Clearing Up Regulatory Obligations in Cloud Services

Cloud services offer faster and more economical scalability of computing power and data storage than alternative locally installed solutions, but many financial institutions have, thus far, limited their adoption of cloud technology — partly due to the industry’s general prudence in integrating new technologies but also due to the challenges posed by the complex network of applicable global regulations and guidance.

Notwithstanding the potential complications, cloud technology will likely occupy an increasingly critical position in financial institutions’ operations. Accordingly, financial institutions should develop methods for navigating regulatory expectations and other potential risks associated with adopting cloud technology and working with vendors providing such services.

When providing services to financial institutions directly or indirectly, financial services regulators expect cloud vendors and their subcontractors to operate and maintain cloud services in accordance with the requirements of the laws, regulations, and regulatory guidance applicable to financial institutions. To reduce the risks inherent in outsourcing, including cloud services, regulators generally require financial institutions to enter into written agreements with their vendors and perform sufficient due diligence and ongoing monitoring.

Regulators also expect service agreements to require vendors to have comprehensive information security and business continuity and disaster recovery programs. Vendors must maintain adequate policies and procedures to ensure the confidentiality, security, integrity, and availability of the data of financial institutions, their clients, their employees and others, as well as of the vendors’ and their subcontractors’ systems. Service agreements need to specifically address vendors’ administrative, technical, organizational, and physical controls to safeguard customer data and systems against unauthorized access, use, disclosure, modification, unavailability, and deletion.

Regulators require the service agreements to obligate vendors to extend contractual obligations, including audit rights, down to their subcontractors and to remain fully liable for the acts and omissions of their subcontractors. Vendors are also expected to, among other things, have subcontractors provide compliance and performance information to financial institutions.

There are often gaps between financial institutions’ requirements and what vendors will agree to contractually. Cloud vendors may object to certain regulatory expectations or contractual language preferred by financial institutions, due to the limits of the functionality of a specific cloud service, or because operationalizing such requirements or imposing them upon existing subcontractors can be difficult. While certain regulatory requirements are unavoidable, in some instances financial institutions may take a risk-based approach to negotiating terms, considering the use case to determine if and when certain requirements may be adjusted or alternative solutions may be employed.

As the financial services industry continues to expand its use of cloud technology, both the financial institutions procuring these services and the cloud vendors supplying them should monitor the regulations and guidance applicable to these relationships, as they continue to evolve, and develop service agreements that balance cloud vendors’ concerns with financial institutions’ needs to comply with increasingly broad and complex global regulations.

To help guide firms, SIFMA, in partnership with Bortstein Legal Group, has released Navigating Regulatory Challenges in Cloud Infrastructure Services Agreements, a white paper developed to examine the legal and regulatory expectations and requirements in the United States, the European Union, the United Kingdom, and Canada, applicable to financial institutions’ use of certain cloud services. Among other topics, the paper reviews the experience of financial institutions in attempting to address these expectations and requirements in their agreements for such cloud services and considers a number of issues that cloud service providers have raised in response to financial institutions’ preferred contracting approaches. The paper aims to provide context and guidance for financial institutions’ efforts to provide better service to their clients, operate more efficiently, augment their compliance efforts, and drive costs down, in part, by utilizing various innovative technologies, including cloud technology.

Melissa MacGregor is Managing Director and Associate General Counsel at SIFMA.