Out-Law Analysis | 30 Sep 2022 | 12:15 pm | 7 min. read
Barriers to the adoption of cloud solutions in financial services are diminishing at a time of growing demand for banks and insurers to digitise their operations.
However, while the case for cloud adoption in financial services grows stronger, firms face regulatory issues when negotiating contracts with cloud computing providers, as well as other contracting considerations for cloud service arrangements that need careful thought.
The main regulatory issues to address in cloud contracts concern audit rights, subcontracting, data and security, and termination and exit.
The various regulatory rules to which UK financial institutions are subject require that both the financial institution itself and its regulator have rights to access and audit suppliers. These rights need to include the possibility of on-premises access.
In the early days of cloud contracts, this was a real problem area. Suppliers would push back hard on the right to go on-premises, arguing that this was not practical and would not be of any use to a financial institution anyway – “why do you want to look at a bunch of racks”? This might seem like a fair argument, but the regulatory rules require that rights of access are unrestricted – the “price” of outsourcing is that the financial institution can exercise appropriate oversight at its discretion.
Over the years, however, the main cloud service providers realised that they would need to modify their position if they were going to secure market share in the financial services sector. Now, the main cloud service providers will agree to audit rights that comply with the regulatory requirements, for both financial institutions and their regulators.
The general approach tends to be a layered one – the cloud service providers will be keen to try to address the issue giving rise to the request in other ways, with on-site access being a last resort. They will give access to reports and information, including independent certification, they will permit pooled audits, but ultimately they will allow on-site if the issues cannot be satisfied another way, or a regulator requires it.
Cloud providers will be concerned to ensure that the manner in which the audit is conducted does not prejudice their ability to carry on business or compromise the security of other customers in a shared data centre. They therefore have an interest in ensuring there are contractual provisions that govern how the audit will be conducted – for example, that audit officials are supervised at all times, that there is “no touching the kit”, and that the customer does not enter areas relating to third parties.
From the perspective of financial institutions, these types of provisions are fine to incorporate in the contract – it is just important to ensure that they don’t cross the line into restricting the audit rights so that they cannot say they have “unrestricted” audit rights.
The regulatory requirements around subcontracting do not sit easily with the cloud service provider model.
Where the subcontracting arrangement qualifies as a ‘material’ outsourcing then the financial institution needs to have a commitment from the cloud service provider to flow down certain contractual requirements to sub-contractors.
The obligation to comply with applicable law and the key contract provisions is a required provision to be flowed down, and this tends to be negotiable with cloud service providers. It is trickier, however, to flow down audit rights – many cloud service providers argue that this is not practical.
Fortunately, however, while many smaller software-as-a-service (SaaS) providers who rely on cloud infrastructure from the main cloud providers such as AWS or Microsoft tell us that they are not able to flow down audit rights, those cloud service providers do now provide regulatory-compliant audit rights. This means institutions can often require the SaaS provider to secure an appropriate financial services addendum from its cloud provider and thereby meet the regulatory requirements.
Perhaps the biggest challenge in relation to subcontracting is the requirement for the financial institution to approve subcontractors. In large outsourcings, securing that right in the contract is usually fine, but in the commoditised world of SaaS it doesn’t work for the service provider – they will say that they have a one-to-many service and they cannot tolerate a position where one customer stops them using a subcontractor that they want to use for their overall service to customers.
In the UK, the Prudential Regulation Authority rules state that the financial institution must have the right to “object to” a material sub-outsourcing and/or terminate the contract where the sub-outsourcing would have an adverse effect on the arrangement. SaaS providers will, therefore, argue that the regulations do not require a financial institution to have “approval” rights over subcontracting. Instead, they will agree to notify subcontracting to the financial institution and, if the financial institution objects, they will sometimes agree to discuss and try to resolve the situation, but failing that they offer the financial institution the option to terminate.
While this approach is compliant from a regulatory point of view in respect of the subcontracting requirements, it doesn’t particularly help in practice. This is because the financial institution risks being left without a solution if it is forced to terminate, which in turn will trigger other regulatory concerns around operational resilience and being able to maintain a service to customers. That also brings into focus provisions around exit assistance, discussed below.
In practice it seems unlikely that a major cloud service provider will engage a subcontractor that will cause such an adverse reaction to a financial institution – and the chances are that if one financial institution feels this way, others will too, which would be likely to encourage a rethink.
In relation to data, there are a number of provisions in cloud contracts that financial institutions should focus on.
Regulatory provisions require that the financial institution is aware of the location of its data at all times. That applies where the data is at rest or in transit. There is a potential tension between cloud providers, keen to be able to be flexible in relation to where data is hosted and processed, and the increasing regulation around data location. Financial institutions need to make sure that the data location regulatory requirements they are subject to are reflected in their contracts with cloud service providers.
Often the contract will contain an agreed “zone” for the data which the service provider will agree to stay within, and the financial institution can then give permission for data to be hosted or processed within that zone.
Another important issue is data sovereignty – the right of the financial institution to control disclosure of and access to its data – in the cloud context, the financial institution needs to understand in what circumstances third parties may be able to require access to its data and to try to control that through the contract.
Financial institutions also have regulatory obligations to ensure that data is stored securely, and they have broader obligations under data protection law to ensure that any personal data breaches are notified within the time periods prescribed in legislation – such as the General Data Protection Regulation. Therefore, the cloud contract will need to contain obligations on the cloud service provider to notify breaches in enough time to enable the financial institution to meet the timeframes for notifying data protection authorities, like the UK’s Information Commissioner’s Office.
Firms will also want to be comfortable with the level of security offered by a cloud provider. They should carry out appropriate levels of due diligence on the supplier and back this up with contractual commitments. Firms are unlikely to be able to negotiate bespoke security requirements and so it is important to get comfortable with what the supplier offers, and then put in place contractual obligations requiring the provider not to drop below that level.
Other factors in relation to data security include the need for the financial institution to consider how its data will be segregated in the case of a public cloud solution, while the sensitivity of the data will also need to be assessed. How data will be encrypted is another important consideration, and firms need to ensure that regulators have access to the encryption keys.
Generally, the cloud service provider will be a processor, rather than a controller, for the purposes of data protection law, but care will need to be taken as to when a provider may become a data controller in relation to what they do with the personal data that they hold.
The regulatory rules require financial institutions to have in place termination rights, which can be exercised in particular circumstances, such as where the arrangement presents an unacceptable level of risk to the financial institution. In most cloud service contracts this doesn’t tend to be an issue – they tend to be terminable by the financial institution on relatively short notice. The related issue, though, is managing exit appropriately, and making sure that termination doesn’t cause unacceptable risk or interruption in service to customers.
In most SaaS arrangements the main consideration for a financial institution on exit will be to get its data out from the service provider in a format that allows it to be ported to an alternative place. It will be important to get cooperation from the service provider, in terms of making the data available for an acceptable period of time, and for data security reasons it will also be important to have in place commitments from the service provider to delete any data after that period of time has elapsed. Confirming the format of the data is also important – firms will want to ensure that the data is in a compatible format, i.e. a standard format and not something bespoke to that service provider.
Written by
Yvonne Dunn
Partner
2022 Copyright Pinsent Masons LLP