Mifid obstructing cloud computing at European banks
Rigid cloud computing contracts are clashing with outsourcing rules in Europe’s Markets in Financial Instruments Directive (Mifid), making it difficult for financial institutions to use cloud services, unless the deal is big enough to drag a vendor to the negotiating table.
“A bank can negotiate very long contracts for some aspects of its technology. If it buys through cloud, however, it’s presented in some cases with a set of terms and told to either take it or leave it,” says Mark O’Conor, a partner in the intellectual property and technology group at law firm DLA Piper. “That’s quite a jump to go from a fully negotiated contract.”
It also conflicts with Mifid. The directive compels financial institutions to obtain certain agreements when entering into an outsourcing relationship for functions deemed critical to the running of the organisation – a fixed contract may not satisfy those conditions.
A set of guidelines to help financial institutions comply with Mifid’s outsourcing requirements was published by Mifid Connect – a group of 11 trade bodies – in 2007, and has been endorsed by the UK’s Financial Services Authority (FSA). The guidelines suggest, for example, setting minimum service performance standards, or having step-in rights that allow an underperforming vendor to be replaced. This may not be possible under some vendor contracts.
And the guidelines themselves pose an interpretation risk. A financial institution may argue it interpreted the Mifid regulation differently when establishing a contract with a cloud service provider. Nonetheless, O’Conor says the recommendations could be seen as binding.
“It would have force of law in the sense that they are considered a market norm,” he says. “A regulator may say, ‘All the other banks conducting the same sort of outsourcing followed this guidance and had contracts that did include these things. You are liable because you have not done what is market practice.'”
Various elements within the guidelines also provoke concerns. One recommendation is to put in place procedures to continuously monitor and assess the performance of the service provider, such as through service delivery reports.
However, Yo Delmar, vice-president of governance, risk and compliance solutions at software provider MetricStream, warns this may not be easy. Large companies may end up with dozens of service providers for different aspects of their business, so obtaining and digesting performance reports may be time-consuming. As a result, she expects there will be a demand for cloud service providers to feed customers with security and risk reports on a near real-time basis. “A kind of broker layer between cloud service providers and customers that provides that information will develop,” Delmar says.
The recommendation that cloud service providers protect confidential information relating to the firm and its clients is a further potential issue. Data held in the US, for example, would be subject to the Patriot Act, which allows the US government to compel the delivery of data held by US companies. O’Conor warns this could be a breach of the confidentiality obligations financial institutions have with their customers.
But while banks may be more cautious as a result of Mifid, it is not stopping them from turning to cloud computing, he says – in large part because the industry is under pressure to cut costs – and cloud providers are, in some cases, becoming more flexible.
“They are bemoaning the fact they’re not winning big contracts,” says O’Conor. “They’re therefore starting to put in specific terms for different industries, including financial services. If there’s enough money on the table because it’s a big enough deal, you can negotiate terms.”
This article was first published on Risk