Under the Financial Conduct Authority's ("FCA") Senior Management Arrangements, Systems and Controls sourcebook ("SYSC") at SYSC 8.1.9R, firms must ensure that the parties' rights and obligations are clearly allocated and described in a written agreement. Aside from that requirement, SYSC 8 does not contain any other requirements regarding the contractual arrangements firms must undertake when performing an outsourcing.
The European Banking Authority ("EBA") guidelines are more prescriptive and set out specific matters that must be addressed in a written contract between the firm and the service provider. Some of the contractual requirements are dealt with briefly and are of the type one commonly sees in any commercial agreement, for example, a clear description of the outsourced function, the term, the governing law, financial obligations, service levels, information about whether the service provider has taken out insurance, a requirement to implement and test business continuity and disaster recovery (BCDR) plans, and reporting obligations where material events affect the service provider's ability to carry out the services.
Other contractual requirements are more specific to the regulated nature of the institution, including that the contract should specify the following:
- Whether the sub-outsourcing of a critical or important function is permitted; if the sub-outsourcing of a critical or important function is permitted, the agreement must specify the following:
  - What types of activities are excluded from the sub-outsourcing
  - Any conditions that must be complied with
  - That the service provider is responsible for the activities of its sub-outsourcers
  - That the service provider must inform the institution of any planned sub-outsourcing or material changes, and that the institution can object to this
  - That the institution has the right to terminate in the event of any undue sub-outsourcing (e.g., where the risks are materially increased for the institution without prior notification)
- The locations where the critical or important function will be provided and/or where relevant data will be kept and processed, and a requirement that the service provider notifies the firm if it intends to change this during the term
- The accessibility, availability, integrity, privacy and safety of relevant data (institutions must define data and system security requirements within the agreement)
- That the institution can monitor the service provider's performance on an ongoing basis
- That the data owned by the institution can be accessed by the institution in the event of the service provider's insolvency
- That the service provider cooperates with competent authorities
- That the institution can rely on its rights under the Bank Recovery and Resolution Directive regimes that apply to it in a resolution or ring-fencing scenario
- The unrestricted right of institutions, payment institutions and competent authorities to inspect and audit the service provider; the EBA guidelines are expressed as requiring a risk-based approach to audit, but where there is the outsourcing of a critical or important function they specifically require the following:
  - The service provider to grant full access to all relevant business premises and devices, systems, networks and data used for providing the outsourced function
  - Unrestricted inspection and auditing rights to ensure compliance with regulatory and contractual requirements
Contractual arrangements cannot limit the effective exercise of audit rights by the institution, the competent authority or third parties appointed by them. Where relevant, commonly accepted audit standards should be applied, although it is permissible to use pooled audits and third-party certifications to allow more efficient audit processes to take place. Generally, institutions must give prior notice of the audit, but not where there is an emergency or crisis situation or where prior notice would make the audit ineffective. The EBA guidelines also recognize that care must be taken when performing audits in multi-tenanted environments to ensure that risks to other clients are avoided or mitigated. There is also a separate requirement for the service provider to submit its internal audit reports to the institution as appropriate, and specific termination rights are required where any of the following apply:
- The service provider breaches applicable law or the contract.
- Impediments capable of altering the performance of the outsourced function are identified.
- There are material changes affecting the outsourcing arrangement or the service provider (e.g., a change of subcontractors).
- There are weaknesses regarding the management and security of confidential, personal or other sensitive information.
- The competent authority requires this.
The outsourcing agreement must also clearly set out the obligations of the service provider where there is to be an exit and transfer to a successor supplier, set out an appropriate transition period to minimize disruption and set out an obligation on the service provider to support an orderly transfer of the outsourced function following the termination.
The EBA's ICT guidelines state that firms are required to ensure the following in their contracts:
- Appropriate information security related objectives and measures (e.g., minimum cybersecurity requirements, location of data centers, encryption requirements, monitoring processes and data retention policies)
- Incident handling processes, together with appropriate escalation and reporting mechanisms
The Prudential Regulation Authority's ("PRA") Supervisory Statement SS2/21 came into effect on 31 March 2022 but applies to all outsourcing arrangements entered into after 31 March 2021. The PRA rules are not "materially divergent" from the EBA Guidelines on Outsourcing but provide more granularity in certain areas. The differences include the following:
- There is a requirement to specify the renewal date and the start and end dates of the contract.
- There is a requirement to specify the forum and the governing law.
- There is a specific requirement for the contract to address the confidentiality of data as well as its accessibility, availability, etc.
- The right to monitor should be based on KPIs.
- There is no obligation for the service provider to submit its internal audit reports to the institution.
- The BCDR obligations are mutualized, and the requirement to test BCDR plans is softened to a requirement to take reasonable steps to support the testing of the plans.
- Termination rights should cover both stressed and non-stressed scenarios, and both parties are expected to take reasonable steps to support the testing of customers' termination plans.
- When it comes to sub-outsourcing, the PRA does not expect firms to directly monitor fourth parties in all circumstances, but the potential impact of large, complex sub-outsourcing chains on firms' operational resilience will need to be considered.
- For material outsourcings, there is a requirement on the institution to make the PRA aware if the service provider is unable or unwilling to contractually facilitate the institution's compliance with regulatory obligations.
- There is greater flexibility to interpret audit rights in a manner proportionate to the materiality of the outsourcing. Firms can choose an appropriate audit method if it enables them to meet their obligations. The level of assurance should be in keeping with the significance of the firm and the materiality of the services. Where an on-site audit could create unmanageable risk for the provider or other clients, the parties should agree alternative ways to provide an equivalent level of assurance, while not removing the contractual right to an on-site audit. There is no mandatory right for the firm to conduct penetration testing; however, the provider should be required to provide the results of any penetration testing.
- There should be a clear reference to the Bank of England's resolution powers under the Banking Act 2009 (implementing Articles 68 and 71 of the Bank Recovery and Resolution Directive (2014/59/EU) ("BRRD")), and in particular a description of the "substantive obligations" of the written agreement in the sense of Article 68 of the BRRD.
The PRA also makes clear that an imbalance in negotiating power is no justification for a firm to accept clauses and terms that do not meet the outsourcing requirements. Firms should make the PRA aware if the service provider is unable or unwilling to "contractually facilitate" the PRA requirements. The PRA expects written agreements for material outsourcing to indicate whether material sub-outsourcing is permitted, and whether the service provider must obtain specific or general written authorization from the firm before transferring data (Article 28 of the General Data Protection Regulation).