eSignature Lawfulness for Outsourcing Services Contract in European Union

How to eSign a document: e-signature lawfulness for Outsourcing Services Contract in European Union

good morning good afternoon and good evening to our audience from all around the world we are extremely excited to welcome you to the first of a number of world ready webinars from the lex mundy it contraction advisory group as many of you be aware alex monday is the world's leading network of best of breed and market independent firms in 125 plus jurisdictions my name is callum sinclair i'm the head of tech commercial from scottish uk member firm ernest paul and i'm joined today by a star lineup of uh speakers who are our true experts in their field and our topic today is international financial services outsourcing so just by way of setting the scene we spoke when we traveled this session about an increasingly digital world where the potential benefits of i.t outsourcing can be many invaded uh successful projects can deliver time and cost savings the ability to upscale fast and access to global innovation and talent but there can also be challenges that lead to delay and failure in it outsourcing projects fast changing requirements unrealistic stakeholder expectations and lack of interoperability of systems investment of key knowledge supplier financial distress and a lack of alignment between customer and the supply chain financial services outsourcing often increases the complexity again as you know dealing with a heavy regulatory burden focused on operational resilience and security the outsourcing of function rather than responsibility and sometimes complex aging on-premise legacy it systems often the product of multiple mergers layer on top of that the international dimension and a whole new set of issues arise so what structure will be used will there be one overarching agreement or master terms and local country agreements often those agreements can be substantial and complex even in jurisdictions which have historically favored a light touch in the past in for example some parts of asia will there be locally based supplier contracting entities does the tax structuring work how will the flow of funds work what about the flow of data and how scalable and flexible are those contracts can territories be added and removed from scope and what impact will that have on pricing and risk more recently cohort is driving more activity online and making travel and physical interactions very difficult which will likely impact established models for implementation operations and support and then there are political factors like brexit from a european perspective all this adds up to a requirement for a lot of careful planning and specialist support particularly for high value high risk and business critical projects and it's against this excuse me it's against this backdrop that we have brought together our experts today on international natural services outsourcing we speak regularly as international colleagues about what lex mindy firms are seeing as developing friends and international efforts outsourcing what there are some issues that are specific to certain jurisdictions there are certainly a number of common themes so i'm going to start today with with ian ian duffy from arthur cox and ian perhaps you could give us a high level eu perspective first yeah sure collins so i think a key theme in the eu in recent years has been a move towards more regulations so traditionally financial institutions would have been predominantly concerned about complying with the staff site sourcing guidelines from 2006 but that's changed quite a bit in the last number of years and we've seen a series of different guidelines being published by regulators including the eba outsourcing guidelines and guidelines on outsourcing to the cloud from esme and yoga and unsurprisingly these guidelines have been accompanied by um you know increased regulatory scrutiny around outsourcing and also an increase in in the level and the quantum of fines being issued for breaches of the outsourcing world so for example in ireland in recent years we've seen the central bank of ireland issue a number of fines and four breaches of the outsourcing rules and this increased regulatory burden has naturally caused a number of financial institutions to increase the amount of time and resources they invest into ensuring compliance with the outsourcing rules and there are a couple of key aspects of this i suppose firstly and most obviously there's making sure that you have an appropriate contract in place with your expert service provider and in certain cases that can mean including certain provisions like relating to service levels audit business continuity exit i think but a second and perhaps less heralded aspect of compliance it's putting in place an appropriate governance an oversight structure in other words making sure that you effectively monitor and oversee your outsourcing arrangements because like you said column while you might be able to answer as a function what you can't do is outsource responsibility for the regulatory compliance of that function so in practice that governments can look like you know appropriate governance meetings with your outsourced service providers appropriate reporting but also making sure that you have appropriate reporting lines internally to make sure that information in relation to your outsourcing arrangements trickles up within your organization and in practice we see quite a lot of financial institutions looking to leverage off existing reporting lines effectively do that another key part of effective governance and oversight is an appropriate outsourcing policy so again this can be really helpful in terms in terms of ensuring a consistent approach towards outsourcing across your organization which is aligned with regulatory requirements just one final point the move towards more regulation looks set to continue towards the end of last year the european commission published its proposed digital operational resilience act known as dora and this prescribes that certain contractual provisions will have to be included in all contracts between financial institutions and ict service providers and significantly invis it envisages that critical ict service providers will be subject to direct supervision by the european supervisory authorities for the first time so that's quite a significant development and i think lots of tech companies and financial institutions will be closely monitoring dora over the next year to see how it impacts on their business oh yeah thank you ian and and joachim does that shine with you and i've heard that though soon be additional local regulations in germany and outsourcing in the financial sector is that correct yes callum that's correct shortly for christmas last year the german legislator published a draft on strengthening the integrity of the financial market it's called obviously a reaction or as a reaction on the wirecard scandal we had in germany the new fact is focused on the auditing of banks but it also provides for some new regulatory constraints regarding outsourcing in several modifications to the german banking supervisory active so-called creditors and gazettes first the term service provider shall be redefined so that also subcontractors are included and we will see later on what the consequences are and second to improve the german regulators market overview and to enable the regulator baffin to identify risks of concentration of outsourcings in the industry on a small number of service providers two old acquaintances from the early 2000s are real or shall be revitalized now so the obligation to notify with barfin and the german federal bank first the intention to outsource and second then the closing of the transaction so these two obligations rise from the debt again so to say and the obligation to notify serious incidents which is just an obligation under the ebac guidelines for example now it is or it shall be set as an obligation to notify the regulat the regulatory authority of um serious incidents um that may have a material impact on the banking activities and third the regulatory authority as ian just said shall be entitled to impose binding orders directly on service providers and if the access service providers not only on the first level but also to each subcontractor which is slightly inconsistent with the fact that only the bank are subject to supervision and for international outsourcings important is the obligation of service providers located abroad to appoint a local representative in germany on to whom the administrative orders can be served so as the term service provider is much more broad now under this new act this will also apply to each subcontractor and if you use an international service provider such as ibm or alibaba or who else of course he has many many subcontractors and all these will have to appoint these representatives in germany and it is expected that this new act will be enacted short before the federal elections which we will have in germany in september so it it is something which is um absolutely actual now and which will have to be reflected in the next agreements thank you thanks jacob that's really interesting and what about if we can move on maybe to another trend how parties are allocating risk between one another um can i bring in ken from clayton um ken what are you seeing in international deals led out of australia sure sure callum um so so soon i thought lawyers are famous for kicking liability discussions down the road to the very last last negotiation system look it's interesting in australia that there's um you know 20 years ago in financial services outsourcing um it was very much a case that you had your traditional uncapped categories of loss so that you know confidentiality you'd routinely see and then after some years privacy worked its way in and then we had our our private federal privacy act which came in um uh many years ago now i think what we're seeing recently is there's an increasing resistance to uh category uncapping categories of loss that were traditionally um uncapped so [Music] particularly privacy and data protection recently is now routinely being pushed back to having customers even even large financial institutions with relatively significant bargaining power um having them accepting super caps as opposed to having it entirely uncapped so that's a that's a distinct um change and what we're seeing is it's giving rise to an interesting interaction between different causes of action so you know parties are now having to think about well um if it's an uncapped category of loss versus a category of loss that was subject to a cap you know what if there's a breach of a privacy obligation that is also a breach of law and so you have this intersectionality between different buckets of risk allocation and there's also increasing focus on liability for compliance with laws particularly those laws relate to privacy so um you know traditionally there is a distinction between vendors saying we're happy to say we'll comply with laws um in the provision of the services in other words what we're actually doing will comply with laws versus the product we build you depending on how you use that that will comply with laws traditionally that wasn't too much of a big argument but increasingly you've got these systems that manage personal data that's becoming more of a big argument that the second category got you thanks thanks ken and latisha um from a spanish point of view from an eu point of view other specific challenges that you want to highlight on the risk allocation side yes of course we we're in line with what ken was sharing we have new challenges with a more disruptive or recent technologies to the extent technologies are becoming more complex like having a clear line between the the responsibilities of the provider and the responsibilities of the of the financial institution becomes more complex to to fix it within the contract especially within the cloud environment where big a cloud companies are are imposing this this concept of a shared security model or shared responsibility model which makes sense from a technical point of view because these providers they're putting together all the infrastructure that the centers and so on so they they are responsible for that while financial institutions are putting in the cloud and moving to the cloud apps data and things that they control so within the the context of a contract it is very complex to to really fix the line of this shared security or share responsibility model there are things that are under the control of the financial institution and things that it should be the responsibility of the provider but this time is not clear at all within contract so it is a risk a for for companies financial institutions to set in this line in the contracts and a challenge for lawyers especially since eba guidelines and other regulators are including a specific requirements in the guidelines saying that companies should be fixing a rules around data integrity confidentiality security and responsibility of the parties so this is probably one of the most challenging moments for for risk allocation within contracts we first need to understand how technology works what is each company it's putting in the cloud in the uh so so we are able to fix that uh you know that in within the contract so that's a very interesting challenging challenge we're having great thank thanks latisha and we'll come back to the cloud um in a bit um as well um lindell from from clay notes we mentioned subcontractors earlier on how about the involvement of subcontractors in complex fs outsourcing i think um yorkum touched on that as well and when we spoke earlier you mentioned that that's coming under increased scrutiny are there any um lessons or insights there yeah thanks callum i suppose a few a few of the speakers have touched on i think ian did as well about this kind of increasing regulatory environments and something that the other speakers mentions with the eba guidelines one of the things that kind of pops in my mind is about this additional layer of regulation for subcontractors and and i guess you know that's a kind of a customer perspective but it also kind of reminds me that it's you know really naturally sparking um quite a bit of pushback from suppliers and this is something that's not just happening in europe and letitia mentioned the global reach of arrangements and things like that but it's also a bit of a theme that's popping up in australia and also across asia pacific as well particularly out of hong kong singapore and places like that where you often do have a bit of interaction and with things coming out of europe and global deals and all that sort of thing and i guess you know we all appreciate the reasoning behind this it all makes sense and to put these controls in place but it naturally has challenges and i think one of those things is around you know does a traditional approach to managing subcontractors actually work anymore like is it feasible in all situations and i think perhaps for some types of it services it's not um and some of those are really the things and the tissue just touched on it too about this whole sharing arrangement and different like commoditization of services and i think that some categories of i.t services sub-suppliers would see as being quite low risk so for instance if you had someone like a telefonica or a singtel or someone come in like that and they get a subby to come on and build some circuits put in a powerpoint whatever it may be they see that as quite low risk and i feel like the suppliers are saying well hold on a minute why do you need a termination right in respect to these subcontractors they're not really doing anything much it's on standard terms it's something we have here on year and it's going to be a whole lot of work to flow down these sorts of rights and obligations that we need to pass and remedies that we need to pass through down to our subcontractors so you kind of have that environment and you also have a bit of another side of the coin where you have some suppliers you know perhaps rightly so you can tell i asked for customers most of the time but there's some suppliers saying that look you know guys if you want this price we need control of our supply chain and you can't come in and tell us to do all these sorts of things because we'll have to feed that into our into our solution so there's that side as well um in australia i feel that we're perhaps not at your level perhaps in europe yet around regulation there's of we have lots of financial guidelines and and things like that which do put do mandate some um control around subcontractors like suppliers have to be on the hook you know that sort of thing and but there still is a bit of wriggle room here um so i think we're starting to see a trend with supply chain management and those sorts of things but perhaps we're not quite yet um with the rigor that we see elsewhere um and i think for me ultimately the last kind of thing is really that you know we can't expect supplies to perhaps rewrite their whole system but then suppliers also have to think about look customers need a robust and transparent supply chain so it's that that inevitable juggle fantastic wendell thanks very much um and york i'm just maybe coming back to you um and i suppose still on the theme of risk allocation what about the interaction between the banks and what the financial services providers internal audit function with outsourced services are there any pensions there and what are the issues you're seeing yes since um often banks wish to outsource not only the material services and functions to their third party service provider but also the related internal function the internal audit function for these services so that you have a combined package of the service itself plus the internal services on these outsourced services and this requires a correspondingly experienced and theft internal audit unit in the service providers organization which is more or less equivalent to a bank's internal audit function so service providers will have to build up such internal audit units which means a significant investment before they can achieve the first euro of pound or u.s dollar of of revenue and um in in the contracts we often see a tendency of the banks to um require that in case the banks or the regulatory auditor comes to audit findings that in these cases the service providers shall take the necessary corrective actions free of charge free of charge but it is questionable whether an audit finding automatically correspondent corresponds to a male performance of the service provider since only ml performance on the service provider sites which justify that the service provider takes the corrective actions free of charge so and what we see often in in contracts is that on the one side the banks insufficiently specify the service to be rendered which then turns into an internal audit finding and um in these cases well it's not not more than a change request finally that um newly defined specifications will have to be put in place and that is something which um means a change request so maybe also additional costs and you can not always overburden this the the financial consequences of these insufficiencies to the service provider so that is typically attention between these two um tendencies or trends thank you thank you joko and i suppose one other further trend that we are we've all um seen is the growth and adoption of new technology across the financial services deals we're involved with um so more new tech very much a trend and what were once technology pilots are now finding their way into the mainstream deals open banking is now proliferating to become open finance with new and interesting customer propositions being developed and despite some ongoing challenges with legacy systems procurement and onboarding in-tech collaborations with innovative smaller players are now becoming sustainable and in some cases leading to accurate acquisitions of those fintechs um and there are a new breed of challengers emerging with a laser focus on customer experience [Music] answer to some degree a leakage of cryptocurrency offerings into and crypto asset offerings into established regulated financial systems um i asked david feltman um who could be with us today a member of our i.t contracting advisory group from blake's in north america and for a north american viewpoint and although david is canadian qualified and professes himself not an expert in us outsourcing practices he told us that his impression is that the canadian regulator is generally more conservative and more prescriptive compared to the us regulator and for example many major tech companies have had to to make special accommodations for their canadian financial institution customers so that these customers can comply with canadian regulatory requirements and i understand that these are these same special accommodations are generally not offered and to us financial institutions because there's no similar u.s requirement and more generally in the canadian position david reports that the canadian regulator has established guidance that applies when regulated financial institutions outsource business activities functions processes which includes guidance on specific terms that need to be included or addressed and the outsourcing agreement very much as we've seen in other jurisdictions and last year the canadian regulator announced a public consultation on technology risks in the financial sector and with the intention of updating its guidance on outsourcing um and the current focus um as i understand it is on analyzing and understanding three priority areas of technology related risk those being cyber security advanced analytics and third-party ecosystems and in addition to technology data is the other key foundational aspects and is interconnected to all of those three priority risk areas i think the other common theme that the group keeps coming back to is is the use of ai and machine learning and data and the ever-increasing importance of cyber security and there's also more and more adoption of of cloud technology a couple of our speakers have mentioned in financial services across the board and linda if i could come back to you um you perhaps you could give us your thoughts on on cloud adoption and financial services and some of the added challenges there well i guess it's all about the cloud isn't it at the moment so i feel like you can't think about financial services outsourcing without thinking about the cloud and and you know there's massive projects at most financial institutions you know moving from on-prem to cloud and and the the rigor that comes with that and i think um leticia touched on this earlier as well about the global touch points so some matters that i've worked on you may think it's okay for one jurisdiction but then you move to hong kong and it's a different and regulatory environment again and so something that you think was going to work out of london it doesn't work anymore so it's um it's an interesting area to be in at the moment and one conundrum that often comes up for ken and myself is around how how can a low-cost cloud model actually accommodate these requirements and you know even in a situation where say you know in australia hong kong the eu wherever it may be where they're actually sector-wide regulatory regimes um but they still have they actually still struggle with this because of the way in which the cloud solution often works um you know you see especially see some suppliers like you think of like the microsoft's and things like that who have their fs amendments um that you know assist you on the journey but often you find that they're not actually where you quite need them to be and that's not a slight to them it's a supplier and they're looking after their space um and their product but you know it's this environment so it's these kind of um sometimes a disconnect in this conundrum that you face with that type of solution i think with cloud as well there's you know i have quite a bit of sympathy sometimes for suppliers when you feel like you know cloud or whatever particular you know amazing solution is coming forward it doesn't it's like putting you know around square pegging around holes sometimes where you have financial institutions wanting things like step-in rights and and all that that just doesn't quite work perhaps in the cloud environment so i think that's a definite um an area where we need to watch this space and have to have a think about you know what are some more effective ways about managing performance and ensuring performance when you're working with a cloud solution and the cloud service provider because perhaps our old ways of doing things just don't quite get us to where we need to be and even if we negotiate them in which sometimes we do you know what's the use so it's trying to think about this new innovative environment um to get what we want for both sides um i think to another thing that we've spotted recently as well is trying to merge things together what's happening with hybrid models where you have perhaps a private cloud where the customer can come in and tweak around a bit you know how does that work with the greater cloud solution who's responsible for what who's liable for what and ensuring that we have this smooth flow of services um throughout and data management and everything like that so i i think there's quite a few challenges i think cloud's exciting you know it's been around for a bit now but it's still got that you know that kind of shiny edge to it that we all like getting involved with i think there's challenges but to be honest you know it's growing and growing and growing cloud adoption but we're all there so both on the customer side and on the supplier side we're certainly not alone so it's something where we're all facing the same challenges and hopefully we'll get some really interesting results terrific thanks and latisha if i could come back to you and cloud's one of those technologies that's often contracted by financial groups worldwide or group wide and so covering several jurisdictions under a single agreement and so i understand that's not uncommon in spain for example where several groups have a global reach you know perhaps in the latin america area what what's your experience and what are the means of contractual and practical challenges to watch with us yes of course and i do agree with what you know what was saying on on this complexity and when we deal with these multi-jurisdictional contracts especially on cloud but not only on cloud there are specific challenges for example my colleague was referring to companies offering like schedules to adapt the agreements to specific you know requirements of within a region for example eva guidelines in in europe still what we're seeing in practice is that some of these companies providers are willing to offer these additional protections ing to specific region regulations for for that specific region for example for the european region and it's more complex to adapt this when the riches is global uh because uh in in general terms these regulations these eva guidelines or other financial regulators guidelines they want to be applied within a consolidated basis within the financial group which means that it should be applied worldwide so we're facing not only discussions with service providers and on these things in order to to extend the expanded the scope of these protections worldwide uh but also practical problems because there's sometimes some of these requirements companies are not ready to offer that in certain jurisdictions because of auditing or monitoring requirements or cyber security requirements for example in europe all companies a financial institutions are required requiring penetration testing for the cloud and things like that that in some cases we're seeing this is not a available or feasible in other regions from a technical perspective so it's not only that we agree in the contract that this a requirements regulatory requirements should apply worldwide but still we need to that to be complied with in technical terms in practical terms which is sometimes a challenge there are other complexities around this type of global rich agreements for example on on something that seems to be very easy to cover but in voicing for example uh in many cases these companies they allow very few these providers they allow very few companies to pay well there are hundreds of companies within an affiliates within the financial group acquiring the services so this becomes very complex in terms of a currencies and tax matters and so these agreements are are a a lot of fun i should say but they they are a very complex for final challenges which really cover the requirements worldwide thank you very much and of course again a few speakers have mentioned it but the security and privacy of customer data remains a primary concern in fs outsourcing too and particularly where there's a cross-border and flow of data and and most major economies around the world now have data privacy laws that would have something to say about that and there's certainly been a lot happening in that space in europe um following the shrimps too decision and with the european court of justice and your maybe you could tell us a wee bit about how that decision might impact international outsourcing projects you particularly if the service providers organization is set up internationally and it's and that's where some of the efficiencies and economies of scale are coming from yeah so as you said service providers with the service organizations spread all over the globe will regularly use um affiliates in non-eu or er countries such as u.s or india china belarus and and so on to provide their services and this means that they will have to pass this or to successfully pass the test on the need for additional measures as set out in the shrimp's juice decision in addition to the sccs or to bcrs or whatever they have in place and many service providers cannot yet present a readily complete analysis of the legal situations in all their near or offshore countries they they want to use and which are included in their service organization so that additional research will be necessary for for them but i think even more important as the right of governmental authorities to access data which which was the the original point of the friends 2 decision but which is um to be honest quite normal in many jurisdictions i hear my echo so even more important as the right of governmental investigation agencies to access data will be whether the respective country whether in the respective country data subjects concerned have legal protection options against such data access since this is really what is what was emphasized by the european court of justice in the french two decision and um as already legitia said additional technical measures so for example encryption will become more more important the use of encryption methods in the provision of services and will therefore have to be carefully examined with a high degree of detail so you have really to dig down into the technical processes and whether and to which extent you you can use encryption um so it is not only a contractual and a legal issue but is of course as always a significant cost factor too thank you and at this point um i'd like to bring in um yeah thank you callum um maybe one point i would like to add to um your kim description is we've seen a specific factor also slowing down some of the outsourcing or cloud transactions those past few those past few months it is the cloud act um so what is the cloud act is the clarifying lawful overseas use of data act which was enacted as a federal law in the united states in 2018 and what the cloud that allows is it allows the federal rule enforcement to compel us-based technology companies including provider of remote computing services i.e google aws or microsoft azure via varrent or supernat to provide all the data they store on servers even though those servers are not located on the us territory which means that the cloud act may apply in situations where a banking institution in europe outsourced a processing within the european union but to a provider which is under the control of a u.s group so we've seen the cloud act slowing down a lot of transactions uh when one of the companies from the from the us was was involved that being said we have engaged discussion between the european commission and um the united states government um to to find reciprocal agreements because the uh the idea of the um of the cloud act is really to uh make it easier in terms of investigation for uh criminal activities to uh to get access to electronic evidence so um it is expected that when such agreement between the european union and the u.s will be found it will be um it will be easier uh to overcome the current uh um obstacles seen in the uh indica at this stage providers can still use some of the cloud sorry banking student can still use some of the providers either by using the technical measures which joaquim was mentioning or also by by practicing risk energies we had the case recently where there was a lot of public discussion in france for the hosting of the uh health data relating to covid situation with microsoft azure in europe where french judge said that it was very unlikely that the us authorities tried to access those that are as part of a criminal investigation so claudette is really something to um to consider in uh in cloud and uh outsourcing transactions at this date um the other points uh to answer your question regarding the interaction between financial services regulation and data protection which is um interesting is the load of new regulations so for a long time financial institutions have been very sensitive to data protection because bank secrecy is key in the relationship between a bank and its client when they are individual or a legal person so sensitivity about the production of personalities is clearly here what we have seen recently is more interaction between financial regulation and data protection let me give you a few examples the first one which i think is very interesting is the interplay between the second payment service directive and the gdpr if you look at the at the pst2 um first it clearly mentioned um data protection and compliance with the ancestor of the gdpr the directive 9546 both the raci tools and the article especially article 94 of the psd2 refers to compliance with the data protection rules but also on the other side the european data protection board has published a very lengthy analysis of how to implement pst2 in data protection context what is feasible what is not very interestingly edpb has been commenting on the concept of consent under pst2 by explaining that the consent under psd2 is not the same as the consent under the gdpr and also a lot of other interesting developments regarding the way the psd2 must be implemented vis-a-vis silent parties have the impossibility to process saving and investment account data based on the legal objection created by psd2 so a lot of interaction between gst2 and and gdpr we have other examples recently in france where the knee the french data protection authority commented on development regarding financial services beats the use of biometric system including factual recognition for distant opening of accounts with the use of credit card as part of distance setting and the e-commerce activities and and maybe one which is a very interesting one um last year the european ombudsman was uh solicited by an individual and this individual was claiming that there was a massive breach of gdpr rules by the banks when implementing uh on the broad basis um antimony antimony rendering regulation know your customer regulation or counter terrorism uh financing measures unfortunately the ombudsman declined to review the case but it was a very interesting situation where based on data protection the regulation was was opposed by uh by a european citizen what i would like to say to conclude is that we see more and more regulation forcing banks to implement new types of processing which might be considered as very sensitive processing fighting against terrorism fighting against money laundering fighting against fraud imposing more transparency like me feed and all those processing by definition are looked suspiciously by the data protection authority which will try to impose safeguards condition constraints and in a lot of those situations banking institutions are a little bit in the contradictory injunction where they have to comply with new obligation and also to respect uh data protection rules so the situation for for banks force them to have probably more involvement on the um on their data protection experts in order to be able to implement those new regulations the the smoothest way fantastic tier thank you very much um ken if i could come back to you thank you um i'll wait till tier he goes on mute please terry it was it was so good i said it twice um ken on data and cyber security obviously an increasing concern there as we heard from terry for financial services you know particularly during the global pandemic where fraud and cyber breach has seen an alarming increase um what's the view from the southern hemisphere you know we hear a lot about the european position on data protection and cyber is there anything happening in australia on that front yeah yeah it's so it's interesting so um listening to that i mean philosophically from a policy perspective australian regulation uh and and to the extent that other jurisdictions in the asia pacific tender you know some of them have modeled their legislation on ours to some degree it tends to be technology agnostic in other words generally australian legislators uh uh are reluctant to specify you know you must use this level of encryption or these types of technical controls um they're more likely to describe the qualities that a particular say it's a cyber security solution needs to have than than specifying the actual standard you know whether that's that or electronic signatures you see that sort of theme come up again and again um in our regulation we have two in the in the financial uh services outsourcing context we have two i suppose significant instruments so so apra which is our prudential regulator in in australia they have uh they publish conceived cps's or consolidated credential standards and uh there's there's relevantly cps231 cps234 the first is released outsourcing that's been around for some years um and and that that prescribes certain things that's if you're entering into an outsourcing agreement and it's outsourcing of material business activity there are particular things that the outsourcing agreement needs to contain particular protections again they expressed at a pretty high level cps234 is more recent and that relates to the security of information assets um but again it's non-prescriptive as to information asset protection it regulates the regulated entity so the financial institution of the bank and it says that you know essentially here are the things that you have to do to secure your information assets and to the extent that you are outsourcing um you have to be satisfied that um the outsourced service providers have commentary protections um but again it doesn't specify down to a granular level what what those are so what has happened is that different financial institutions have developed their own requirements based on their own interpretation of what that means for them um and then if you connect that back with some of the themes that we've been hearing particularly around you know tonight or this morning on cloud and sas um it's interesting because then you'll have a financial institution saying well um here here are our security requirements for information assets so cyber security um and then you'll have a cloud provider saying oh that's very nice but here's how we do it around the world um and i say here but i may be either giving you a document or just pointing you to a hyperlink um you know on some website so there's that there's that internal there's that tension in terms of of how things are done i think the role of internal security teams within financial institutions is going to become increasingly important because they'll need to be able to you know to find a way through these things they'll they'll need to be able to to draw um educated judgments as to um the gap between the two if there is a gap or if it's just differently expressed um but that's that's probably the the the most interesting thing calendar to call out from from down under surprise thanks very much ken um at this point um i'd like to invite anyone who has a question for our speakers to post in the chat function and if we've got some time at the end we will try to answer what we can if we can answer your questions um online then we're we're very happy to to follow up and whilst you're doing that and thinking about your questions um did i say that any uh no webinar led by abrep is complete without me exit at least at once so on that note i'd like to come back to ian if i may um just to speak about i suppose what impact you know we heard a lot about this uh even in the run up to to brexit and both uk and an eu perspective what impact is brexit having on outsourcing in the financial sector and what issues is it likely to present going forward yeah so thanks calm i think one obvious impact of brexit is on the location or or the relocation of market participants so i think undoubtedly london will continue to be a preeminent global financial services center but equally we are seeing a number of financial institutions increase their footprint in other parts of the eu so you know in the likes of dublin frankfurt paris bonds um to brexit and and one result of that is that we're seeing you know an increasing number of outsourcing arrangements being entered into from those locations in the eu and previously that might not have been the case and i think brexit has also increased and the importance and the number of intragroup outsourcing arrangements that we're seeing so while institutions may have increased their footprint in dublin or frankfurt or paris they still for the most part will have a significant operation in london with considerable expertise resources and skills and often those functions in places like dublin will require support and assistance from london or from other locations in the uk in order to stand up and operate their businesses so really and that can result in pretty significant and often quite complex intra group outsourcing arrangements and i think it'll be interesting to see how those arrangements are affected if we do actually see reasonably significant regulatory divergence between the eu and the uk because you could end up in a scenario where you have functions in london looking to service the business in the uk and the business in dublin the business in frankfurt but all of a sudden those businesses are subject to quite different regulatory rules and regulatory regimes which will present challenges and to to service them so how financial institutions will bridge that gap and deal with that challenge if it does indeed come to pass i think will be interesting to see superb thank you very much ian so i'm conscious that we're we are almost i'm out of time we've got about another eight minutes to go and we're all conscious that this is a huge and expert area to cover in such a short space of time but hopefully we've given you some food for thought um and i can see some questions coming in so i'll come to those in a moment and i'd like to ask um my colleague lindsay to put up a slide with our expert speakers details on it just to um so that you have their details and also maybe just to finish before we come to q a by asking each of our speakers to give um maybe their one top tip um in relation to international financial services outsourcing from from their experience so maybe if i could come to you first tre um to un mute and give your top tip and then mute again please my tip will not be surprising to you in europe all banks must have a dpo under the gdpr and all banks and financing institutions doing business with european customers being subject to gdpr probably also must have a dpo so my tip is involve your dpo in any single outsourcing project from the start of the project don't wait the end of the negotiation to bring them on the table bring them at the at the start of the project because they will be very useful to ensure compliance with data protection rules on those projects thank you um and you're coming if i could come to you next for your top ten well my top tip would be to financial institutions so also regulatory burden um has increased in recent years you should not succumb to the temptation to completely and often blindly impose responsibility for their fulfillment on the service provider since first that would be unfair the service provider can no more estimate future developments than you can and banking finally is your business second it would be inadmissible from a regulatory point of view since the bank is never allowed to completely hand over the steering wheel to a third party and third regulatory in compliance must not necessarily mean a contractual default thank you joachim ken i can come to you next yeah um uh look i think i'll go back to the theme of risk allocation that that you started with me on callum i think uh the top tip for me would be um one size doesn't fit all um in the new world of financial services outsourcing um so just be open i would say two creative ways to exploring um the typical negotiation roadblocks you know i think if we continue to impose you know old world outsourcing standards without just thinking a little bit creatively then um negotiations will will drag on longer than is helpful for anybody and perhaps ultimately our clients won't thank us for it so keep an open mind would be my suggestion super thanks kevin that's good advice um wendell i think mine's a bit of a bit of a man trough when you're thinking about those sticky global deals that cover you know 700 sites or whatever it might be i think my thing is embrace the rules obviously we have to but also don't be afraid to be innovative and to think differently because sometimes the answer is not there it's actually around an unexpected corner so definitely keep your ears open listen to what both and trying to work through the madness together through the madness i like it lindell thank you very much and latisha yes probably my my final thought would be to that we have a challenge in front of us we need first to understand technology before we get into the contract so we need to make an additional effort to understand all these uh parts of the disagreements with ai cloud cyber security tools and so on so that's probably our main challenge trying to understand the scope whatever it can come in the future not only what you're acquiring in that a specific moment so having this open mind a within the the contract and also i think it's also very helpful to to to deal with these agreements like partnerships at the end of the day financial institutions are becoming partners with this technological tech company so a probably the best way to reach agreements is to find this as a partnership and sit together and try to find reasonable solutions when the regulator comes and both parties needs to be together trying to you know to support whatever solution they have a agreed uh and and they this is a partnership for sure super thank you and ian if i could come to you for a final top tip yeah so i think having a clear approach towards outsourcing can be really beneficial i i think it can help in terms nothing falls between the gaps either from a commercial or a regulatory perspective so whether that's having you know appropriate policies in place or even a playbook that gives you different options but also making sure that that structure like others have said gives you the flexibility to adapt to to different scenarios i think is really important but ultimately i think it can help to ensure that you cover off all the bases surpass that's fantastic thanks ian um i can see there's one question in the chat and thank you to the questioner and who says i come from a a multi-jurisdictional finance company and keen to know your experience with um financial services agreements with the cloud providers um and and the question is experience you know those agreements don't fit the global requirements of of respective finance authorities i mean i said certainly and i'm happy to throw this up into the floor um but certainly from our experience um we work on customer side but also supply side and increasingly on the supplier side and with cloud providers certainly i know that some of the hyperscale cloud providers have financial services regulatory um schedules or modules um and in many cases those have been tested against uh jurisdictional requirements in a number of territories um particularly in europe but not exclusively in europe and us but not exclusively there um so hyperscale cloud providers um will probably be reasonably well covered there there may be some points of attention there may be areas where you know there'll be tricky conversations around concessions to be made um i think the problem or the issue might come when you get here down from the hyperscale cloud providers where there's maybe less slightly less flexibility there's maybe more of a one-size-fits-all set of cloud terms that maybe haven't anticipated quite so much some of the regulatory challenges around financial services um and those are those are the deals that can move a bit more slowly but increasingly i think cloud providers you know if they want to be in that market and they realize that there are particular requirements that they'll just have to meet and the more that they can anticipate those in advance and the more likely they are to to do to do the deals and to do some good deals with um financial services providers which bring that kind of genuine sense of partnership that literature latisha mentioned so i think we're actually i'm just coming up to the turn of the hour now so i think we're probably now out of time um could i just thank um you so much and the first instance for for joining our webinar today and we're extremely grateful for your time and i would also like to thank sincerely thank my colleagues in the jurisdictions uh the speakers for their expertise and their insightful remarks and today you can see their details um on the screen um and please do feel free to use linkedin or or other channels to connect with with us and we our next world ready webinar will be in a couple of months time and on technical tech platform regulations so if you've got particular interest in that topic and do look out for details and please feel free to spread the word um and it just remains for me to say wherever you are in the world and have a fantastic rest of your day and thank you very much indeed for joining us