RISE for banks and insurers, the regulatory considerations.

RISE with SAP deployments inside banks and insurers carry a regulatory perimeter that extends far beyond the standard SAP cloud contract. The perimeter is set by national regulators such as the European Central Bank, the European Insurance and Occupational Pensions Authority, the Prudential Regulation Authority in the United Kingdom, the Office of the Comptroller of the Currency in the United States, and a range of equivalent regulators across the regions where the buyer operates. The perimeter is also shaped by horizontal regulations such as the Digital Operational Resilience Act in the European Union and the corresponding operational resilience frameworks in other jurisdictions. The buyer team that approaches the RISE negotiation without the regulatory perimeter as a structuring constraint will produce a contract that fails the supervisory review, that triggers regulatory escalation during the operating period, or that constrains the buyer ability to defend the deployment at the next supervisory cycle. This article walks through the regulatory perimeter that applies to bank and insurer RISE deployments and the contractual structure that supports the regulated deployment.

The regulatory perimeter that applies to bank and insurer RISE deployments

The regulatory perimeter combines three layers of supervision that interact across the RISE contract. The first layer is the outsourcing supervision that the national regulator applies to any material outsourcing of a critical or important operational function. The supervision establishes the documentary requirements, the notification obligations, the supervisory review process, and the supervisory access rights that the regulator holds against the outsourcing arrangement.

The second layer is the operational resilience supervision that frameworks such as the Digital Operational Resilience Act and the equivalent national frameworks apply to the buyer technology estate. The supervision focuses on the resilience of the critical operational functions, the testing of the resilience, the management of the third party concentration risk, and the management of the digital operational events that affect the buyer. The supervision applies whether the function is operated internally or through a third party, with the third party arrangement carrying additional documentation and oversight requirements.

The third layer is the data protection supervision that combines the regional privacy regulation with the sector specific data handling requirements. The combination applies to the personal data of customers, the personal data of staff, the financial transaction data, the supervisory reporting data, and any other data category that the regulator has identified as carrying specific handling requirements. The supervision applies to the RISE deployment as the system of record for many of the data categories that the buyer estate processes.

Data localisation and sovereignty controls

The data localisation and sovereignty controls for bank and insurer RISE deployments need to address the regulatory positions of each jurisdiction in which the buyer operates and the supervisory positions of the home country regulator and the host country regulators. The controls cover the storage location of the production data, the storage location of the disaster recovery data, the storage location of the operational telemetry, the location of the personnel that operate the deployment, and the legal access that foreign authorities can assert against the data wherever it is stored.

The storage location controls should specify the named hyperscaler region or regions in which the data resides, with the contractual restriction on any movement of the data outside the named regions. The restriction should cover the production data, the disaster recovery data, and any backup or archival data that the deployment generates. The restriction should also cover the operational telemetry that the SAP delivery organisation generates from the buyer environment, because the telemetry frequently transits through SAP global support locations that sit outside the named regions.

The sovereignty controls should address the legal access that foreign authorities can assert against the data, including the access under the United States Cloud Act, the access under the equivalent national frameworks, and the access that any future framework could establish. The controls combine technical measures such as the customer managed key encryption with contractual measures such as the notification obligation on receipt of any foreign authority request and the cooperation obligation on the buyer legal challenge to the request. The combination provides the documentary basis that the buyer team will need to defend the deployment at the supervisory review.

Audit rights for regulated institutions

The audit rights for the regulated bank and insurer deployment need to extend beyond the standard SAP audit provisions to support the supervisory access that the regulator holds against the outsourcing arrangement. The extended rights cover the buyer right to conduct the audit directly, the buyer right to appoint a third party auditor, the regulator right to conduct the audit directly, and the regulator right to receive the audit report from any audit that the buyer or the third party conducts.

The buyer audit right should cover the operational environment that supports the RISE deployment, the controls that the SAP delivery organisation operates, the controls that the hyperscaler operates, and the controls that any sub processor operates. The right should not be constrained to a defined frequency or scope, because the supervisory access right that the buyer needs to support is not constrained in this way. The right should also cover the buyer ability to test the controls through penetration testing, vulnerability scanning, and the operational resilience testing that the regulatory framework requires.

The regulator audit right should be documented in the contract as a direct right of the supervisory authority, with the SAP delivery organisation obligated to support the audit on the same terms as the buyer audit. The documentation provides the supervisory authority with the assurance that the audit can proceed without requiring an additional contractual arrangement between the supervisor and SAP, and the documentation removes the negotiation friction that would otherwise arise at the supervisory request point.

Operational resilience and concentration risk

The operational resilience provisions for the bank and insurer deployment cover the recovery time and recovery point objectives that the deployment supports, the testing of the recovery arrangements at the frequency that the regulatory framework requires, the management of any service event that crosses a defined threshold, and the documentation of the resilience position across the regulatory reporting cycle. The provisions should align with the buyer operational resilience policy and should support the supervisory reporting that the buyer team produces at the defined cycle.

The concentration risk provisions address the regulatory concern about the systemic risk that a single cloud provider concentration creates across the financial services sector. The provisions should include the buyer right to migrate the deployment to an alternative hyperscaler region, the buyer right to migrate the deployment to an alternative hyperscaler entirely, and the buyer right to repatriate the deployment to an on premise or private cloud arrangement. The rights should be supported by the data portability provisions that make the migration commercially feasible, and the rights should be exercisable across the contract term rather than constrained to a defined renewal point.

Negotiating the regulatory schedule

The regulatory schedule is the contractual instrument that consolidates the regulatory provisions into a single addendum to the RISE contract. The schedule should be negotiated as a single document rather than a series of point amendments to the standard contract, because the consolidation supports the supervisory review and because the consolidation reduces the negotiation overhead at the next renewal or amendment. The schedule should be drafted to accommodate the addition of new jurisdictions as the buyer estate expands, the addition of new regulatory requirements as the framework evolves, and the addition of new supervisory authorities as the buyer entity structure changes. The schedule should be supported by the operating documentation that the SAP delivery organisation produces, including the control reports, the audit reports, and the operational resilience testing reports that the buyer team will provide to the supervisor.

Conclusion: the regulatory perimeter shapes the contract

The RISE with SAP deployment for a bank or insurer is a regulated arrangement before it is a commercial arrangement. The regulatory perimeter shapes the contract structure, the operating model, the data residency, the audit rights, the resilience commitments, and the concentration risk management. The buyer team that engages with the perimeter as the structuring constraint of the deployment produces a contract that supports the supervisory review across the contract term and that defends the deployment at every supervisory cycle. The buyer team that treats the perimeter as an addendum to a standard commercial negotiation produces a contract that fails the supervisory review, that triggers regulatory escalation during the operating period, or that constrains the buyer ability to defend the deployment at the next supervisory cycle. The structuring approach is the difference between a sustainable regulated deployment and a deployment that creates regulatory risk across the seven year contract term.