Financial institutions need to plan ahead and ensure that when a critical or important outsourcing arrangement comes to an end, they can exit without disrupting their business operations and customer services.
Guidelines on outsourcing produced by the European Banking Authority (EBA) contain ground rules that financial institutions subject to the guidelines can follow to ensure that this objective is achieved.
The guidelines provide that institutions need to have a documented exit strategy when outsourcing critical or important functions that is in line with their internal outsourcing policy and business continuity plans.
The strategy needs to cater for termination of outsourcing arrangements in the ordinary course of business, but also for stressed scenarios such as the potential failure of the service provider, deterioration in the quality of services or the potential disruption caused by a failure of provision of the services. In adopting this approach, the EBA has merged exit management with concepts that would typically be more familiar when addressing business continuity and disaster recovery.
For an institution to be in a position to execute on its exit strategy and plans, it will need to ensure that the approach is properly reflected in its outsourcing contracts
The guidelines are not overly prescriptive as to how the exit strategy should look or what it should address. They do, however, outline some requirements – like the need to assign roles and responsibilities to manage the transition of an outsourced function back to the institution or to a new provider, to identify success criteria for proper transition, and to have indicators that monitor the outsourcing arrangement and trigger implementation of the exit plan and applicable actions.
This sets the scene for the guiding principle to designing and implementing an exit strategy, which is to ensure that institutions can exit outsourcing arrangements in a way that does not unduly disrupt their business activities, put their regulatory compliance at risk, or cause detriment to the continuity and quality of provision of services to the institutions' customers.
The guidelines require that institutions, as part of their overall exit strategy, develop, test and implement comprehensive exit plans. As with the overall exit strategy, much of the detail is left to the institutions.
The guidelines provide some pointers, but they are fairly rudimentary. They stipulate that exit plans should be comprehensive and documented, identify alternative solutions and cater for transition of services in-house or to a new provider when it is necessary.
The guidelines also require that exit plans are sufficiently tested, which may feel somewhat novel in the context of exit planning, as opposed to business continuity and disaster recovery where testing relevant plans would be the norm. The guidelines elaborate a little on the need to test exit plans by giving examples of test factors, such as carrying out an analysis of the potential costs, impacts, resources and timing implications of migrating to an alternative provider.
The majority of the provisions in the EBA guidelines concern exit strategy and planning at the institutional level, as opposed to the contractual level.
However, for an institution to be in a position to execute on its exit strategy and plans, it will need to ensure that the approach is properly reflected in its outsourcing contracts. There is a need, therefore, for a level of forensic analysis to properly flow down those elements of the strategy and plans that are dependent on supplier input and performance so that the strategy, plans and contracts are all aligned.
Financial institutions should be able to rely on exit management provisions that are common to many outsourcing arrangements, but some new provisions such as support for testing exit plans will likely need to be introduced. There may also be a need to bolster provisions in some cases, for example around the ease and speed of data migration. Any costs associated with transition services, exit and migration may also need to be looked at so they do not act as a 'blocker' when suppliers are called on to support an exit.
Ideally, all exit terms for a given outsourcing contract, including a tailored exit management plan, would be in agreed form when the outsourcing contract is signed. Achieving this, however, does not come without its challenges. The development and detail of exit management plans are matters often left to work out or finesse after the agreement has commenced. It is not uncommon for these plans to remain 'in development' for some time.
Given the new context of the guidelines, this is something that institutions will wish to avoid. If a fulsome exit management plan cannot be agreed prior to signing, institutions should seek to agree, at a minimum, binding terms that capture the guideline requirements in principle, with the detail to be firmed up within a short, defined window. As this approach carries a level of compliance risk, institutions should consider what contractual leverage they may need to ensure this is achieved.
As mentioned in the guidelines, "trust in the reliability of the financial system is crucial for its proper functioning and is a prerequisite if it is to contribute to the economy as a whole". Operational resilience lies at the heart of creating this trust. Institutions need to have the right mechanisms in place to ensure the continuity of their services, and managing an exit from key supplier arrangements is an important element of this.