Buying SaaS? Here’s how to avoid a bad contract

From cloud-based core banking engines to insurance underwriting technology, SaaS has become an integral part of financial services.

But as the number of solutions has increased, so too has the risk and complexity of SaaS contracts, and this presents a whole series of potential challenges for busy CEOs and founders who, understandably, want to focus their energies on the growth of their business.

If you are dealing with a contract for foundational SaaS (i.e. a strategic SaaS contract that goes to the foundation of your business), then getting it wrong can be costly at best and terminal at worst, hitting you financially and reputationally.

Take, for example, payment company Square’s two-hour outage earlier this year. The incident prompted anger among customers who took to social media to vent their fury. And that’s without the regulator’s intervention or legal action from customers. Again, when US bank Capital One moved to a SaaS solution, a hacker managed to extract the data of 100 million customers before posting it to a public GitHub page. The bank was fined $80 million not because of the hack, but because the SaaS contract failed to properly address information security. The bank’s total loss will probably exceed $300 million, thanks to various court actions.


Key steps to achieving a good SaaS contract

So, if you are a CEO or founder what should you do?

The first thing to understand is that the dynamics – and risk profile – of a SaaS contract are radically different to those of old-school on-prem contracts. If you fall out with your on-prem software provider then, provided your software licence is still in place, you can carry on using the software. You won’t get maintenance and support, but you can usually manage for a year or two. But if you fall out with your SaaS provider, that’s it: no more functionality. Also, crucially, if you fall out with your on-prem software provider, you will still have all of your data on your systems. But if you fall out with your SaaS provider, all of your data is sitting on their servers, not yours.

The next important thing to do is understand your negotiating power. As a buyer, you have lots of it: lots of it, that is, until you tell the supplier that they are the preferred provider. Then your negotiating power goes from 100 to about 20. So, before you commit, make sure that your preferred supplier has committed to (i.e. the price they are offering includes) the terms that are key for you.

What are the key terms? Well, these vary from contract to contract, but here are some important ones to think about.

Am I locked in to the contract? How easily can I walk away and take my data with me?

Am I being provided with a service that’s market standard or better, or am I being fobbed off? You need to look at uptimes (and how they are defined), system response times, and also time to fix problems (graded by severity: P1, P2, etc.).

Does the supplier have skin in the game? Does the contract have service credits or similar that allow me to beat the supplier over the head, or is my only recourse the nuclear option of termination?

Does the supplier have the right to suspend the service? This should be a real red light for a buyer because it allows the supplier to inflict the maximum damage on a business by suspending the service, but without the penalty of losing client fees (which is what would happen if the supplier terminated in the normal way).


And if you are regulated?

And if you are regulated, it’s three times as hard.

The FCA (and other financial service regulators) are increasingly concerned about important functionality (and therefore risks) sitting outside the regulatory perimeter with SaaS companies that are not themselves regulated.

If you are a regulated company buying in a SaaS service that’s important to your business, then you can expect the FCA to pay extra attention to your contract. The FCA has always maintained that outsourcing is not abdication, and so you have to be able to demonstrate that you have retained operational control. If your contract does not demonstrate this (and most vendor contracts don’t), then you are already in breach of regulations before anything has gone wrong.

To make things even harder, since March this year the FCA’s new requirements on OpRes have started to come into effect. Regulated companies must now examine how disruptions in their systems can impact their clients. You need to identify and map the resources needed to deliver important business services, from people and processes to technology and facilities. You need to carry out scenario testing and you need to be able to demonstrate to the FCA, if asked, that you have a documented OpRes strategy in place that meets the new requirements.

OpRes is not specifically about SaaS, but your foundational SaaS contracts should reflect the OpRes requirements and your overall OpRes strategy.


The benefits of getting contracts right

But it’s not all doom and gloom. You can get the benefits of SaaS, without any of the contract downsides, if you know what you are doing (or know someone who does). If you’re about to procure foundational SaaS, you’ll want to ensure you employ a lawyer who works in the sector on a day-to-day basis and who can make sure you get the most bang for your buck.

If you want to learn more about negotiating a SaaS contract, follow me on LinkedIn for further content, advice and insights.