Outsourcing contract and IT contracts

New legal and regulatory requirements to be integrated; legal aspects to be covered in contractual clauses

> FINMA Circular Outsourcing, New FADP, FINMA Circular on Operational Risks and Resilience
> Analysis of certain standard contractual clauses, updating of contractual documentation
> Impact of Artificial Intelligence on this type of contracts
> Cloud Contracts: importance of reversibility clauses; key points to negotiate in case of contract termination, etc.

Introduction

• Definition of «contract management»
• Reminder of contractual freedom
• Legal and regulatory requirements
• Wide variety of contracts in the financial sector
• Focus on certain contracts: outsourcing contracts, IT contracts
• Impact of new technologies in the contractual field: artificial intelligence (AI)

OUTSOURCING CONTRACTS

Definition of Outsourcing Contracts

• Essential outsourced function
  • Examples of outsourcing
• Transfer of large amounts of CID (“Mass CID”) to the service provider
  • Definition of the concept of «large amounts of CID»

Requirements of FINMA Circular 2018/3 Outsourcing Applicable to Outsourcing Contracts – Reminder of requirements and latest developments

• Inventory of outsourced functions
  • Requirements for the service provider
  • Professional capabilities
  • Guarantee of sustainable performance of the function / orderly reintegration of the outsourced function or transfer to another provider (reversibility)
  • Distribution of competences and responsibilities between the financial institution and the service provider
  • Regular monitoring of the service provider
    • Periodic assessment of the efficiency of security controls established by the provider
    • Periodic evaluation of service levels agreed upon in the «Service Level Agreements» (SLA)
• Audit and supervision: by FINMA; by the financial institution; by the financial institution’s audit firm
• Security requirements
  • Adequacy of measures
  • Continuity of the outsourced function in case of emergency («Business continuity / Disaster recovery»)
• Transfer of an essential function abroad
  • Guarantee of access and inspection rights abroad
  • Guarantee of restructuring and resolving the Bank
    • Access to necessary information at all times
• Requirements concerning subcontracting
  • Obligation to inform the bank in case of use or change of subcontractors performing essential functions
  • Possibility for the bank to terminate the outsourcing contract in case of refusal to use or change subcontractors
  • Transfer to the subcontractor of the necessary obligations and guarantees to comply with the outsourcing circular
• Confidentiality obligation

Federal Data Protection Act (FADP) of September 25, 2020

Reminder of some requirements and latest developments regarding the new FADP in the context of outsourcing involving CID transfer

• Obligations of the data controller
  • Duty to inform (art. 19 and 20 FADP)
  • Data protection impact assessment (art. 22 and 23 FADP): conditions, exceptions
  • Notification of data security breaches (art. 24 FADP)
• Security and data protection (art. 7 and 8 FADP and art. 3 OPDo) – Implementation of appropriate organizational and technical measures
  • Data protection by design and by default
  • Data access and identity management: authorization systems, selection of individuals with access to data, «need-to-know» principle, authentication
  • Data encryption, pseudonymization, and anonymization
• Requirements of the new FADP concerning subcontracting (art. 9 FADP)
  • Verification by the data controller of the subcontractor’s ability to guarantee data security
  • Prior authorization required from the data controller for the subcontractor to further subcontract data processing to a third party
  • Compliance by the subcontractor with the same general obligations as the data controller
• Transmission of personal data abroad
  • Transfer to a country with «adequate» data protection legislation
  • Transfer to a country without «adequate» data protection legislation

FINMA Circular 2023/1 Operational Risks and Resilience – Banks

Overview of certain requirements of this Circular in the context of outsourcing involving CID transfer

• Critical data
• Critical functions
• Strategies, policies, and internal procedures: Board of Directors, Executive Board, departments
• ICT risk management: establishing an inventory
• Cyber risk management: critical processes
• Critical data risk management: additional data protection measures when transferring or storing data abroad and outsourcing
• Business continuity management (BCM): requirements concerning the “disaster recovery plan” (DRP) in case of outsourced critical processes
• Guarantee of operational resilience: coordination of the components of comprehensive risk management, including outsourcing management

Content of Internal Guidelines and Procedures to Be Implemented for Outsourcing

• Internal roles and responsibilities
• Service provider selection
• Risk assessment
• Monitoring of outsourced function
• Description of the information to be included in an outsourcing contract
• Data protection
• Appendices to guidelines and procedures: inventory of outsourced functions and “incident report”

Specific Requirements Concerning Financial Institution Clients

• Lifting of banking secrecy (Article 47 LB)
• Duty of transparency

Documentation / Evidence Required by Auditors

• ISAE, ISO, and SOC reports (ISAE 3402, ISO 27001, SOC 1, etc.)
• Risk mapping
• Inventory of outsourced functions
• Documentation/clause stating subcontractors comply with regulatory requirements
• Documentation/clause stating regulatory security measures are respected

IT CONTRACTS

Definition of IT Contract

• No legal definition

Categories of IT Contracts

• Standard contracts: maintenance, license, software development, integration.
• Cloud Computing-Based Contract Categories: description, examples, points of concern
  • Cloud Deployment Models: Public Cloud, Private Cloud, Hybrid Cloud, Community Cloud
  • SaaS Contract (Software as a Service)
  • IaaS Contract (Infrastructure as a Service)
  • PaaS Contract (Platform as a Service)
  • FaaS Contract (Function as a Service)
  • DaaS Contract (Desktop as a Service)
  • StaaS Contract (Storage as a Service)

Structure of an IT Contract

• Contractual framework
• Different phases:
  • Implementation/Development Phase
  • Testing Phase (User Acceptance Testing, UAT)
  • Pre-Production Phase (“Staging”)
  • Production Phase or “Go Live”
• Analysis of typical clauses:
  • Clause on the Scope of Services Provided
  • Clause on Fees
  • Clause on Intellectual Property Rights
  • Clause on Liability and Indemnification
  • Clause on Confidentiality and Data Protection
  • Duration and Termination of the Contract
    • General Principles
    • Specifics of Terminating Cloud Contracts: Types of Terminations, Reversibility Clauses (Extent of Data Access Rights, Data Portability, Transfer Modalities)
  • Applicable Law and Jurisdiction

COMMON ISSUES

Impact of Artificial Intelligence in the Contractual Field and Specifically in Outsourcing and IT Contracts

• Contracts with AI Service Providers
• Importance of Certain Clauses in an AI Contract
  • Data Protection Clauses: Protection via a Data Processing Agreement (DPA)
  • Clauses Related to Confidentiality Obligations
  • Intellectual Property Rights (IPR) Clauses: Ownership of IPR, IPR on the Results (“Output”) Generated by the AI System, Use of Data for AI Training, Indemnification Clause, Background IP, Foreground IP, etc.
  • Contractual Obligations Related to AI Regulation and General Terms of Use of AI Service Providers
    • Impact of the “EU AI Act”
    • Requirements under Swiss Law
    • General Terms of AI Service Providers

Implications and Coordination of Departments/Services Concerned Within the Financial Institution in the Context of Outsourcing and IT Contracts

• Legal Department
• Compliance Department
• IT Department: Cybersecurity Department, Chief
  Information Security Officer (CISO)
• Risk Department
• Data Protection Officer (DPO)
• Operations Department
• Vendor Management Department

Updating, Modifying, and Archiving Contractual Documentation

• Contract Deadlines: Contract Renewal, Contract Termination
• Contract Modifications: Formal and Material Changes
• Archiving of Contractual Documentation: Retention Period, Form of Retention