This post is an extract from our comprehensive white paper, “Fintech PaaS & SaaS Cloud Deployment Checklist: 12 critical legal considerations for providers of PaaS and SaaS fintech solutions deploying in the cloud”, which is available as a free PDF download here.
This post discusses certain licensing issues from the perspective of cloud-based platform developers in the financial technologies sector in the context of their commercial relationships with customers and suppliers. We refer to cloud-based platform developers as “providers” throughout.
Here in the UK, intellectual property rights (IPRs) in software and information technology are normally protected as literary works (i.e. as copyright, under section 3 of the Copyright, Designs and Patents Act 1988 and related case law).
Providers of cloud-based fintech solutions (as is the case for developers of most cloud-based platforms) typically do not own all the IPRs in their deployed applications.
Providers often bundle together IPRs owned by third party licensors together with their own developments in cloud-deployed “as-a-service” offerings.
The third-parties’ IPRs are often protected under standard form click-wrap licensing terms, different jurisdictions’ intellectual property regimes and varying licensing standards, meaning that a complex tapestry of protective regimes and terms typically applies to a single cloud offering behind the scenes.
Platform providers must therefore identify and work through, with each of their third-party licensors, the correct solutions for sub-licensing the IPRs of those third party suppliers to their customers and sometimes, where necessary, they may require their customers to enter into separate licence agreements with those third parties.
To keep cloud providers honest, well-advised customers will typically expect indemnities from cloud providers to protect them against any infringement of third parties’ IPRs, often with no limitation on liability, which means it is critical that providers, caught between third party suppliers and customers, keep a clear view of the flow of IPR licensing down the chain.
Sophisticated customers will also expect commitments from cloud providers that, where the customer is required to enter into a separate licence with a third-party licensor, the cloud provider will retain responsibility for the delivery of all overarching platform services and that the separate third-party licence will only relate to use and access of that third party’s IPRs.
Providers will typically only license their platforms/software for use by customers in the jurisdictions in which such IPRs will be used and only in relation to specific use cases.
A restrictive approach to customer licensing by cloud providers not only ensures tighter control commercially, it can also serve to ensure clearer alignment with the terms imposed by third party licensors and can protect providers where unusual or less onerous intellectual property laws operate in certain jurisdictions that are out of scope.
Accordingly, providers must ensure that they themselves have the right to grant sub-licences in the relevant jurisdictions and for the relevant use cases (as granted by the third party IPR owners), which can be less straightforward than it sounds.
Another element that is often not considered by cloud providers is the onward licensing of open-source software. Under the terms of open-source licences, from the GNU General Public License v3, through the Apache 2.0 licence and the MIT licence, the underlying open-source code or software can typically be incorporated into derivative works, without the need for end users or customers to be granted separate sub-licences.
It is important to understand, though, how open-source licensing is affected by additional development or modification to open-source code. Under many open-source licences, where the underlying open-source software is modified, the resulting modified software must itself be made available on an open-source basis (including any new code) under the terms of the relevant open-source licence (known as “copyleft” licences).
The Affero GPL licence, for example, requires licensees (in our case, cloud-based platform providers) to make available the source code of the finished work (including the platform provider’s own proprietary code) to its sub-licensees on an open-source basis.
Meanwhile, at the other end of the spectrum, the BSD licence is a “permissive” or “non-copyleft” licence enabling the sub-licensing of modified versions of the open-source software on a proprietary basis.
As with so many aspects of clean licensing chains, the devil is in the detail.
Given the increasing oversight and due diligence standards expected by the UK’s Financial Conduct Authority (and other regulators) in relation to outsourcing by regulated firms to technology providers, which include requirements for regulated customers to perform due diligence on the terms of agreements with their cloud providers’ third party suppliers, it is important that fintech platform providers are crystal clear of their licensing position.
At Clearlake, we recommend, and have regularly performed, end-to-end licensing audits of cloud-based solutions on behalf of PaaS and SaaS fintech providers, backed up with any necessary renegotiation of third-party licences, to ensure that the use and sub-licensing of our clients’ cloud offerings, from original IPR owner through to end user, align correctly (both legally and in practice) across multiple licence and sub-licence holders, whether privately owned or open-source, and across jurisdictions.
Where multiple third-party IPR infringement indemnities are in place across multiple customers, licensing reviews can also result in a significant reduction in platform providers’ exposure to indemnity liability risk behind the scenes without the need to renegotiate customer agreements.
At Clearlake, our commitment is to combine premium quality service and unrivalled value such that we give our clients a competitive advantage when entering into new arrangements with their customers and suppliers.
Please feel free to reach out directly to the author of this post, Dan Stanton, on email@example.com or 0204 570 8741.
This post is an extract from our comprehensive white paper, “Fintech PaaS & SaaS Cloud Deployment: 12 critical legal considerations for providers of fintech PaaS and SaaS solutions deploying in the cloud”, which is available for download as a printable PDF here.