Critical about clouds
As part of the Financial Services and Markets Bill, the UK has proposed a regime to regulate critical third-party service providers (CTPs), which could shift the negotiating power in favour of GPs but gives rise to concerns about fragmentation.
“The existing framework represents the regulator’s increasing attention on firms’ operational resilience since the global financial crisis and some high-profile banking outages,” comments Clive Cunningham, a partner in Herbert Smith Freehills’ financial services regulatory practice. “The new special regime for CTPs reflects a growing concern about particular risks arising from the financial services industry’s increasing dependency on cloud and IT infrastructure services providers.”
The market for cloud services is consolidated, with Statista reporting that Amazon holds 34% of the market, Microsoft’s Azure 21% and Google Cloud 11%. Together, the three hold 66% and lead by a landslide – the next largest player after Google is Alibaba with 5%.
When shopping around for a provider, large-cap firms may experience equitable contract negotiations due to a levelled playing field, and even use multiple providers at the same time so as to not put all their eggs in one basket. It can be a different experience for mid-size firms or those at the lower end of the market. Hyperscalers may allow some wiggle room around free consultancy, access to customer engineers, training and certifications, but they are unlikely to be flexible on their pricing.
This stronghold allows cloud services providers to push their standard terms and conditions, leaving their counterparties with little room to make their own demands.
However, under the Bill’s current wording, obligations are imposed on the service provider alone, which could shift the current landscape, comments Cunningham: “There is a real possibility this new regime will rebalance the whole relationship between fund managers and their cloud/IT services providers. Currently, it’s the regulated firm doing the asking – for data, access and other contractual rights to meet its regulatory obligations. In future, CTPs will probably need more rights in return, so that they are plugged into how their services create systemic risks for the financial services sector and the solutions to mitigate those. The one-sided imposition of standard contract terms could be a thing of the past.”
His colleague Nick Pantlin, partner and head of TMT and digital for the UK and Europe at Herbert Smith Freehills, adds: “In addition to recalibrating the legal Ts and Cs under which they engage with their customers, service providers will also need to consider how the new requirements will affect their customer offerings from an operational and commercial perspective. This will no doubt be an opportunity for some service providers and could potentially create a two-tier market.”
Looks like rain
The UK is not the only country considering a regime to regulate CTPs, as the EU has already published a regulation on operational resilience for the financial sector, as well as an amending directive, in the form of the Digital Operational Resilience Act (DORA).
Crucially, DORA imposes obligations on both service providers and their clients but defines service providers more narrowly than the UK does. Further, the EU requires service providers to have substance within the union, whereas under the current wording the UK will not demand presence. This runs contrary to the common regulatory practice of requiring locality and raises additional questions about how sharp the teeth of the UK’s new regime will be.