Out-Law Analysis 7 min. read
Cloud contracts in financial services: regulatory issues to address
30 Sep 2022, 12:15 pm
Barriers to the adoption of cloud solutions in financial services are diminishing at a time of growing demand for banks and insurers to digitise their operations.
However, while the case for cloud adoption in financial services grows stronger, there are regulatory issues for firms to navigate when seeking to negotiate contracts with cloud computing providers, and other contracting considerations in relation to cloud service arrangements to carefully consider too.
The main regulatory issues to address in cloud contracts concern audit rights, subcontracting, data and security, and termination and exit.
Audit rights
The various regulatory rules to which UK financial institutions are subject require that both the financial institution itself and its regulator has rights to access and audit suppliers. These rights need to include the possibility of on-premises access.
In the early days of cloud contracts, this was a real problem area. Suppliers would push back hard on the right to go on-premises, arguing that this was not practical and would not be of any use to a financial institution anyway – “why do you want to look at a bunch of racks”? This might seem like a fair argument, but the regulatory rules require that rights of access are unrestricted – the “price” of outsourcing is that the financial institution can exercise appropriate oversight at its discretion.
Over the years, however, the main cloud service providers realised that they would need to modify their position if they were going to secure market share in the financial services sector. Now, the main cloud service providers will agree to audit rights that comply with the regulatory requirements, for both financial institutions and their regulators.
The general approach tends to be a layered one – the cloud service providers will be keen to try to address the issue giving rise to the request in other ways, with on-site access being a last resort. They will give access to reports and information, including independent certification, they will permit pooled audits, but ultimately they will allow on-site if the issues cannot be satisfied another way, or a regulator requires it.
Cloud providers will be concerned to ensure that the manner in which the audit is conducted does not prejudice their ability to carry on business or compromise the security of other customers in a shared data centre. They therefore have an interest in ensuring there are contractual provisions that govern how the audit will be conducted – for example, that audit officials are supervised at all times, that there is “no touching the kit”, and that the customer does not enter areas relating to third parties.
From the perspective of financial institutions, these types of provisions are fine to incorporate in the contract – it is just important to ensure that they don’t cross the line into restricting the audit rights so that they cannot say they have “unrestricted” audit rights.
Subcontracting
The regulatory requirements around subcontracting do not sit easily with the cloud service provider model.
Where the subcontracting arrangement qualifies as a ‘material’ outsourcing then the financial institution needs to have a commitment from the cloud service provider to flow down certain contractual requirements to sub-contractors.
The obligation to comply with applicable law and the key contract provisions is a required provision to be flowed down, and this tends to be negotiable with cloud service providers. It is trickier, however, to flow down audit rights – many cloud service providers argue that this is not practical.
Fortunately, however, while many smaller software-as-a-service (SaaS) providers who rely on cloud infrastructure from the main cloud providers such as AWS or Microsoft tell us that they are not able to flow down audit rights, those cloud service providers do now provide regulatory-compliant audit rights. This means, institutions can often require the SaaS provider to secure an appropriate financial services addendum from its cloud provider and thereby meet the regulatory requirements.
Yvonne Dunn
Partner
Perhaps the biggest challenge in relation to subcontracting is the requirement for the financial institution to approve subcontractors
Perhaps the biggest challenge in relation to subcontracting is the requirement for the financial institution to approve subcontractors. In large outsourcings, securing that right in the contract is usually fine, but in the commoditised world of SaaS it doesn’t work for the service provider – they will say that they have a one-to-many service and they cannot tolerate a position where one customer stops them using a subcontractor that they want to use for their overall service to customers.
In the UK, the Prudential Regulation Authority rules state that the financial institution must have the right to “object to” a material sub-outsourcing and/or terminate the contract where the sub-outsourcing would have adverse effect on the arrangement. SaaS providers will, therefore, argue that the regulations do not require a financial institution to have “approval” rights over subcontracting. Instead, they will agree to notify subcontracting to the financial institution and, if the financial institution objects, they will sometimes agree to discuss and try to resolve the situation, but failing that they offer the financial institution the option to terminate.
While this approach is compliant from a regulatory point of view in respect of the subcontracting requirements, it doesn’t particularly help in practice. This is because the financial institution faces being left without a solution because they are forced to terminate, which in turn will trigger other regulatory concerns around operational resilience and being able to maintain a service to customers. That also brings into focus provisions around exit assistance, discussed below.
In practice it seems unlikely that a major cloud service provider will engage a subcontractor that will cause such an adverse reaction to a financial institution – and the chances are that if one financial institution feels this way, others will too, which would be likely to encourage a rethink.
Data and security
In relation to data, there are a number of provisions in cloud contracts that financial institutions should focus on.
Regulatory provisions require that the financial institution is aware of the location of its data at all times. That applies where the data is at rest or in transit. There is a potential tension between cloud providers, keen to be able to be flexible in relation to where data is hosted and processed, and the increasing regulation around data location. Financial institutions need to make sure that the data location regulatory requirements they are subject to are reflected in their contracts with cloud service providers.
Often the contract will contain an agreed “zone” for the data which the service provider will agree to stay within, and the financial institution can then give permission for data to be hosted or processed within that zone.
Another important issue is data sovereignty – the right of the financial institution to control disclosure of and access to its data – in the cloud context, the financial institution needs to understand in what circumstances third parties may be able to require access to its data and to try to control that through the contract.
Financial institutions also have regulatory obligations to ensure that data is stored securely, and they have broader obligations under data protection law to ensure that any personal data breaches are notified within the time periods prescribed in legislation – such as the General Data Protection Regulation. Therefore, the cloud contract will need to contain obligations on the cloud service provider to notify breaches in enough time to enable the financial institution to meet the timeframes for notifying data protection authorities, like the UK’s Information Commissioner’s Office.
Firms will also want to be comfortable with the level of security offered by a cloud provider. They should carry out appropriate levels of due diligence on the supplier and back this up with contractual commitments. Firms are unlikely to be able to negotiate bespoke security requirements and so it is important to get comfortable with what the supplier offers, and then put in place contractual obligations requiring the provider not to drop below that level.
Other factors in relation to data security include the need for the financial institution to consider how its data will be segregated in the case of a public cloud solution, while the sensitivity of the data will also need to be assessed. How data will be encrypted is another important consideration, and firms need to ensure that regulators have access to the encryption keys.
Generally, the cloud service provider will be a processor, rather than a controller, for the purposes of data protection law, but care will need to be taken as to when a provider may become a data controller in relation to what they do with the personal data that they hold.
Termination and exit
The regulatory rules require financial institutions to have in place termination rights, which can be exercised in particular circumstances, such as where the arrangement presents an unacceptable level of risk to the financial institution. In most cloud service contracts this doesn’t tend to be an issue – they tend to be terminable by the financial institution on relatively short notice. The related issue, though, is managing exit appropriately, and making sure that termination doesn’t cause unacceptable risk or interruption in service to customers.
In most SaaS arrangements the main consideration for a financial institution on exit will be to get its data out from the service provider in a format that allows it to be ported to an alternative place. It will be important to get cooperation from the service provider, in terms of making the data available for an acceptable period of time, and for data security reasons it will also be important to have in place commitments from the service provider to delete any data after that period of time has elapsed. Confirming the format of the data is also important – firms will want to ensure that the data is in a format that is compatible i.e. it is in a standard format and not something bespoke to that service provider.
Written by
Latest News
Editor's Pick
