As outlined in the Principles for Operational Resilience of BCBS, banks should have business continuity plans in place and conduct business continuity exercises under a range of severe but plausible scenarios to test their ability to deliver critical operations through disruption (BCBS 2021). Similarly, supervisory authorities may require FSPs to develop, maintain and periodically test appropriate business continuity plans for outsourced material services. These plans are essential for ensuring and improving the operational resilience of FSPs. They should account for the possible events where the quality of the provision of the outsourced material services deteriorates to an unacceptable level or fails completely. Additionally, plans should consider the potential impact of the service providers’ insolvency or other failures and, where necessary, the relevant country and political risks in the service provider’s jurisdiction.
Supervisory authorities may also require FSPs to ensure that service providers in material outsourcing arrangements implement appropriate business continuity plans. These plans should anticipate, withstand, respond to, and recover from severe but plausible disruptions to the material service. Business continuity plans of both FSPs and service providers should be forward-looking when assessing the impact of potential disruptions. These plans may include: (i) business impact analyses, (ii) recovery strategies, (iii) testing programmes, (iv) training and awareness programmes, (v) communication and crisis management programmes.¹ For instance, MAS requires FSPs to ensure their service providers regularly test their business continuity plans to confirm they can meet recovery objectives. Also, MAS-regulated FSPs need to require their service providers to notify them of any test results that may affect the service provider’s performance. An FSP also needs to be informed of any substantial changes in the service provider’s business continuity plan and any adverse developments that could substantially impact the services provided to the FSP.
The contract between the FSP and the service provider may need to include clauses that allow both the FSP and the supervisory authority to access, audit and obtain relevant information from the service provider. These provisions will enable the FSP and the supervisory authority to assess the effectiveness of service providers’ business continuity plans when necessary. This will help them evaluate the service provider’s ability to deliver the material services that the FSP relies on, either entirely or in part.
As part of safeguarding operational resilience, FSPs may need to establish resilience requirements for the service providers that deliver material services to them. For example, the UK regulators require FSPs to assess the resilience requirements for the cloud outsourcing services provided and the data managed (PRA 2021). This assessment should follow a risk-based approach to decide the appropriate cloud resilience measures. Such measures may include:
- Using multiple data centers in different geographical locations, allowing a switch to a data center in another physical location
- Having multiple active data centers in different availability zones within the same region, which allows the service provider to re-route services if a data center becomes unavailable
- Implementing a hybrid cloud architecture (i.e., a combination of hosting environments such as public cloud, private cloud, and/or on-premises data centers)
- Implementing a multi-cloud architecture (i.e., engaging multiple or back-up vendors)
- Adopting any other viable approach that can enhance and maintain an appropriate level of resiliency
The ECB’s draft guidelines set out similar expectations for the relevant FSPs. The ECB expects FSPs to ensure that, for material functions, abrupt discontinuation of a CSP’s outsourced cloud services does not cause business disruption beyond the maximum tolerable downtime or data loss specified in the FSP’s internal policies (ECB 2024a). To achieve this, FSPs should use a combination of the measures listed above to remain fully operational, including in cases where a failed CSP cannot provide the expected level of assistance during an orderly transition under the exit plan. Also, FSPs should retain the ability to bring data and applications back on-premises. Therefore, FSPs should consider using technologies that ensure the portability of data and ICT systems, facilitating effective migration while minimizing the impact of using a solution specific to an individual CSP.
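The following is an added example, not code from the paper or from any of the regulators it cites. It assumes an FSP keeps a simple inventory of where each outsourced material service runs (provider, region, zone, active or standby), the downtime and data-loss figures observed in its latest continuity test, and its internal maximum tolerable downtime and data-loss limits. The check reports which of the resilience measures listed above a deployment actually provides, whether it is portable enough to be brought back on-premises, and whether the tested failover figures stay within the internal limits. Names such as `cloud-a` and `on-prem` and all figures are constructed for the example.

```python
"""Resilience-topology check for an outsourced material service (added example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    provider: str        # hypothetical labels, e.g. "cloud-a", "cloud-b", "on-prem"
    region: str          # geographical region of the hosting environment
    zone: str            # availability zone / data centre within the region
    active: bool = True  # True = actively serving, False = standby only


@dataclass
class ServiceDeployment:
    name: str
    sites: list[Site]
    measured_rto_minutes: float  # time to restore service in the latest continuity test
    measured_rpo_minutes: float  # data loss window observed in the latest test
    portable: bool               # data and ICT systems can be migrated or brought on-premises


@dataclass
class Tolerance:
    """Limits taken from the FSP's internal policies (constructed values in the demo)."""
    max_tolerable_downtime_minutes: float
    max_tolerable_data_loss_minutes: float


def resilience_measures(dep: ServiceDeployment) -> dict[str, bool]:
    """Map each measure from the list above to whether the deployment exhibits it."""
    providers = {s.provider for s in dep.sites}
    regions = {(s.provider, s.region) for s in dep.sites}
    active_zones = {(s.provider, s.region, s.zone) for s in dep.sites if s.active}
    cloud_providers = providers - {"on-prem"}
    return {
        # data centres in more than one geographical location
        "multi_region": len(regions) > 1,
        # more than one *active* data centre inside a single region
        "multi_az_active": any(
            sum(1 for z in active_zones if z[:2] == r) > 1 for r in regions
        ),
        # mix of public/private cloud and on-premises hosting
        "hybrid_cloud": "on-prem" in providers and bool(cloud_providers),
        # more than one cloud vendor engaged (primary plus back-up)
        "multi_cloud": len(cloud_providers) > 1,
        # ability to migrate away from a CSP-specific solution
        "portable": dep.portable,
    }


def tolerance_findings(dep: ServiceDeployment, tol: Tolerance) -> list[str]:
    """Compare tested recovery figures against the internal tolerances."""
    findings = []
    if dep.measured_rto_minutes > tol.max_tolerable_downtime_minutes:
        findings.append(
            f"tested RTO {dep.measured_rto_minutes} min exceeds maximum tolerable "
            f"downtime of {tol.max_tolerable_downtime_minutes} min"
        )
    if dep.measured_rpo_minutes > tol.max_tolerable_data_loss_minutes:
        findings.append(
            f"tested RPO {dep.measured_rpo_minutes} min exceeds maximum tolerable "
            f"data loss of {tol.max_tolerable_data_loss_minutes} min"
        )
    return findings


def assess(dep: ServiceDeployment, tol: Tolerance) -> dict:
    """Full assessment: measures present, findings to remediate, overall verdict."""
    measures = resilience_measures(dep)
    findings = tolerance_findings(dep, tol)
    redundancy_keys = ("multi_region", "multi_az_active", "hybrid_cloud", "multi_cloud")
    if not any(measures[k] for k in redundancy_keys):
        findings.append("no redundancy measure: single provider, region and zone")
    if not measures["portable"]:
        findings.append("not portable: cannot be brought on-premises or moved to another CSP")
    return {"service": dep.name, "measures": measures,
            "findings": findings, "compliant": not findings}


# Constructed sample inventory and policy (not real figures).
POLICY = Tolerance(max_tolerable_downtime_minutes=60, max_tolerable_data_loss_minutes=15)

SINGLE_ZONE = ServiceDeployment(
    name="payments-gateway",
    sites=[Site("cloud-a", "eu-west", "zone-a")],
    measured_rto_minutes=240, measured_rpo_minutes=120, portable=False,
)

RESILIENT = ServiceDeployment(
    name="core-ledger",
    sites=[Site("cloud-a", "eu-west", "zone-a"),
           Site("cloud-a", "eu-west", "zone-b"),
           Site("on-prem", "dc-1", "hall-1", active=False)],
    measured_rto_minutes=30, measured_rpo_minutes=5, portable=True,
)

if __name__ == "__main__":
    for dep in (SINGLE_ZONE, RESILIENT):
        result = assess(dep, POLICY)
        print(result["service"], "compliant" if result["compliant"] else "NOT compliant")
        for f in result["findings"]:
            print("  -", f)
```

The verdict is deliberately strict: a deployment with no redundancy measure at all, or one that cannot be migrated away from its CSP, is flagged even if its tested recovery figures happen to be within tolerance, because the ECB expectation quoted above is that abrupt CSP discontinuation must not breach the internal limits even when the failed CSP offers no assistance.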
An FSP’s business continuity plan can include strategies for exiting a third-party relationship. The supervisory authority may require FSPs to have a documented exit strategy for outsourcing material services, aligned with their outsourcing policies and business continuity plans. This strategy should consider the following, among others:
- Material risks that could impact the appropriate and continuous delivery of services
- Termination of outsourcing arrangements
- Deterioration in the quality of the provided service, including actual or potential business disruptions due to inadequate or failed provision of the service
- Failure of the service provider
FSPs should ensure they can exit outsourcing arrangements without causing undue disruption to their business activities, hindering their compliance with regulatory requirements, or compromising the continuity and quality of services provided to their customers. To achieve this, FSPs should develop and implement comprehensive documented exit plans. These plans should be sufficiently tested, where appropriate, by, for example, analyzing the potential costs, impacts, resources, and timing implications of transferring an outsourced service to an alternative service provider. Additionally, FSPs need to identify alternative solutions and create transition plans for transferring outsourced services to an alternative service provider, bringing them back in-house, or using other viable methods. It is essential for FSPs to take the necessary measures to ensure continuous provision of the material service during the transition phase. For example, in its draft guidelines, the ECB expects FSPs to create and regularly update a list of qualified alternative service providers for circumstances where an exit strategy involves moving cloud services to another CSP. This includes conducting regular market reviews to assess the pros and cons of various CSPs. Also, the ECB expects FSPs to perform technical analysis and estimate the time required for transitions when exit strategies involve bringing services in-house or migrating them to a different CSP (ECB 2024a).
Supervisory authorities may require FSPs to develop exit plans during the due diligence stage if an outsourcing arrangement is deemed material. At this stage, FSPs might need to identify potential alternative service providers and estimate the costs, resources, and timing involved in implementing the proposed exit plan under various scenarios as part of their initial risk assessment.
1. For more on business continuity and planning, see principle 3 of the “operational resilience principles”, BCBS (2021).