Podcast: Clearing Up Regulatory Obligations in Cloud Services 2.0

Melissa MacGregor, Managing Director and Associate General Counsel at SIFMA, sat down with Larry Bortstein, Founder of Bortstein Legal Group, and Lou Trotta, Senior Counsel at BLG, to talk about the new white paper SIFMA wrote in collaboration with Bortstein Legal Group, Navigating Regulatory Challenges in Cloud Infrastructure Services Agreements.


Edited for clarity

[Melissa] Thanks for joining us for this episode in SIFMA’s podcast series. I’m Melissa MacGregor, Managing Director and Associate General Counsel at SIFMA, and I’m here today to talk about the new white paper we wrote in collaboration with Bortstein Legal Group entitled, Navigating Regulatory Challenges in Cloud Infrastructure Services Agreements.

I’m joined by Larry Bortstein, Founder of Bortstein Legal Group, and Lou Trotta, Senior Counsel at BLG. Larry founded BLG in 2008 and previously worked at Lehman as Global Head of Technology and Law. Lou worked at Goldman Sachs for 17 years as Head of Technology and IP Law. Lou and Larry are also former members of the SIFMA Technology and Regulation Committee, which I have been a longtime staff advisor to.

Welcome Larry and Lou!

To start off, Larry, could you speak about the cloud provider ecosystem and why FIs would want to use cloud?

[Larry] Absolutely Melissa, and thank you again for inviting us to work with you on writing this paper and thank you for the invitation to speak today. So, there are three main players in this ecosystem. The first, obviously, is the financial institution. Two is the cloud provider, and three are the regulators.

I think it goes without saying, and to state the obvious, financial institutions want to be innovative users of technology. And it turns out that cloud service providers often help provide better client service, more scalability and computing power, and also potentially could help financial institutions save some money.

Second are the providers, and there are really two main flavors. One is infrastructure as a service provider, and the second is software as a service provider. Those are the two main flavors of cloud providers. Infrastructure as a service providers provide enormous computing power and innovation directly to financial institutions and, importantly, indirectly to financial institutions as sub-contractors to software as a service providers. It’s worth noting Melissa that many FinTech firms that financial institutions rely on are SaaS providers.

And then the third piece are the regulators. I know it goes without saying again, but their mission is to support the safety and soundness of the financial systems, which of course extends to the financial institutions’ use of technology and third-party service providers.

[Melissa] Great. As well, could you walk us through the risks the regulations seek to mitigate with respect to vendors, and what global regulators say about vendor management?

[Larry] Absolutely. So, when I think about what the regulators are trying to manage against, there are three main pieces. One is concentration risk, which the paper tries to address; two is operational risk; and three is security. There are other components but those are the big three.

On the concentration risk, obviously the regulators are looking at the entire ecosystem, and right now there are only a handful of infrastructure as a service providers that are supporting financial institutions, either directly or indirectly, through the use of software as a service providers.

On the operational certainty side, again very well-known, but the regulators are focused on ensuring that financial institutions and their clients have access to data and also on the continuity of services.

And then the third component, security, again very well-known, but regulators are focused on helping to ensure that there’s an effort to prevent unauthorized access to and use of financial institution data and systems, which includes the personal data and material nonpublic information that financial institutions have access to.

So, those are the three main risks that regulators are focused on. Really it’s interesting, I’ve reviewed most of the global regulations in this space, and they all sort of say the same thing in their attempts to manage this risk. One is that they want to ensure there’s an overall vendor risk management program in place. Again, very well understood.

And then ensuring that each financial institution does a risk assessment to really understand the use case: is it outsourcing, is there personal data involved, is there material nonpublic information involved? So, understanding your use case. Once you understand your use case, you do not need to treat all vendors the same way.

Once you do the risk assessment, almost without fail, all of the regulations around the globe want financial institutions to do appropriate due diligence on the vendor and on the use case, put appropriate contracts in place, and then do appropriate ongoing monitoring. So, those are the risks, and generally, at a very high level, what the regulations say.

[Melissa] Now Lou, this paper covers the contractual expectations from regulators for cloud services agreements. Why did SIFMA and BLG write about this specific point, and who might benefit from reading it?

[Lou] Well, it’s written primarily to help guide financial institutions in negotiating service agreements with cloud service providers. The financial institutions are trying to resolve the tension between their own preferred terms that conform with the regulatory requirements and guidance and the terms that cloud service providers are willing to accept. There’s often a disconnect there, but besides the financial institutions, the paper offers insights and suggestions that could benefit the cloud service providers themselves.

They obviously have an interest in avoiding protracted contract service negotiations. Lastly, as Larry mentioned, I expect the paper would be of interest to the regulators in understanding how financial institutions and the cloud vendors are working through these issues, and perhaps, in considering what sort of guidance would be helpful going forward.

[Melissa] So, how would you describe the tensions in negotiations between cloud providers and FIs, especially regarding audit rights by FIs and subcontracting by cloud providers?

[Lou] Well, it’s the usual tension in any negotiation between two parties, but it’s certainly exacerbated when the regulatory expectations are added to the mix. So, the result is often a disconnect between what the financial institution feels is required and what the cloud services providers are willing to accommodate.

You touched on the two best examples, those being subcontracting and audit. These are common provisions in any service contract, but the longstanding strategies for negotiating these provisions that parties have adopted over the years are now complicated by the additional overlay of these regulatory expectations.

So, for example, in subcontracting, the regulator sort of expects that the financial institution will diligence vendor subcontractors. That we will actually not only diligence the vendor but the subcontractors, and this is in tension with the vendor’s concern with the difficulties for managing an approval process across numerous financial institutions without creating a veto power in any single financial institution. A very practical concern by the vendors.

The same is true with respect to audit. The regulatory requirements impose requirements for access to vendor facilities and systems, and this is in tension with the vendor’s operational and security concerns and the difficulties of managing simultaneous audits across potentially numerous parties and the regulators.

So, the tension comes about, because the regulatory element sort of constrains the financial institution’s flexibility in negotiations and also because the vendors really have little incentive to waver from their past practices.

[Melissa] Larry, infrastructure as a service providers talk about a “shared responsibility” model. What does that mean, and what does that mean for FIs?

[Larry] Well, thanks for asking that question Melissa. You know, in some ways things have changed, and in other ways, things haven’t changed all that much. In the old days, people like Lou and I would do traditional outsourcing agreements, and our contracts would very clearly lay out the roles and responsibilities between the customer, financial institutions, and an outsourcing provider.

So, in the case of cloud providers, what’s slightly different is that it is the job of the infrastructure as a service provider to provide the features, functionality, and tools to configure the infrastructure services directly to the financial institutions. It is the responsibility of the financial institutions to do that configuration in a way that meets the regulatory obligations.

In many cases, financial institutions are hiring managing service providers and professional service providers to do that configuration. Just like in the old days, it’s important to know what the responsibilities of the financial institutions are, what the responsibilities of the managing service providers are, and what the responsibilities of the infrastructure as a service providers are.

Also, with a slightly different focus, as I mentioned earlier, many infrastructure as a service providers are acting as subcontractors to many of the software as a service providers that financial institutions are relying on. In that case, it is the responsibility of the financial institution to have appropriate oversight responsibility and controls in place to make sure those SaaS providers themselves are configuring the infrastructure services appropriately, to make sure that the financial institutions are in compliance with applicable regulations.

So, just to round that out, what’s slightly different here is that a lot of the responsibility falls on the financial institutions or the other providers that the financial institutions are engaging to help them.

[Melissa] Thanks Larry. Finally, Lou, on the topic of security breach notification, why is it so important for FIs to receive prompt notice and information, including on a provider’s remediation efforts? As well, can you address the tension between FIs and cloud providers?

[Lou] Sure. The first part of the question, I mean financial institutions labor under a number of security breach reporting and notification requirements, particularly as they relate to customer data. So, they have their own sort of compliance reporting and notification obligations that they have to be responsive to. And these requirements all apply to breaches regarding data that is processed or stored by the financial institutions’ service providers, including cloud vendors and their subcontractors.

So, there are a lot of levels of potential events and reporting that can happen here. The tension is largely around the timing and scope of the notice. Financial institutions, in part because of the regulatory pressures, but also in part because it’s just good business practice, want notice as soon as possible.

So, they’ll often say in the contracts they want notice immediately of any suspected breach, along with sort of a wide range of details that may help them figure out how to mitigate a situation and how to meet their regulatory reporting requirements.

On the other hand, the vendors are concerned about having time to confirm what you may call a suspected breach is actually a non-event. So, they want to fudge that language a bit, so they have time to make a judgement in that regard. And, as with the subcontracting and audit issues, they are again concerned with the operational difficulties and the added security issues involved around notifying numerous financial institutions and regulators simultaneously and providing details that may expose their own security concerns. So, that’s the essential point of tension there.

[Melissa] Well, I think all of this makes clear that these are incredibly complex issues and incredibly complex arrangements. So, I would like to say thank you so much again to Larry and Lou for joining me today and for all of your hard work on the white paper. It was a pleasure chatting with you and always a pleasure working with you.

To learn more about SIFMA and our work to promote effective and resilient capital markets, please visit us at www.sifma.org.

Melissa MacGregor is Managing Director and Associate General Counsel at SIFMA