Cloud computing has burst onto the scene. Broker-dealers, ATSs and ECNs see nothing but sunny skies ahead. This article clears up some of the often nebulous deal terms each should consider before sending trade data to the clouds.
What In The World Is Cloud Computing?
The “cloud” is made up of software and hardware service providers invisible to the traders using them. Traders see only the front-end website. Broker-dealers, ECNs and ATSs timeshare the servers, networks, administrators, and software developers. Traders enjoy the benefits of more services, more flexibility, scalability, more access to liquidity and faster executions. All this comes without broker-dealers, ECNs and ATSs having to incur large upfront capital expenditures for hardware and software requiring frequent upgrades and without having to hire and retain costly IT staff. The cloud has expanded beyond traditional IT services, and now offers a broad range of market data, blotters, portfolio models, analytic tools, dark pools, trading algorithms, and aggregator services.
Choosing Service Partners In The Cloud?
A search for a partner begins with structured due diligence. Examine qualifications, technology, staff, management style and past work of potential service partners. Obtain and review proposals that include detailed descriptions for any services to be provided. Regulated entities that have been through the outsourcing exercise will attest to the many technical and legal obstacles involved in picking the right service partners. A wrong choice can result in significant downstream costs, reputational damage, regulatory liability, or worse. Broker-dealers, ECNs, and ATSs cannot sacrifice performance, increase trade latency, tolerate downtime, skimp on compliance, or injure their customers with technical snafus.
Many large cloud service providers purport to offer “industry standard” service or technology agreements. Make no mistake. These agreements are complex and rife with legal traps. They need to be carefully negotiated with advice of experienced in-house or outside counsel. The devil is in the details, and it pays to have a negotiating team with IT know-how and regulatory and software expertise. Broker-dealers, ECNs and ATSs must avoid letting their judgment be clouded by the lure of potential cost savings in using service providers. They need to think carefully about the following issues when they negotiate cloud computing agreements.
How Do I Make Sure The Cloud Meets Expectations?
Clear specifications in the contract should detail how software is to perform and interact with hardware and other software. The client may want the cloud provider to agree to each and every representation made by the cloud provider’s sales staff. The cloud provider, in contrast, may seek to provide performance obligations that meet loose definitions not always tailored to the client’s needs. The cloud provider should define “bugs,” satisfactory levels of “bugs,” what events are deemed a “failure,” and remedies for a “failure” occurring. Think “fix” as opposed to mere restoration of service. Think service level obligations and penalties if they are not met. Beta testing provisions may also be included to ensure that the software–before a global rollout and commitment–meets minimum requirements during the beta phase. The negotiation process is an opportunity for the client to “smoke out” the cloud and determine how confident the cloud is about the performance of its products.
How To Protect The Data In The Cloud?
The client may want guarantees that its data will remain uncorrupted and secure, during both data transmission and storage. Further, the client may request cloud service providers to agree not to share information that reveals the identity of customers, trading patterns or aggregate trades. The client should require that the cloud maintain confidentiality and renounce any ownership interest in any data received from the client or its customers.
How To Handle Regulatory Requirements In The Cloud?
Broker-dealers have been regulated by the SEC since its creation in 1934. ATSs have been directly regulated by the SEC only since 1998, when the SEC promulgated Regulation ATS, Rules 300-303. Rule 301, for example, specifies requirements for ATSs, including: capacity estimation, stress testing, security reviews, oversight procedures, disaster recovery plans, annual auditing, and filing and periodically amending Form ATS to report material system outages or changes. FINRA imposes additional regulations on broker-dealers and ATSs. The operations of broker-dealers, ECNs, and ATSs fall into two categories–those that cannot be outsourced, and those that can with proper supervision. Broker-dealers cannot outsource regulatory responsibilities. The cloud should only perform ministerial activities for the broker-dealer. Except for limited back office contact, the cloud should not communicate with a broker-dealer’s customers. The broker-dealer client must monitor and supervise any outsourced functions on an ongoing basis pursuant to comprehensive written supervisory procedures (WSPs).
Neither the SEC nor FINRA has made clear how much, if any, responsibility falls directly on the cloud service providers, themselves. As the line between the client and the cloud blurs, both the SEC and FINRA may conclude that policy considerations weigh heavily in favor of subjecting the underlying providers to direct regulation. Such a change would likely take an act of Congress because regulatory jurisdiction over the cloud is unclear. For now the regulators reach the clouds through the backdoor, requiring broker-dealers to put certain provisions in their outsourcing agreements. For example, agreements normally need to provide regulators access to the client’s data at the cloud service provider.
Who Is Responsible When The Cloud Crashes?
Clouds burst. Systems glitch. Networks crash. Parties need to agree on how liability for resulting damages, both actual and consequential, will be apportioned. The parties will need to decide if liability should only arise from willful misconduct or if a negligence or gross negligence standard is more appropriate. Typically, the cloud service provider may insist on a bold faced disclaimer and a modest cap on its liability. Such limitations can be outright rejected or countered with carve outs for failures to meet support obligations that clearly fall in the hands of the cloud. Given that traders, as end-users, will not necessarily have a direct relationship, much less a direct agreement, with the cloud, broker-dealers, ECNs, and ATSs will bear the brunt of their customers’ fury if the cloud fails. The cloud will typically insist on disclaiming any liability for consequential damages; at the very least, clients could seek a carve-out for the cloud’s gross negligence or willful misconduct.
A “cloud computing” structure could involve significant software integration between the client and the cloud, perhaps even sharing source code. The cloud may want full indemnification from any claims or lawsuits arising out of use of the software on its servers. Clients should seek to limit indemnifications to claims covering acts or omissions that are within their control. In turn, clients should also seek indemnification from the cloud for any breach of a covenant to provide support level obligations and to ensure that products will perform in accordance with their specifications and not infringe the intellectual property rights of others. The parties may also consider insurance policies to cover indemnities, to mitigate hefty potential damages in the event of an infringement finding. The relative economics of the transaction appropriately will play a big part in how liabilities are allocated between the parties.
Who Owns The Intellectual Property In The Cloud?
Clients and cloud service providers might cross-license software to provide an integrated solution, for example, when both the client and service provider have intellectual property that the other can use. Under a cross-license, each party gives its counterparty a license to use its respective technology. Each will want to maintain full ownership to all of its intellectual property. Clients may seek a fully paid, perpetual license, to any software developed by or with the cloud in connection with providing services under the agreement.
What If The Relationship With The Cloud Sours?
Clients will need to plan for the termination of service provider agreements where services repeatedly fail or regulatory changes cannot be accommodated. The cloud may create a tangled web that makes terminating a relationship difficult. Availability of transition services should be a consideration at the time of entering any agreement. Ideally, services should be portable with minimal costs when moving to a new provider. The agreement should allocate costs and require the cloud to provide its full cooperation in the transition. Moreover, the cloud and the client should anticipate how transition and termination provisions could be interpreted in the event of either’s insolvency.
This article casts a few rays of light through the clouds. These transactions are not one-size-fits-all. They require careful planning and thoughtful negotiations. As more broker-dealers, ECNs, and ATSs look to the clouds, the industry will face increased regulatory scrutiny, intellectual property lawsuits, and technical issues. Clients need to meticulously analyze, understand, and provide for the potential issues when clouds are selected and agreements negotiated.
Mr. Sharp is a partner and Messrs. Kurzer and Reese are associates in the Litigation Department of Milbank, Tweed, Hadley & McCloy LLP. Mr. Reese is also an adjunct assistant professor of computer science at Hunter College (CUNY). The views expressed herein are not legal advice, are solely those of the authors, and may not be attributed to Milbank or its clients.