The Treasury Committee of the House of Commons published its report last week into IT failures in the UK’s financial services sector.
The inquiry was set up in the light of concerns about the ability of financial services institutions to avoid service disruptions and, in the event of any disruption, to get services back up and running as quickly as possible. Customers are increasingly encouraged to use digital services and, when IT failures occur, may find themselves being left without access to vital financial services and unable to make payments or withdraw cash. Small businesses have been left without the basic banking services necessary to run their businesses.
Key findings in the Committee’s report were:
- While completely uninterrupted access to banking services is not achievable, prolonged IT failures should not be tolerated. The regulators must give as much prominence to regulating operational risk and resilience as they currently afford to regulating prudential and conduct risks. The regulators must not allow firms to set excessively high tolerance levels for disruption and must make clear to financial services firms the limit of their tolerance for IT failures.
- It is essential that firms, and individuals within firms, are held to account for their failures. In response to IT failures to date, there have been no successful enforcement cases under the Senior Managers Regime (the regulatory provisions intended to clarify the accountability of senior managers performing key roles in financial services firms). The Committee expressed concern that this indicated an ineffective enforcement regime. The Senior Managers Regime should be expanded to firms providing financial market infrastructure (FMI), for example payment systems, supervised by the Bank of England, to ensure that senior individuals in FMI firms are also accountable.
- In their supervision of operational resilience, the regulators need to do more to increase their resources dedicated to operational resilience and draw on expert and practitioner experience. If necessary, they should increase industry levies to fund the experts they need.
- The provision of financial market infrastructure and technology is reliant on third-party providers. If one of the large third-party providers were to fail, it could potentially affect not just consumer access but the stability of the financial system itself. Where the regulators identify that third-party providers are becoming a potential source of concentration risk, they should highlight this risk and consider whether action is required to mitigate it.
- The cloud service provider market stood out as a source of concentration risk during the inquiry. This market is already highly concentrated and the consequences of a major operational incident at a large cloud service provider could be significant, not just in the financial services sector. The Committee considered that the case for the regulation of these providers to ensure high standards of operational resilience is considerable and the UK government should urgently consider how best to do this.
- The Committee expects industry, industry bodies and the regulators to take steps to mitigate concentration risk, including establishing channels of communication with common suppliers to use during an incident, utilising the EBA process of leveraging pooled audit arrangements for cloud service providers and potentially building applications able to substitute a critical supplier with another.
- The Committee stressed the importance of clear, timely and accurate communications during operational incidents so that customers are made aware of incidents and receive advice on remediation timelines and alternative access. It should not be left to a firm’s discretion as to whether to communicate to customers or not. Where communications are ineffective, or in major incidents where there is the need for a central source of trusted information, the regulators should step in.
- The regulators should clarify standards, guidance and definitions for the industry on what incidents firms should both record and report and also consider the need to expand current reporting requirements to cover broader services provided by firms.
- Firms must act swiftly and fairly in responding to complaints and awarding compensation where customers have experienced harm or financial loss as a result of an IT incident. The Financial Conduct Authority must ensure that firms are resolving complaints and awarding any compensation quickly and take action where this is not the case.
The regulators must use the enforcement tools at their disposal to hold individuals and firms to account for their role in IT failures and poor operational resilience. The regulatory mechanisms to ensure accountability for failures must have teeth and, equally importantly, be seen to have teeth.