you are being redirected

You will be redirected to the website of our parent company, Schönherr Rechtsanwälte GmbH :

01 February 2024

Moving lock, stock and barrel to the cloud: what banks need to know when negotiating with service vendors

Skimming through business journals from the last decade or so, it feels like the transition to cloud computing has been looming over the banking industry for a long time. But with so many industries now taking steps to digitalise, even the traditionally cautious banking industry is being swept up in the tide.

AI experiment

As part of our AI experiment in roadmap24, we have curated a few prompts and asked AI about this article. Take a look and find out what ChatGPT responded*:



The pace at which credit institutions have been adopting cloud computing services has picked up significantly in the last two years, bolstered by the operational needs brought about by the COVID-19 pandemic but also by fintech and other nimbler competitors moving aggressively into financial institutions' traditional territory.

In this digitalisation push, few (if any) banks have publicly communicated a roadmap to full cloud adoption. Presumably fewer still have even prepared one. We have observed that banks prefer to move into cloud territory tentatively, by first harvesting the relatively low hanging fruit of the outer circle of enterprise apps like e-mail, internal chat and other communication and collaboration solutions, and some data & analytics and customer experience tools for integrating interactions with clients on multiple channels. On the other hand, cloud transitioning is more cumbersome when it comes to sensitive and complex areas such as core banking and may take some additional thought and strategizing.

Regardless of where in the process of cloud adoption a bank may find itself, there are at least several topics to be on the lookout for (listed below in an order not necessarily linked to their importance) when negotiating contracts with their cloud services vendors:

  • Vendor liability limitation: Vendors usually aim to limit their liability as much as possible, consistent with their "one to many" business model. On the other hand, this may not be easily acceptable to a bank due to regulatory requirements applicable to outsourcing arrangements. Moving past this requires some fine balancing in negotiation.
  • Data protection and confidentiality: Cybersecurity, data safety and business continuity come very high on the banks' agenda and are therefore typically a strong point of friction in their negotiations with cloud services suppliers. On the other hand, this needs to be reconciled with vendors' modus operandi and cost-saving proposition, which may require them to, for example, set up and maintain data centres throughout the world.
  • Termination rights: A right of the bank buyer to unilaterally terminate upon the regulator's request or for convenience (e.g. in case it wishes to insource or transfer to another servicer) may collide with the vendor's requirement to secure a steady income stream and restrict short-notice terminations.
  • Audit/access rights: Rights of audit/access for the bank buyer and the regulator may not be easily granted by the vendor because of their "one to many" model (resulting in high costs associated with separating customer data and their own sensitive information).
  • Resolution and digital resilience: Bank resolution-specific constraints as well as upcoming digital and operational resilience criteria applicable to banks may add further complexity to the process.

In practice, vendors (especially cloud natives) and their bank customers will typically start from very different places when looking to agree on contracts for cloud services. Suppliers start from the web-based general terms and conditions they have used in the consumer space and bank customers start with their traditional outsourcing agreements.

This is not to say that such arrangements cannot be agreed. In fact, cloud service providers and bank buyers often do reach a workable compromise, especially when the value driver for cloud adoption is robust. Established vendors also increasingly offer so-called "industry clouds" for their regulated clients. After all, banks and financial institutions are presumably the new frontier in cloud computing.

author: Adina Damaschin

AI experiment

* The AI add-on to this article ..

... has been curated by our legal tech team prior to publication.

... has been compiled by AI. Its results may not accurately reflect the original content or meaning of the article. 

... aims to explore AI possibilities for our legal content.

... functions as a testing pilot for further AI projects.

... has legal small print: This AI add-on does not provide and should not be treated as a substitute for obtaining specific advice relating to legal, regulatory, commercial, financial, audit and/or tax matters. You should not rely on any of its outputs as (formal) legal advice. Schoenherr does not accept any liability to any person who does rely on the content as (formal) legal advice.