Financial institutions may outsource critical or important functions to cloud service providers (“CSPs”). On 25 February 2019 the European Banking Authority (“EBA”) provided guidelines (the “EBA Guidelines”) laying out the framework for outsourcing arrangements. The EBA Guidelines require institutions to have a comprehensive, documented and sufficiently tested exit strategy (including a mandatory exit plan) when they outsource critical or important functions.
To support European banks, National Competent Authorities, and CSPs, the European Banking Federation (“EBF”) published guidance (the “EBF Guidance”) on the testing of exit plans on 4 June 2020, with the aim of supporting a harmonised approach to the supervisory requirements under the EBA Guidelines.
When outsourcing critical or important functions to CSPs, institutions must take into consideration the possibility of unplanned early termination of services, for example through the deterioration of the quality of the function provided, or the failure of the service provider. An exit strategy ensures risks are mitigated in the event of an extreme failure in the CSP’s service. The main objective of this strategy is to ensure the continuity and quality of the business functions even after an outsourcing arrangement is terminated. The exit strategy must contain alternative solutions and a transition plan to ensure business continuity during and after the transition phase.
The exit strategy must be approached in a risk-based manner, which means that the strategy should identify and anticipate possible risks. A mandatory element of the exit strategy is an exit plan, which must be tested to ensure that the plan is well documented and actionable when necessary. As mentioned, the EBF has provided guidance on the testing of the exit strategy.
The EBF Guidance provides clarity on how to fulfil the testing obligation in practice. The guidance answers the following two questions:
1. When is exit plan testing appropriate?
The EBF guidance explains that the appropriate level of testing is determined based on the financial institutions’ and CSPs’ stability and internal organisation, the nature, scope and complexity of its activities, as well as the overall level of service resilience and awareness of the level of control the specific cloud sourcing demands. It is paramount to specify the level of effort required if it becomes necessary to use a different technology in a particular service or for certain processes.
Elements to take into consideration to answer the question of when testing is appropriate include:
- the required time for testing: testing can impose a significant burden on resources, which can lead to impairing business operations elsewhere;
- the costs of testing: testing can lead to disproportionate burden on the costs of the institution;
- the risk of running the test: the risk introduced by testing itself should not outweigh the risk which is meant to be addressed by the testing in the first place;
- any exit plan considerations already included in the design of the cloud service: the CSP can include testing elements in the design of the service;
- the model of cloud consumption by the customer, for example the difference between hybrid and full public cloud usage;
- the impact of cloud service and technological integration, which can vary for different cloud service models;
- specificity and standardisation of the cloud service: factors inherent in the particular cloud service can make testing more appropriate, as they may reduce required workload or cost implications of the test; and
- the relationship between the different parties involved in the cloud service.
In light of the above considerations, the EBF Guidance rounds off this question by determining that an exit plan should be tested when:
- the outsourced service is critical;
- the implementation of the exit plan does not result in the discontinuance of the service;
- there is not already an alternative service implemented and running in the real environment;
- input and output data are retained and are not stored in a back-up system;
- the cloud service and its migration to an alternative service is not fully standardised; and
- the cloud service introduces risks around resiliency or financial stability.
2. What constitutes sufficient testing of exit plans?
When testing is indeed appropriate, the second question must be answered: what constitutes sufficient testing of the exit plan?
The EBF Guidance provides elements that financial institutions can voluntarily take into consideration to determine whether the exit plan has been tested sufficiently, including:
- frequency of testing;
- verifying that the exit plan continues to fulfil the objectives of the exit strategy;
- building and maintaining organisational readiness to execute the exit plan and to identify any need for modifications to the plan;
- test methods to review the technical viability of the exit plan;
- verification of the robustness of procedures and operating assumptions in a fully monitored and controlled environment;
- review of the exit plan against current organisational security standards for protection of data;
- calculation of current data volumes and identification of impact when the data needs to be transferred;
- review of the agreements and collaboration procedures between the institution and the CSP;
- discussion of the exit plan with other participants, in order to familiarise them with the current plans, ensure all participants understand their roles and responsibilities, and ensure that the key people involved in a potential exit are familiar with the exit plan;
- reasonable level of confidence that the exit plan is feasible and that there is transparency on the required time to execute the plan;
- update of obsolete exit plan areas, agreements and procedures based on identified changes and issues; and
- impact of testing, for example the required effort to plan and perform the test and to handle deviations.