing

Firms need to consider their current and future business requirements to make sure that the scope of their cloud licence is appropriate, in terms of providing for the right to use the solution in all the territories they need.

Consideration should also be given to who needs to access the service – groupwide rights should be secured where necessary and rights for third party service providers who do things on a firm’s behalf may also need to be secured.

The purpose for which a firm can use the service and underlying licence should be made clear too – thought should be given to whether “internal business purposes” covers the intended use, or whether a broader scope of use is needed.

Service provider obligations and service levels

Financial institutions can expect cloud providers to offer their standard service offering rather than anything bespoke. However, firms may be able to negotiate out unilateral rights for the service provider to amend the service offering – or at least secure provisions that say the provider will not amend the service offering in a way that degrades it, or where they do that the firm has a right to terminate the contract.

Yvonne Dunn

Partner

In relation to service levels, if firms are in a position to negotiate with the service provider over its standard offering, the main thing to consider is how firm the commitment is to meet the service level agreements (SLAs). Firms will want to avoid loose “targets” or “reasonable endeavours” obligations. In most cases, the SLA the firm will care about most is “availability”. Firms cannot control things like an internet network outage, but there are a number of things to consider. These include:

  • The definition of “available” – making clear that this means that the solution is operating in accordance with the specification. Firms should watch out for “grace periods” before remedies can be triggered – these may be acceptable, but firms will want to ensure the periods are not so lengthy that they prejudice the remedy.
  • The exclusions from availability – it is reasonable for there to be some “planned maintenance”, but firms will want to ensure that this work is carried out outside of their normal working hours, unless there is an emergency. Firms need to be aware that the “normal working hours” of US-based suppliers will be different from theirs where they are operating in the UK or elsewhere in Europe. Firms should also try, where possible, to negotiate that planned maintenance is not scheduled to take place during any relevant peak periods, such as year-end. Firms should further watch out for “public holidays” being permitted planned maintenance periods – that can have unintended consequences if the service provider is, for example, based in the US.
  • Make sure that the availability calculation is straightforward – include a worked example if necessary to make sure everyone is on the same page.
  • Look out for any customer dependencies – these are likely to trigger relief from liability for the cloud service provider if not met, so it is important that the financial institution reviews these carefully, ensures that the drafting is appropriately specific and then ensures that operational processes are put in place to ensure they are met.

Many service providers will not commit to proactively reporting on SLAs, so the financial institution may have to track this themselves and make claims for service credits if necessary.
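As an added worked example (not from the article or its authors), the following script models the availability calculation the bullets above describe and the service-credit tracking a firm may have to do itself. The SLA terms are assumptions: a five-minute grace period, an agreed overnight maintenance window in the customer's local time, and three service-credit tiers; planned maintenance outside the window, and any incident longer than the grace period, count against the supplier.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Hypothetical SLA terms (assumptions, not figures from any real contract).
GRACE = timedelta(minutes=5)                       # incidents this short do not count
MAINT_START, MAINT_END = time(22, 0), time(6, 0)   # agreed window, customer local time
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (0.0, 25)]  # availability >= x% -> credit % of fee

@dataclass
class Outage:
    start: datetime        # naive datetimes in the customer's local time
    end: datetime
    planned: bool = False  # notified in advance as planned maintenance

def in_maintenance_window(o: Outage) -> bool:
    """True only if the whole outage sits inside the agreed overnight window."""
    if o.end - o.start >= timedelta(hours=8):
        return False  # the window is 8h, so anything longer spills into the day
    inside = lambda t: t >= MAINT_START or t <= MAINT_END  # window wraps midnight
    return inside(o.start.time()) and inside(o.end.time())

def monthly_availability(period_start, period_end, outages, grace=GRACE):
    """Return (availability %, counted downtime). In-window planned work is excluded
    from the denominator; out-of-window planned work and incidents > grace count."""
    excluded = downtime = timedelta()
    for o in outages:
        dur = o.end - o.start
        if o.planned and in_maintenance_window(o):
            excluded += dur
        elif dur > grace:
            downtime += dur
    measured = (period_end - period_start) - excluded
    return 100 * (1 - downtime / measured), downtime

def service_credit_pct(availability: float) -> int:
    return next(credit for floor, credit in CREDIT_TIERS if availability >= floor)

# Constructed sample month: in-window maintenance, daytime maintenance, a blip
# shorter than the grace period, and one real incident.
SAMPLE_OUTAGES = [
    Outage(datetime(2024, 3, 3, 23, 0), datetime(2024, 3, 4, 2, 0), planned=True),
    Outage(datetime(2024, 3, 12, 14, 0), datetime(2024, 3, 12, 15, 0), planned=True),
    Outage(datetime(2024, 3, 20, 9, 0), datetime(2024, 3, 20, 9, 3)),
    Outage(datetime(2024, 3, 25, 10, 0), datetime(2024, 3, 25, 10, 50)),
]

def demo() -> dict:
    avail, down = monthly_availability(datetime(2024, 3, 1), datetime(2024, 4, 1), SAMPLE_OUTAGES)
    return {"availability": avail, "downtime_minutes": down.total_seconds() / 60,
            "credit_pct": service_credit_pct(avail)}
```

Running `demo()` on the constructed month counts 110 minutes of downtime (the daytime maintenance plus the 50-minute incident), giving roughly 99.75% availability and a 10% credit under the assumed tiers.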

Liability

Often there is a real imbalance between the cost of the solution and the risks that would arise if things went wrong. This can make negotiations over liability difficult.

At its most basic, this is about risk sharing and how much risk the service provider is prepared to take – their position will often be that they don’t want to be liable for any more than the annual charges. It can also be difficult to get service providers to accept liability outside of the cap. This feels particularly jarring in the case of loss of data, which we often see excluded altogether by suppliers, in cases where in our view it is actually the supplier’s primary obligation under the arrangement – such as where it is contracted to host the data.

Provisions governing liability in relation to loss of data also need careful scrutiny. The service provider may state that their obligation is limited to restoring from last backup – it is important to know who is actually responsible for taking backups, and how frequently this happens.

We are starting to see more service providers agreeing to ‘super caps’ for data protection liability – it is very rare for this to be accepted on an unlimited basis in the context of SaaS contracts. Other areas that financial institutions will want to consider for higher liability caps, if not accepted on an unlimited basis, are breach of confidentiality or third party intellectual property rights.

Some service providers are asking financial institutions to accept unlimited liability in areas that perhaps are not always felt to be “the norm”. A good example of this is breach of the service provider’s acceptable use policy – however, depending on the nature of the SaaS solution, it may be justifiable for the financial institution to accept this level of liability. We have seen this becoming more common in the provision by SaaS providers of platforms for use by customers.

Termination and suspension

While financial institutions have regulatory obligations to address termination rights in their cloud contracts, service providers will also come to the table with their own ‘wish list’ of termination rights.

We have seen service providers try to negotiate broader termination rights than many financial institutions are comfortable with – including termination for convenience. We have had some success in getting those removed from the contract and the right to terminate pared down to only where the customer does not pay the charges.

However, depending on the nature of the services, the service provider may insist on a right to terminate for the financial institution’s material breach. Firms can try to argue back that the primary obligation of the customer is to pay charges, and that this can be covered with a specific termination right, but some service providers will also be concerned about misuse of intellectual property rights, for example, and say that damages are not a sufficient remedy for a breach of licensing provisions. If firms have to agree to this, the best way to mitigate the risk is by negotiating longer notice periods and opportunities to remedy the breach before termination rights can be triggered.

Linked to termination is suspension. Often cloud contracts will contain provisions allowing the service provider to suspend access to the application, usually for triggers that overlap with the termination rights. One of the more common grounds for suspension is where the financial institution is in breach of the acceptable use policy – this will normally relate to the financial institution threatening the security of the service provider or other customers of the service provider.

Suspension rights are likely to be a requirement of the service provider, but it is possible for firms to negotiate opportunities to remedy, requirements on the service provider to consider reasonable alternatives to suspension, and commitments to reinstate the service immediately upon resolution of the issue.

Acceptable use policy

The service provider is likely to require the financial institution to agree to adhere to its acceptable use policy. This is pretty standard, and will include things like the financial institution agreeing not to engage in illegal activities, distribute malware, or try to gain unauthorised access, for example.

Intellectual property

It is typical, in relation to intellectual property provisions in SaaS or public cloud contracts, for the financial institution to be asked by the service provider to warrant that it owns or has all necessary rights to use its content and that the content will not breach the acceptable use policy.

It is also standard for the financial institution to seek to ensure that the contract specifies that it continues to own content it uploads to the cloud service, and for the cloud service provider to retain ownership of all aspects of its cloud services.

The cloud service provider will also seek broad rights to manage claims for infringement against it – including being able to substitute an alternative solution or terminate the contract. Firms should seek to ensure that substitution rights are qualified by reference to there being no material loss of functionality.

Warranties

Firms should expect to obtain less warranty protection in the context of cloud solutions than they can in other large IT procurements. However, where the cloud system is more crucial to the financial institution or more bespoke, more than basic warranty protection would be appropriate.

Either way, financial institutions should look to include warranties that the service will comply with applicable law and operate in accordance with the service description, that use of the service by the customer will not infringe the IP rights of any third party, and that the service will not include any malware or viruses etc. Firms should watch out for statements that the service is provided on an ‘as is’ basis or similar – they are paying for the service, and so should be entitled to a basic level of protection at least.

Force majeure

The force majeure provisions in cloud contracts should be scrutinised carefully by financial institutions in the context of the arrangement. They should:

  • Ensure that the list of force majeure events includes nothing that is, or should be, within the reasonable control of the cloud service provider. For example, it is often worth clarifying whether any labour dispute or non-performance by suppliers or subcontractors would fall under the definition of 'force majeure'.
  • Consider whether a power failure should excuse performance or whether the firm should expect the supplier to have back-up arrangements in place in case of a power cut.
  • Ensure that the supplier maintains appropriate disaster recovery and business continuity arrangements. Attach a copy of these arrangements to the agreement for cloud services or include a provision to make them available on request.
  • Ensure that the cloud supplier implements those business continuity arrangements before being entitled to rely on force majeure to excuse performance failures.
  • Identify critical data and documents and have a contingency plan in place to ensure that a duplicate copy is available during any cloud service interruption.
  • Consider whether the financial institution’s own business interruption insurance will cover them if a disaster affects a data centre of a cloud service provider that they are relying on.

Governing law and jurisdiction

It is important that the financial institution checks the governing law and jurisdiction clause to determine where it is able to enforce the terms of the contract, if an issue arises in the future.

Some SaaS contracts will be governed by US law and US courts, which will make enforcement more challenging and likely more costly. Some cloud contracts also force arbitration on the parties, which may limit the ability of certain customers to make a claim in their local courts.
