European Banking Federation Guidance on testing of Cloud Exit Strategy

29.06.2020 NL law

Financial institutions may outsource critical or important functions to cloud service providers (“CSPs”). On 25 February 2019 the European Banking Authority (“EBA”) provided guidelines (the “EBA Guidelines”) laying out the framework for outsourcing arrangements. The EBA Guidelines require institutions to have a comprehensive, documented and sufficiently tested exit strategy (including a mandatory exit plan) when they outsource critical or important functions.

To support European banks, National Competent Authorities, and CSPs, the European Banking Federation (“EBF”) published guidance (the “EBF Guidance”) on the testing of exit plans on 4 June 2020, with the aim of supporting a harmonised approach to the supervisory requirements under the EBA Guidelines.

When outsourcing critical or important functions to CSPs, institutions must take into consideration the possibility of unplanned early termination of services, for example through the deterioration of the quality of the function provided, or the failure of the service provider. An exit strategy ensures risks are mitigated in the event of an extreme failure in the CSP’s service. The main objective of this strategy is to ensure the continuity and quality of the business functions even after an outsourcing arrangement is terminated. The exit strategy must contain alternative solutions and a transition plan to ensure business continuity during and after the transition phase.

The exit strategy must be approached in a risk-based manner, which means that the strategy should identify and anticipate possible risks. A mandatory element of the exit strategy is an exit plan, which must be tested to ensure that the plan is well documented and actionable when necessary. As mentioned, the EBF has provided guidance on the testing of the exit strategy. 

The EBF Guidance provides clarity on how to fulfil the testing obligation in practice. The guidance answers the following two questions:

  1. When is exit plan testing appropriate? 

    The EBF Guidance explains that the appropriate level of testing is determined based on the financial institutions’ and CSPs’ stability and internal organisation, the nature, scope and complexity of their activities, as well as the overall level of service resilience and awareness of the level of control the specific cloud sourcing demands. It is paramount to specify the level of effort required if it becomes necessary to use a different technology in a particular service or for certain processes.

    Elements to take into consideration to answer the question of when testing is appropriate include:
  • the required time for testing: testing can impose a significant burden on resources, which can lead to impairing business operations elsewhere;
  • the costs of testing: testing can lead to a disproportionate burden on the costs of the institution;
  • the risk of running the test: the risk introduced by testing itself should not outweigh the risk which is meant to be addressed by the testing in the first place; 
  • any exit plan considerations already included in the design of the cloud service: the CSP can include testing elements in the design of the service; 
  • the model of cloud consumption by the customer, for example the difference between hybrid and full public cloud usage;
  • the impact of cloud service and technological integration, which can vary for different cloud service models;
  • specificity and standardisation of the cloud service: factors inherent in the particular cloud service can make testing more appropriate, as they may reduce required workload or cost implications of the test; and
  • the relationship between the different parties involved in the cloud service.

    In light of the above considerations, the EBF Guidance concludes that an exit plan should be tested when the outsourced service is critical; the implementation of the exit plan does not result in the discontinuance of the service; there is not already an alternative service implemented and running in the real environment; input and output data are retained and are not stored in a back-up system; the cloud service and its migration to an alternative service are not fully standardised; and the cloud service introduces risks around resiliency or financial stability.

  2. What constitutes sufficient testing of exit plans?

    When testing is indeed appropriate, the second question must be answered: what constitutes sufficient testing of the exit plan?

    The EBF Guidance provides elements that financial institutions can voluntarily take into consideration to determine if the exit plan is tested sufficiently, including:
  • frequency of testing; 
  • verifying that the exit plan continues to fulfil the objectives of the exit strategy;
  • building and maintaining organisational readiness to execute the exit plan and to identify any need for modifications to the plan;
  • test methods to review the technical viability of the exit plan;
  • verification of the robustness of procedures and operating assumptions in a fully monitored and controlled environment;
  • review of the exit plan against current organisational security standards for protection of data;
  • calculation of current data volumes and identification of impact when the data needs to be transferred;
  • review of the agreements and collaboration procedures between the institution and the CSP;
  • discussion of exit plan of other participants, in order to familiarise them with the current plans and ensure all participants understand their roles and responsibilities, and to ensure that the key people involved in a potential exit are familiar with the exit plan;
  • reasonable level of confidence that the exit plan is feasible and that there is transparency on the required time to execute the plan;
  • update of obsolete exit plan areas, agreements and procedures based on identified changes and issues; and
  • impact of testing, for example the required effort to plan and perform the test and to handle deviations.
     
