
How business continuity requirements impact outsourcing by financial institutions

Out-Law Analysis | 21 Aug 2020 | 2:32 pm | 3 min. read

Regulatory guidelines produced by the European Banking Authority (EBA) offer financial institutions a degree of flexibility over the nature of contractual commitments they need to secure from outsourcing providers concerning the resilience and continuity of services.

One of the themes running through the EBA guidelines on outsourcing arrangements is the need for institutions to take appropriate measures to ensure that the supply of their customer services is resilient and not unduly interrupted. In line with this theme, the guidelines impose a number of requirements on institutions in respect of business continuity, both in terms of their internal policies and processes and in terms of the contractual commitments they must obtain from their suppliers.

The contractual requirements include the need to implement and test business contingency plans, and also concern reporting by suppliers on business continuity measures and the testing of such plans.

Requirement to implement business contingency plans

Little guidance is given by the EBA as to what business contingency or continuity plans and arrangements institutions should include in outsourcing contracts to achieve compliance. Rather, the guidelines indicate at a high level what those plans should achieve – ensuring that an institution's material business activities can be performed on a continuous basis and that operational continuity is ensured.

Andreas Carney, Partner

The guidelines provide that business continuity plans should take into account the possibility that the quality of the provision of the outsourced function deteriorates to an unacceptable level or fails, the potential impact of the insolvency or other failures of service providers and, where relevant, political risks in the service provider’s jurisdiction.

While this high level approach and lack of detail may prove frustrating for some, the upside is that there is flexibility and discretion given to institutions as to how these goals are achieved in the context of their own, and their suppliers', operations.

It is incumbent upon each institution to assess what measures are necessary to ensure operational continuity and resilience. This in turn means that they will need to flow down relevant requirements to their suppliers in a consistent manner. These contractual requirements need to be assessed in the context of the fact that many, if not all, suppliers will already have business continuity plans and measures in place and will wish to continue to rely on those existing arrangements.

In those circumstances, the institution would need to assess the supplier's existing arrangements to ensure that they are aligned with the institution's own standards. At a minimum, and in our experience of dealing with suppliers, seeking agreement to a standardised set of minimum requirements is not controversial and is generally agreeable. Those would typically include measures that are reflective of market practice relevant to the particular services, such as clarity on trigger events, allocation of responsibilities if a plan is triggered, consideration of alternative supply solutions and communication protocols, and the protection and migration of data, which in combination would go some way to giving comfort that the guideline requirements are met.

Requirement to test business contingency plans

The need to have oversight of outsourced functions and to ensure contractual rights of oversight is central to the EBA's outsourcing guidelines. This need is carried through to business continuity planning, where the guidelines require reporting on business continuity measures and the testing of them.

The aim of these requirements is to ensure, on an ongoing basis, that the outsourcing arrangement meets appropriate performance and quality standards in line with an institution's policies, even in circumstances where the supplier finds their service performance to be in difficulty.

While the requirements may seem straightforward enough, institutions will need to give some thought to how they can be met in practice. Matters such as how plans can be sufficiently tested, and whether testing should be done jointly or whether a right of participation is needed, should all be considered in this context.

Business continuity and exit arrangements

The guidelines state that institutions need to consider business continuity in relation to their strategy to exit outsourcing arrangements. Paragraph 106 of the guidelines, for example, requires institutions to have a documented exit strategy in relation to critical or important functions, which takes account of the institution's business continuity plans.

While business continuity and disaster recovery are usually treated separately from exit management in outsourcing contracts, the guidelines appear to pull the two concepts together. Whether this in fact requires a departure from the more usual practice is unclear. It may well be that, in line with the theme of ensuring continuity of supply by institutions of their services to customers, the EBA believes the two things are somewhat interdependent.

Operational resilience

Robust business continuity measures are a core tenet of operational resilience, and the two go hand in hand. No doubt business continuity measures have been tested in some shape or form for many institutions with the onset of Covid-19. The lessons learned should inform how they go about achieving compliance with the EBA's outsourcing guidelines and should be implemented in their contracts with outsourcing suppliers.