28 July 2021

Response of the Eurosystem as operator of TARGET Services to the external review carried out by Deloitte on the incidents that affected TARGET Services in 2020

In 2020, TARGET Services encountered a number of major incidents affecting in particular TARGET2 and TARGET2-Securities (T2S). Owing to the frequency of the incidents as well as their relevance, the ECB decided in November 2020 to launch an external and independent review of TARGET Services in order to draw all possible lessons from these incidents and properly address them.

Deloitte GmbH ('Deloitte') was appointed on 21 December 2020 to conduct this review. The terms of reference foresaw the identification of the root causes of the incidents, the drawing of more general lessons as well as proposing recommendations in the following areas: (i) Change & release management, (ii) Business continuity management, (iii) Fail-over and recovery tests, (iv) Communication protocols, (v) Governance, and (vi) Data centre & IT operations.

Numerous interviews were carried out between January and April 2021 with employees, local and senior managers of the ECB and the four service-providing national central banks (Deutsche Bundesbank, Banco de España, Banque de France and Banca d'Italia) that operate TARGET Services. Deloitte's findings and recommendations are provided in a report, which is available on the ECB website. As a matter of transparency, the report is made available in its entirety, with the exception of a few sections which were blacked out in order to preserve the confidentiality of sensitive information related to the security of the systems.

While Deloitte did not identify any finding with a "very high" severity rating, a number of findings were rated with "high" severity in all of the 6 above-listed areas. On that basis Deloitte issued 18 detailed recommendations, which can be summarised in four high-level recommendations (see below).

The Eurosystem accepts the recommendations made by Deloitte in its report as well as its general conclusions and is committed to implementing the recommendations in full. For a number of the recommendations, concrete actions have already been agreed or even implemented. For others, discussions were held with market participants, which will be kept informed about the design and deployment of the remedying actions.

High-level recommendations in accordance with Deloitte's report and Eurosystem's responses

_________________________________________________________________________________

Recommendation 1

Implement risk assessments within relevant processes, especially in change management, and deciding on the criticality of processes and IT elements, in particular business impact analysis.

Eurosystem's response

In 2020 the Eurosystem decided to establish a comprehensive risk management framework, which has already been partially implemented, and which will be fully operational by the end of 2021. This framework will be applied to all relevant processes, including the change management area.

_________________________________________________________________________________

Recommendation 2

Improve relevant processes, inter alia communication with external stakeholders and continuous improvement/incorporation of lessons learned.

Eurosystem's response

The Eurosystem has already engaged in a constructive dialogue with market participants with a view to drawing lessons from the 2020 incidents and strengthening its communication protocols. Based on this recommendation from Deloitte, this work will be further pursued, and concrete proposals will be presented to the relevant groups for implementation towards the beginning of 2022.

_________________________________________________________________________________

Recommendation 3

Improve documentation by inter alia introducing umbrella documents for complex processes, implementing a Configuration Management Database (CMDB) spanning all TARGET systems' IT elements and requiring more stringent documentation of roles and responsibilities.

Eurosystem's response

The Eurosystem will undertake to bring the necessary clarity and coherence to the operational and technical documentation of TARGET Services. This work is also necessary in view of the go-live of the future T2-T2S consolidated platform, which will further increase the interdependencies among the different TARGET Services.

_________________________________________________________________________________

Recommendation 4

Enhance organisational and governance structures, including implementing a common second line of defence (LoD), responsible for implementing and running a comprehensive risk management and overarching internal control system, spanning all platforms and services with adequate staffing.

Eurosystem's response

The Eurosystem acknowledges the strong relevance of a common second line of defence for a proper management of risks in financial market infrastructures. Following an earlier recommendation made by the TARGET2 oversight function, the Eurosystem already launched the work on the establishment of a more comprehensive second line for all the TARGET Services in the course of 2020. It is expected to be fully operational by the end of 2021.

_________________________________________________________________________________

Disclaimer

ECB - European Central Bank published this content on 28 July 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 28 July 2021 14:13:09 UTC.