
Last week MoneyConf firmly put Dublin in the Fintech spotlight. The pressure on financial services firms to make better use of technology to reduce costs and improve customer service shows no sign of relenting. At the same time they need to carefully navigate the related regulatory challenges around technology outsourcing. A member of the ECB Supervisory Board recently observed that banks are not “technological houses” and said that the fragmentation of banks’ services across a range of external providers creates a “challenge” for banks’ leaders, who retain responsibility. This statement will resonate, in particular, with financial institutions looking to understand how much they are currently using, and how they can make more and better use of, cloud-based technology solutions.

Worth noting then that with effect from 1 July 2018, there will be another set of regulatory guidelines for financial institutions to consider when outsourcing.

The European Banking Authority Recommendations on Outsourcing to Cloud Service Providers (the Recommendations) confirm that executives and managing bodies of financial institutions must ensure that they have a real understanding of the risks associated with using technology to outsource any aspect of their operations. The Recommendations apply to both competent authorities, such as Ireland’s Central Bank, and “financial institutions”, which are credit institutions and investment firms as defined in EU Regulation No 575/2013.

These Recommendations supplement the Committee of European Banking Supervisors Guidelines on Outsourcing (the CEBS Guidelines). They provide more detail on the practical steps that should be taken by financial institutions when outsourcing to cloud service providers.

1. Materiality Assessment

Outsourcing institutions should, prior to any outsourcing to the cloud, assess which activities should be considered as “material”. Assessments of what amounts to a “material activity” should be performed on the basis of existing CEBS Guidelines and take into account:

  • whether the activities are critical to business continuity/viability;
  • what the impact of outages would be from an operational, legal and reputational perspective;
  • how significantly revenue would be affected by any disruption to the activity; and
  • what the potential impact of a confidentiality breach or failure of data integrity would be.

Therefore, a detailed risk assessment should form part of any policy for procurement of cloud services and the regulator may look to see that assessment.

2. Duty to Adequately Inform Supervisors

If the outsourcing is material, it will need to be notified to the relevant regulator. The Recommendations require that the outsourcing institution should maintain a register of all its material and non-material activities outsourced to cloud service providers. This may require a change in procurement and contract management processes for some financial institutions. A detailed list of the information to be compiled in the register is provided and includes:

  • general information on the type of outsourcing and the parties involved;
  • evidence of the approval for outsourcing by the management body or its delegated committees;
  • an assessment of the cloud service provider’s substitutability; and
  • identification of an alternate service provider, where possible.

This can only be done if an institution is proactively approving, managing and monitoring its use of cloud services. Many are not doing so and certainly not to the same extent as they would for more traditional outsourcing arrangements.

3. Access and Audit Rights

The Recommendations state that outsourcing institutions should obtain a contractual undertaking from cloud service providers to provide:

  • full access to business premises, including the full range of devices, systems, networks and data used for providing services outsourced (right of access); and
  • unrestricted rights of inspection and auditing relating to outsourced services (right of audit)

to the outsourcing institution, its auditors and the relevant competent authorities.

There are real challenges with the negotiation and exercise of access and audit rights when it comes to cloud services. The Recommendations are helpful in that they confirm the outsourcing institution should exercise its rights to audit and access in a risk-based manner. Pooled audits, third-party certifications or internal audit reports may be considered, provided sufficient safeguards are in place. The outsourcing institution must ensure that the staff performing the audit have the right skills and knowledge to perform effective and relevant audits and/or assessments of cloud solutions.

This puts the onus on the outsourcing institution to ensure its staff properly understand cloud services, negotiate cloud contracts in an informed way to secure meaningful alternatives to traditional audit rights and are organised internally such that it can ensure those rights are put to effective use.

4. Security of Data and Systems

The Recommendations build on existing CEBS Guidelines in relation to security and require that prior to entering a cloud service agreement, the outsourcing institution should:

  • classify the relevant data and activities involved on the basis of sensitivity and required protections;
  • conduct a thorough risk-based assessment of the subject matter of the proposed outsourcing; and
  • decide on (and build into the contract) appropriate levels of confidentiality, service continuity, data integrity and traceability.

The Recommendations note that outsourcing institutions must also monitor the agreed standards, ensure the security measures are met and promptly take any necessary corrective actions. Again, this points to the need to proactively manage engagement with cloud service providers.

5. Location of Data and Data Processing

Outsourcing institutions must take special care when entering into and managing outsourcing agreements undertaken outside the EEA because of possible data protection risks. The Recommendations state that a risk assessment should be completed addressing the potential risk impacts, including legal risks and compliance issues, and oversight limitations related to the countries where the outsourced services are or are likely to be provided and where the data are or are likely to be stored, to ensure that any risks are kept within acceptable limits commensurate with the materiality of the outsourced activity.

Here, GDPR and more general regulatory requirements overlap and we think that consideration ought to be given to GDPR Privacy Impact Assessments for current and future cloud deals which involve the processing of personal data.

6. Chain Outsourcing

Chain outsourcing remains a key focus in these Recommendations. The Recommendations build on this requirement, noting that the cloud outsourcing agreement should:

  • specify any types of activities that are excluded from potential subcontracting;
  • indicate that the cloud service provider retains full responsibility for services that it has subcontracted; and
  • include an obligation for the cloud service provider to inform the outsourcing institution of any planned significant changes to the subcontractors and include a right for the outsourcing institution to terminate the agreement if a change of subcontractor would have an adverse effect on the risk assessment of the agreed services.

These are not provisions that will feature in many standard cloud contracts (the supply chain may not even be known by the customer) and so will need to be negotiated.

7. Contingency Plans and Exit Strategies

The Recommendations state that outsourcing institutions should make arrangements to avoid service disruption in the event that the provision of cloud services by a service provider fails or deteriorates to an unacceptable degree. To achieve this outsourcing institutions should:

  • develop and implement comprehensive and sufficiently tested exit plans;
  • identify alternative solutions and develop transition plans to enable it to remove and transfer existing activities and data from the cloud service provider; and
  • ensure the outsourcing agreement requires the cloud service provider to provide sufficient support to the outsourcing institution to allow the orderly transfer of the outsourced activity to another provider or its reincorporation into the outsourcing institution.

Agreeing the detail around exit plans is often challenging in outsourcing transactions. Many cloud contracts don’t deal with exit plans other than to provide for the termination of access to the service and/or to confirm that responsibility for taking back data sits with the customer and ought to be done during the contract and/or within a short time period following termination. The Recommendations suggest that financial institutions should perform a business impact analysis commensurate with the activities outsourced to identify what human and material resources would be required to implement the exit plan and how much time it would take. Failure to be able to demonstrate that this has been done may create difficulties where moving away from a cloud provider in the future doesn’t go as smoothly as was suggested at the outset.

Those involved in technology deals express differing views on source code escrow. These views range from resignation that the supplier won’t agree to it to the view that even if we do get it, it will only be available on the provided non-negotiable terms or a fear that even if we could get our hands on the code, we wouldn’t know what to do with it. In our experience, the position is not quite as black and white on any of these points. There is an extra aspect to think about in relation to technology offerings which include software as a service and traditional source code escrow may not always be appropriate here. Public disputes on escrow arrangements are few and far between and that’s why a recent English High Court case is worth a read. The decision in the case, Filmflex Movies Limited and Piksel Limited can be accessed here.


The political machinations continue at EU level and predictions for publication of a final form Data Protection Regulation increasingly refer to 2016 as the likely date. But to read behind the headlines continues to be a useful exercise for corporates who need to give real consideration now to what their regulatory landscape might look like in the not too distant future.

A key issue will be determining the place of "main establishment" which in turn will determine the appropriate lead authority.

If that isn’t clear, or there is disagreement, it is being proposed that an EU Data Protection Board (EDPB) would have power to make a binding determination.


There has been much debate during 2014 about the effectiveness of the US Safe Harbour regime. Many EU commentators have queried its effectiveness, pointing in particular to the lack of enforcement over the years by the Federal Trade Commission (FTC), the body which effectively is charged with dealing with complaints that companies are not in compliance with their public representations of adherence to the Safe Harbour principles.


Audit provisions are a common feature of a wide range of IP and technology agreements. They can be seen by those seeking the audit right as a practical way to monitor key aspects of a commercial deal. Security standards being applied to data, accuracy of billing, compliance with licence restrictions or, in some cases, general compliance with the agreed contract are often the subject of audit rights.

The general compliance audit right seems useful on the face of it. But a recent English High Court decision illustrates that a broad audit clause can raise more questions than it answers.

The case, 118 Data Resource Ltd v IDS Data Services [2014] EWHC 3629 (Ch), involved 118 seeking an order from the court for specific performance of an audit clause. 118 had licensed a database to IDS for limited commercial use. The limitations included both restrictions on type of use and on the profile and number of sub-licensees.

IDS had agreed to permit any duly authorised representative of 118, on reasonable prior notice, to enter any of its premises where any copies of the licensed database were in use, for the purposes of ensuring the provisions of the contract between them were being complied with.

The decision was given by the court on application for summary judgement so it wasn’t a full hearing on alleged breaches, which are subject to ongoing litigation. It should be considered in that context.

The court refused to give 118 the broad access it was seeking and interestingly made a few notable observations on the audit clause which can be applied to all audit clauses:

• Be explicit about who is entitled to access – there was a valid question here about whether "authorised representative" included employees. IDS argued it should be third party representatives only and there was sensitivity about employees getting access and seeing more commercially sensitive information than they should. It was found there was nothing to limit the number or type of representative;

• Be clear about location of access – here there was inconsistency between the licence clause (which limited number of permitted copies of the database to one single copy) and the audit clause (which referred to access to any premises where "copies" are used). The court found that reference to "premises" was actually limiting what was to be inspected as much as the location of where the inspection could take place;

• Be clear about exclusions from audit scope – to help ensure an audit clause is effective, it is preferable to list the type of key information which isn’t to be accessed, to avoid resistance to the whole audit later due to that one issue. Here the court suggested that unrelated commercially sensitive information and legally privileged information (in the context of the ongoing litigation) ought to be excluded and suggested that a better clause would have included such carve-outs;

• Be specific about the consequence of the audit – if a breach is found, it would be logical that obligations flow from that finding, e.g. if materials are used outside the scope of the licence, they should be returned; if a breach is detected, it should be rectified on time and at no cost. Here the court noted that the clause was silent on the consequences but couldn’t imply terms as that would involve "substantially re-writing the parties’ bargain".

Of course, another key point to address (which didn’t appear to be at issue in this case) is the cost of audit. In our experience, though, frequency, cost and business impact are less likely to be overlooked in audit negotiations.