Model Terms Demanded for Cloud Service Agreements with European Banks
An interest group of EU banks that was formed to assist European financial institutions with their use of public cloud technology recently suggested model terms for the compliant use of cloud technology.
On May 17, 2021, the European Cloud User Coalition ("ECUC"), an interest group of EU banks formed to assist European financial institutions ("FI") with their use of public cloud technology, published a position paper with proposed solutions to challenges in connection with the compliant use of cloud technology.
The proposals provide guidelines on how to deal with outsourcing, risk management, data security, and data privacy requirements applicable to arrangements between FIs and cloud service providers ("CSP") and include points requiring model terms for cloud service agreements.
The pertinent privacy, security, and risk management requirements outlined in the Position Paper serve as a basis for its suggested requirements on standard contractual clauses.
The Position Paper suggests that the legislature or regulatory agencies address five areas with binding model terms—these include: (i) FIs audit rights; (ii) sub-outsourcings by the CSP; (iii) limitations on unilateral changes to contractual terms via embedded URLs, and standardized provisions in service level agreements on services availability, performance metrics, reporting thereof, and communication channels; (iv) categorization of CSPs as controllers or processors; and (v) insurance coverage.
In addition, the Position Paper recommends clarifications to the scope and application of the recently proposed Digital Operational Resilience Act ("DORA"), including an alignment with existing standards.
FIs should consider the outsourcing, risk management, data security, and data privacy requirements as well as the model terms in the Position Paper as a checklist for their own cloud service agreements. They should also confirm that they adequately address the operational and legal risks associated with these arrangements. In addition, the points on DORA provide FIs with an initial overview of areas affected by the implementation of DORA.
The Position Paper's publication will be consulted for the next three months. The consultation phase serves to collect feedback from CSPs, regulatory bodies, and other regulated institutions, which will be incorporated into the paper's next version.
We will keep you posted on developments relating to the use of cloud computing services by FIs.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.