Navigating Regulatory Challenges in Cloud Infrastructure Services Agreements

SIFMA, in partnership with Bortstein Legal Group, developed this paper to examine the general regulatory and guidance requirements in the United States, the European Union, the United Kingdom, and Canada, applicable to financial institutions’ use of IaaS Services, review the experience of financial institutions in attempting to address those expectations and requirements in their agreements for IaaS Services, and consider some of the issues that the IaaS Vendors have raised in response to financial institutions’ preferred contracting approaches, including how those requirements may conflict with IaaS Vendors’ “shared responsibility” model and the capabilities of IaaS Services. In addition, this paper will identify contractual approaches that have been employed by IaaS Vendors and financial institutions to accommodate the IaaS Vendors’ objections while satisfying the financial institutions’ regulatory obligations.

See also: P&W Blog: Clearing Up Regulatory Obligations in Cloud Services


Excerpt

Introduction

Financial institutions adopt innovative technology to provide better client service, improve operational efficiency, enhance compliance, and save money. Cloud technology may help financial institutions reach these goals. Many financial institutions want to expand their use of cloud technology primarily for faster and cheaper scalability of computing power and data storage than is currently offered by more traditional, locally installed solutions. To date, many financial institutions have not expansively adopted cloud technology, partially due to the obstacles imposed by regulations and guidance and partially due to the industry’s judiciousness in adopting new technologies. Nevertheless, financial institutions should address the increasingly critical position that cloud technology will occupy in their operations directly or indirectly.

Financial institutions should weigh the overall risks associated with having only a small number of vendors that provide Infrastructure as a Service services (“IaaS Vendors” and “IaaS Services”). The same IaaS Vendors provide IaaS Services directly to financial institutions as well as indirectly as subcontractors to many Software as a Service vendors (“SaaS Vendors”), Platform as a Service vendors (“PaaS Vendors”) and other types of vendors (e.g., managed and professional service providers, consultants, law firms) that provide services to financial institutions (IaaS Vendors and all vendors that use IaaS Services to provide services to financial institutions are referred to as “Vendors”). Such widespread reliance on IaaS Vendors constitutes a concentration risk to financial institutions. To help mitigate concentration risks, and other risks associated with the failure or poor performance of IaaS Vendors, financial institutions could consider contractual obligations that support, and are consistent with, the applicable regulatory expectations and requirements.