European Banking Federation Guidance on testing of Cloud Exit Strategy

29.06.2020 NL law

Financial institutions may outsource critical or important functions to cloud service providers (“CSPs”). On 25 February 2019 the European Banking Authority (“EBA”) provided guidelines (the “EBA Guidelines”) laying out the framework for outsourcing arrangements. The EBA Guidelines require institutions to have a comprehensive, documented and sufficiently tested exit strategy (including a mandatory exit plan) when they outsource critical or important functions.

To support European banks, National Competent Authorities, and CSPs, the European Banking Federation (“EBF”) published guidance (the “EBF Guidance”) on the testing of exit plans on 4 June 2020, with the aim of supporting a harmonised approach to the supervisory requirements under the EBA Guidelines.

When outsourcing critical or important functions to CSPs, institutions must take into consideration the possibility of unplanned early termination of services, for example through the deterioration of the quality of the function provided, or the failure of the service provider. An exit strategy ensures risks are mitigated in the event of an extreme failure in the CSP’s service. The main objective of this strategy is to ensure the continuity and quality of the business functions even after an outsourcing arrangement is terminated. The exit strategy must contain alternative solutions and a transition plan to ensure business continuity during and after the transition phase.

The exit strategy must be approached in a risk-based manner, which means that the strategy should identify and anticipate possible risks. A mandatory element of the exit strategy is an exit plan, which must be tested to ensure that the plan is well documented and actionable when necessary. As mentioned, the EBF has provided guidance on the testing of the exit strategy. 

The EBF Guidance provides clarity on how to fulfil the testing obligation in practice. The guidance answers the following two questions:

  1. When is exit plan testing appropriate? 

    The EBF Guidance explains that the appropriate level of testing is determined by the stability and internal organisation of the financial institution and the CSP, the nature, scope and complexity of the institution's activities, and the overall level of service resilience, together with awareness of the level of control the specific cloud sourcing demands. It is paramount to specify the level of effort required if it becomes necessary to use a different technology for a particular service or for certain processes.

    Elements to take into consideration to answer the question of when testing is appropriate include:
  • the required time for testing: testing can impose a significant burden on resources, which can lead to impairing business operations elsewhere;
  • the costs of testing: testing can lead to disproportionate burden on the costs of the institution;
  • the risk of running the test: the risk introduced by testing itself should not outweigh the risk which is meant to be addressed by the testing in the first place; 
  • any exit plan considerations already included in the design of the cloud service: the CSP can include testing elements in the design of the service; 
  • the model of cloud consumption by the customer, for example the difference between hybrid and full public cloud usage;
  • the impact of cloud service and technological integration, which can vary for different cloud service models;
  • specificity and standardisation of the cloud service: factors inherent in the particular cloud service can make testing more appropriate, as they may reduce required workload or cost implications of the test; and
  • the relationship between the different parties involved in the cloud service.

    In light of the above considerations, the EBF Guidance rounds off this question by determining that an exit plan should be tested when:
  • the outsourced service is critical;
  • the implementation of the exit plan does not result in the discontinuance of the service;
  • there is not already an alternative service implemented and running in the real environment;
  • input and output data are retained and are not stored in a back-up system;
  • the cloud service and its migration to an alternative service are not fully standardised; and
  • the cloud service introduces risks around resiliency or financial stability.

  2. What constitutes sufficient testing of exit plans?

    When testing is indeed appropriate, the second question must be answered: what constitutes sufficient testing of the exit plan?

    The EBF Guidance provides elements that financial institutions can voluntarily take into consideration to determine whether the exit plan has been tested sufficiently, including:
  • frequency of testing; 
  • verifying that the exit plan continues to fulfil the objectives of the exit strategy;
  • building and maintaining organisational readiness to execute the exit plan and to identify any need for modifications to the plan;
  • test methods to review the technical viability of the exit plan;
  • verification of the robustness of procedures and operating assumptions in a fully monitored and controlled environment;
  • review of the exit plan against current organisational security standards for protection of data;
  • calculation of current data volumes and identification of impact when the data needs to be transferred;
  • review of the agreements and collaboration procedures between the institution and the CSP;
  • discussion of the exit plan with the other participants, in order to familiarise them with the current plans, ensure all participants understand their roles and responsibilities, and ensure that the key people involved in a potential exit are familiar with the exit plan;
  • reasonable level of confidence that the exit plan is feasible and that there is transparency on the required time to execute the plan;
  • update of obsolete exit plan areas, agreements and procedures based on identified changes and issues; and
  • impact of testing, for example the required effort to plan and perform the test and to handle deviations.
