Navigating Regulatory Challenges in Cloud Services Agreements

Introduction:

SIFMA, in partnership with Bortstein Legal Group, first developed this paper in 2020 and updated it in early 2024. Since 2020, the use of cloud infrastructure has grown significantly, and regulators continue to pay close attention to cloud, as well as to the broader topics of operational risk and technology risk. In this paper, we examine the regulatory guidance in the United States, the European Union, the United Kingdom, and Canada that is relevant to financial institutions’ relationships with providers of cloud services such as ‘Software as a Service’ (“SaaS”), ‘Infrastructure as a Service’ (“IaaS”), and ‘Platform as a Service’ (“PaaS”).

Providers of cloud services may deliver their services to financial institutions directly; they may also deliver them indirectly, for example, as subcontractors (“Indirect Cloud Providers”). Some financial institutions engage vendors to provide services other than cloud services. This class of vendors (e.g., managed and professional service providers, consultants, law firms) may rely heavily on third-party cloud services provided by Cloud Providers (as defined below) in delivering their services to financial institutions (“Managed and Professional Service Vendors” or “MPS Vendors”). For the purposes of this paper, MPS Vendors, as well as SaaS Vendors, IaaS Vendors and PaaS Vendors, are referred to herein as “Cloud Providers”, and their services and products as “Cloud Services”. Cloud Services delivered by Indirect Cloud Providers are also referred to herein as “Indirect Cloud Services”.