Out-Law Analysis | 13 Feb 2017 | 9:00 am | 4 min. read
Banks face a number of regulatory obligations around the termination and exit from outsourcing agreements. Those firms have a role to play in helping cloud providers understand and accommodate their needs.
Cloud providers, whose contracts typically do not deal with issues of exit and transition assistance in any great detail, could look at the detailed terms commonly contained in standard non-cloud outsourcing contracts for examples of the provisions and measures they could put in place to help banks meet their obligations.
Difficulties in establishing a compliant termination and exit regime in a public cloud context is one of seven issues identified as the main barriers to banks' adoption of cloud-based services within a new report by the British Bankers' Association, which was produced in partnership with Pinsent Masons, the law firm behind Out-Law.com.
Banks' obligations in respect of exit, termination and transition when outsourcing
Moving IT provider is a major challenge for most organisations, but particularly for large financial services firms which are reliant on legacy IT systems at their core.
Migrating to a new technology altogether makes the process even more complicated and risky. The way that data is processed and stored may be different. There will be legal and contractual differences too. The way businesses interact with their IT systems will change, and force changes in practices by staff within the organisation.
In a traditional non-cloud outsourcing context, detailed provisions are usually written into contracts to govern how arrangements can be terminated, what happens at the point of exit, and how transition to another provider would be enabled. Setting out clearly how these sensitive issues will be governed in an outsourcing contract can help avoid potentially costly disputes between customer and service provider at a later stage.
In the banking sector, there is an extra emphasis on putting in place sound arrangements. Financial regulations require banks to ensure that they exercise due skill, care and diligence when terminating an outsourcing arrangement, and guidance issued by the Financial Conduct Authority (FCA) sets out more detail of the regulator's expectations in this regard.
Banks must have documented exit and termination plans. They must also require cloud providers, under contract, to cooperate with them and any new provider to ensure a smooth transition of services. The arrangements must be "fully tested", although not necessarily "regularly rehearsed".
Banks are also required to take steps to have contingencies in place to ensure they can continue providing services if a cloud provider fails, and know how they would recover data from a cloud provider's systems.
The rules and guidance are ultimately intended to ensure that banks that enter into outsourcing contracts are able to maintain continuity and quality of services to their customers.
The current approach taken by cloud providers
Whilst standard non-cloud outsourcing contracts have clauses which account for such issues, cloud contracts are generally more simple documents where exit and transition arrangements are not explained in much detail.
Cloud providers have taken steps in other areas to make their terms more attractive to financial services firms, including more favourable provisions for banks in respect of liability. However, they have yet to reconcile their terms with the challenges banks face around their regulatory obligations on termination and exit.
Some cloud providers will detail their willingness to carry out 'data dumps' at the end of contracts, as a way of banks recovering their data. They also may state that further assistance on termination can be procured from them at commercial rates. However, it leaves the detail open and offers little comfort to banks.
The prospect of competitive advantage for cloud providers
While the issue of exit and termination assistance is a barrier to cloud adoption, it has not proven to always be prohibitive. Banks and other financial institutions have begun to agree public cloud contracts with some cloud providers notwithstanding the comparatively weak exit assistance provisions, A greater commitment from cloud providers to addressing the challenges these clients face would, however, be welcome.
Cloud providers that proactively address this issue and offer more detailed commitments on what assistance they will provide at the point a contract comes to an end or is terminated, including on what steps they will take to smooth transition of services to another provider, stand to gain a competitive advantage in the market.
Those pioneering cloud providers can learn much on how to address these issues from standard outsourcing contracts. They could effectively replicate the exit agreements contained in those contracts. They could offer contractual commitments to offering banks assistance with meeting their duties, by setting out exactly how they would work together with another provider to smooth transition, and by demonstrating their awareness of regulatory or technical issues facing the other parties.
The existing exit, termination and transition provisions within standard outsourcing contracts are well understood by the banks already and accepted by the regulator.
Some cloud arrangements are inherently more complex than others. A simple arrangement may simply involve storage of data. In this regards, basic provisions around data dumps might be sufficient to enable a straight-forward migration of services. However, where services are more integrated, such as in the context of a software-as-a-service offering, that is when exit and transition projects become more challenging. That is because a banks' software, systems and data may be more intertwined with that of the cloud provider.
As a result, there is work that banks can do to help cloud providers understand their regulatory obligations and what they need to be able to demonstrate in relation to delivering continuity of service.
The banking industry could work together to produce a paper to highlight these issues which, in turn, could provide guidance to cloud providers on the technical steps they could take to help. This might give banks, and the regulator, greater comfort that sound exit, termination and transition plans are in place.
Tim Roughton is an expert in cloud outsourcing contracts at Pinsent Masons, the law firm behind Out-Law.com.