Cloud contracts in financial services: issues beyond regulation


When it comes to service levels, if companies are able to negotiate with the service provider on its standard offering, the main thing to consider is the strength of the commitment to meet the service level agreements (SLAs). Companies will want to avoid loose obligations framed as “objectives” or “reasonable efforts”. In most cases, the SLA the business will care about most is “uptime” – businesses can’t control things like an internet outage, but there are a number of things to consider. These include:

  • The definition of “Available” – clearly indicating that this means that the solution is working according to the specification. Companies should pay attention to ‘grace periods’ before corrective action can be triggered – this may be acceptable to companies, but they will want to ensure that these periods are not so long as to jeopardize the corrective action.
  • Availability exclusions – it is reasonable for there to be ‘scheduled maintenance’, but companies will want to ensure that this work is carried out outside of their normal working hours, except in an emergency. Businesses should be aware that the “normal working hours” of suppliers based in the US will be different from those where they operate in the UK or elsewhere in Europe. Companies should also try, where possible, to negotiate so that planned maintenance is not scheduled during relevant peak periods, such as the end of the year. Companies should additionally pay attention to permitted “holidays” for planned maintenance periods – which can have unintended consequences if the service provider is, for example, based in the United States.
  • Make sure the uptime calculation is simple – include a worked example if needed to ensure everyone is on the same page.
  • Pay attention to customer dependencies – these are likely to trigger a liability waiver for the cloud service provider if not met, so it is important that the financial institution reviews them carefully, ensures that the drafting is specific enough and then ensures operational processes are in place to ensure they are adhered to.

Many service providers will not commit to proactively reporting SLAs, so the financial institution may need to track this themselves and request service credits if necessary.

Liability

There is often a real imbalance between the cost of the solution and the risks that would arise if things went wrong. This can complicate liability negotiations.

At its core, it’s about risk sharing and how much risk the service provider is willing to take – their position will often be that they don’t want to be liable for more than the annual fee. It can also be difficult to get service providers to accept liability outside the cap. This seems particularly shocking in the case of loss of data, which we often see completely excluded by providers, in cases where, in our opinion, this is in fact the primary obligation of the provider under the agreement – such as when contracted to host the data.

Provisions governing liability for data loss also require careful consideration. The service provider may state that their obligation is limited to restoring from the latest backup – it is important to know who is actually responsible for backups and how often this happens.

We’re starting to see more and more service providers agreeing to ‘super caps’ for data protection liability – it’s very rare that this is accepted on an unlimited basis in SaaS contracts. Other areas that financial institutions will want to consider for higher liability caps, if not accepted on an unlimited basis, are breach of confidentiality or third party intellectual property rights.

Some service providers ask financial institutions to accept unlimited liability in areas that may not always be seen as “the norm”. A good example of this is breaching the service provider’s acceptable use policy – however, depending on the nature of the SaaS solution, it may be justified for the financial institution to accept this level of liability. We’ve seen this become more common with SaaS vendors providing platforms for customer use.

Termination and suspension

While financial institutions have regulatory obligations to address termination rights in their cloud contracts, service providers will also come to the table with their own “wish list” of termination rights.

We’ve seen service providers try to negotiate broader termination rights than many financial institutions are comfortable with – including termination for convenience. We have succeeded in having these removed from the contract and in limiting the service provider’s right of termination to cases where the customer does not pay the fees.

However, depending on the nature of the services, the service provider may require a right to terminate for gross negligence on the part of the financial institution. Companies may try to argue that the customer’s primary obligation is to pay the charges, and that this is already covered by a specific termination right, but some service providers will also be concerned about misuse of their proprietary intellectual property rights, for example, and will argue that liquidated damages are not sufficient relief for breach of the licensing provisions. If businesses have to accept this, the best way to mitigate the risk is to negotiate longer notice periods and opportunities to remedy the breach before termination rights can be triggered.

Suspension is linked to termination. Often, cloud contracts contain provisions allowing the service provider to suspend access to the application, typically for triggers that overlap with termination rights. One of the most common grounds for suspension is when the financial institution violates the acceptable use policy – this will normally involve the financial institution threatening the security of the service provider or of the service provider’s other customers.

Suspension rights are likely to be a requirement of the service provider, but it is possible for companies to negotiate recourse options, requirements for the service provider to consider reasonable alternatives to suspension, and commitments to restore service immediately after the problem is resolved.

Acceptable Use Policy

The service provider may require the financial institution to agree to abide by its acceptable use policy. It’s pretty standard and will include things like the financial institution agreeing not to engage in illegal activity, distribute malware or try to gain unauthorized access, for example.

Intellectual property

It is typical, with respect to intellectual property provisions in SaaS or public cloud contracts, that the financial institution is asked by the service provider to guarantee that it owns or has all the necessary rights to use its content and that the content will not violate the Acceptable Use Policy.

It is also common for the financial institution to seek to ensure that the contract specifies that it continues to own the content it uploads to the cloud service, and that the cloud service provider retains ownership of all aspects of its cloud services.

The cloud service provider will also request extensive rights to manage infringement claims against it – including the ability to substitute an alternative solution or terminate the contract. Companies should ensure that substitution rights are qualified by reference to no material loss of functionality.

Warranties

Businesses should expect to get less warranty protection in the context of cloud solutions than they can in other major IT purchases. However, when the cloud system is more critical to the financial institution or more bespoke, higher-than-basic warranty protection would be appropriate.

In all cases, financial institutions should seek to include warranties that the service will comply with applicable law and will operate in accordance with the service description, that the customer’s use of the service will not infringe a third party’s intellectual property rights, and that the service will not include any malware, viruses or the like. Businesses should be wary of statements that the service is provided “as is” or similar – they are paying for the service and therefore should be entitled to at least a basic level of protection.

Force majeure

Force majeure provisions in cloud contracts should be carefully considered by financial institutions as part of the agreement. They should:
