European Banking Federation Guidance on testing of Cloud Exit Strategy

29.06.2020 NL law

Financial institutions may outsource critical or important functions to cloud service providers (“CSPs”). On 25 February 2019 the European Banking Authority (“EBA”) provided guidelines (the “EBA Guidelines”) laying out the framework for outsourcing arrangements. The EBA Guidelines require institutions to have a comprehensive, documented and sufficiently tested exit strategy (including a mandatory exit plan) when they outsource critical or important functions.

To support European banks, National Competent Authorities, and CSPs, the European Banking Federation (“EBF”) published guidance (the “EBF Guidance”) on the testing of exit plans on 4 June 2020, with the aim of supporting a harmonised approach to the supervisory requirements under the EBA Guidelines.

When outsourcing critical or important functions to CSPs, institutions must take into consideration the possibility of unplanned early termination of services, for example through the deterioration of the quality of the function provided, or the failure of the service provider. An exit strategy ensures risks are mitigated in the event of an extreme failure in the CSP’s service. The main objective of this strategy is to ensure the continuity and quality of the business functions even after an outsourcing arrangement is terminated. The exit strategy must contain alternative solutions and a transition plan to ensure business continuity during and after the transition phase.

The exit strategy must be approached in a risk-based manner, which means that the strategy should identify and anticipate possible risks. A mandatory element of the exit strategy is an exit plan, which must be tested to ensure that the plan is well documented and actionable when necessary. As mentioned, the EBF has provided guidance on the testing of the exit strategy. 

The EBF Guidance provides clarity on how to fulfil the testing obligation in practice. The guidance answers the following two questions:

1. When is exit plan testing appropriate?

The EBF Guidance explains that the appropriate level of testing is determined by the financial institution's and the CSP's stability and internal organisation, the nature, scope and complexity of their activities, the overall level of service resilience, and awareness of the level of control that the specific cloud sourcing demands. It is paramount to specify the level of effort required if it becomes necessary to use a different technology for a particular service or for certain processes.

Elements to take into consideration when answering the question of when testing is appropriate include:

• the required time for testing: testing can impose a significant burden on resources, which can impair business operations elsewhere;
• the costs of testing: testing can place a disproportionate burden on the costs of the institution;
• the risk of running the test: the risk introduced by the testing itself should not outweigh the risk the testing is meant to address in the first place;
• any exit plan considerations already included in the design of the cloud service: the CSP can include testing elements in the design of the service;
• the model of cloud consumption by the customer, for example the difference between hybrid and full public cloud usage;
• the impact of cloud service and technological integration, which can vary between cloud service models;
• the specificity and standardisation of the cloud service: factors inherent in the particular cloud service can make testing more appropriate, as they may reduce the required workload or the cost implications of the test; and
• the relationship between the different parties involved in the cloud service.

In light of the above considerations, the EBF Guidance rounds off this question by determining that an exit plan should be tested when:

• the outsourced service is critical;
• the implementation of the exit plan does not result in the discontinuance of the service;
• there is not already an alternative service implemented and running in the real environment;
• input and output data are retained and are not stored in a back-up system;
• the cloud service and its migration to an alternative service is not fully standardised; and
• the cloud service introduces risks around resiliency or financial stability.

2. What constitutes sufficient testing of exit plans?

When testing is indeed appropriate, the second question must be answered: what constitutes sufficient testing of the exit plan?

The EBF Guidance provides elements that financial institutions can voluntarily take into consideration to determine whether the exit plan has been tested sufficiently, including:

  • frequency of testing; 
  • verifying that the exit plan continues to fulfil the objectives of the exit strategy;
  • building and maintaining organisational readiness to execute the exit plan and to identify any need for modifications to the plan;
  • test methods to review the technical viability of the exit plan;
  • verification of the robustness of procedures and operating assumptions in a fully monitored and controlled environment;
  • review of the exit plan against current organisational security standards for protection of data;
  • calculation of current data volumes and identification of impact when the data needs to be transferred;
  • review of the agreements and collaboration procedures between the institution and the CSP;
  • discussion of the exit plan with other participants, in order to familiarise them with the current plans, to ensure all participants understand their roles and responsibilities, and to ensure that the key people involved in a potential exit are familiar with the exit plan;
  • reasonable level of confidence that the exit plan is feasible and that there is transparency on the required time to execute the plan;
  • update of obsolete exit plan areas, agreements and procedures based on identified changes and issues; and
  • impact of testing, for example the required effort to plan and perform the test and to handle deviations.
