UK Treasury Committee report warns that the current level and frequency of disruption and consumer harm is unacceptable.

By Carl Simon FernandesNicola Higgs, Fiona M. MacleanChristian F. McDermottRob Moulton, Andrew C. Moyle, Stuart Davis, and Charlotte Collins

On 28 October 2019, the Treasury Committee published a report on IT failures in the financial services sector. The report sets out the findings from the Treasury Committee’s inquiry, which was launched following a number of high-profile and significant IT incidents. (See Senior MP Calls for Regulatory Crackdown on Banks’ IT Systems: 3 Things You Can do to Prepare.) Rather than looking into specific failures, the inquiry looked more holistically at why such incidents are becoming more frequent, how firms should be guarding against and responding to these incidents, and the role of the regulators in preventing and mitigating the impact of these incidents through their rules.

The report looks at various different aspects of the issues surrounding IT failures, including the nature of IT incidents and their common causes, the role of the regulators, and emerging risks to operational resilience.

While the report acknowledges that some level of IT failure is inevitable, it concludes that the current level and frequency of disruption caused by IT failures is unacceptable. The report places a strong emphasis on the fact that customers now rely more heavily on digital channels, making it all the more important that these channels are safe and reliable. While it is well known that IT failures are a particular problem in the retail banking and payments sectors, operational resilience is a key consideration across the financial services sector, and all firms should take note of the findings.

Although many of the recommendations are addressed to the regulators, and not to firms directly, the report provides a clear sense of the likely direction of travel the regulators will take in their future policymaking.

Key Findings and Recommendations

Outsourcing. Firms need to improve risk management of third-party relationships, given that many incidents are caused by outsourced service providers. Firms’ outsourcing arrangements are coming into ever-sharper focus (see Trends in Outsourcing Regulation and Supervision in Financial Services). If firms’ outsourcing arrangements and controls do not improve, the regulators should amend their rules and guidance on outsourcing.

Impact of IT incidents. Heavier reliance on digital services means that the impact of IT failures is even more acute. The number of IT failures is increasing, with the impact ranging from inconvenience or harm to customers, to threats to a firm’s viability. The lack of consistent and accurate recording of data on such incidents is concerning. The regulators should conduct an exercise to assess the accuracy and consistency of incident reporting. They should also consider the need to expand current reporting requirements. The regulators should also provide clear guidance to firms around the level of impact tolerances.

Issues with legacy systems. Firms are not doing enough to mitigate the operational risks that they face from their own legacy technology, which can often lead to IT incidents. When firms do embrace new technology, poor change management is one of the primary causes of IT failures. It is therefore crucial that firms have strong and well-rehearsed change management procedures. Firms must not use the cost or difficulty of upgrades as an excuse not to make upgrades to legacy systems. If firms are not forthcoming in making improvements, the regulators must intervene to ensure that firms are not exposing customers to risks due to legacy IT systems. They should use tools such as Section 166 skilled person reviews to examine whether firms have systems that are fit for purpose. The regulators should ensure that lessons learnt from past change projects are disseminated to the industry, and must also review their approach to supervising firms’ large-scale change programmes to ensure that proactive intervention is possible.

Customer communications. When incidents do occur, poor customer communications can exacerbate the situation. Firms must use clear, timely, and accurate communications to ensure that customers are aware of an incident and that they receive advice on remediation timelines and alternative access. The report notes that, when customers complain, the time taken for some customers to hear an answer is unacceptable. Firms must resolve complaints and award any compensation quickly. The regulators should require clearer and more prominent public reporting on operational resilience, to enable customers to make informed decisions as to which providers they use. Further, if firms’ communications are ineffective, or if there is a need for a central source of trusted information, the regulators should step in to keep customers informed.

Senior management. Holding senior management to account when IT failures occur is essential, to prevent mistakes being repeated and to focus the attention of senior managers on operational resilience. However, it is concerning that, to date, no senior manager has been held to account under the SMCR for IT-related failures. Also, remuneration structures within firms need to reflect the importance of operational resilience. If future incidents occur without sanction, Parliament should consider whether the regulators’ enforcement powers are fit for purpose. The Senior Managers Regime should also be expanded to include Financial Market Infrastructure firms, such as payment systems, so that individuals at these firms may be held to account. The regulators should also ensure that firms are focused on recruiting candidates with the right skills and experience, particularly for boards and senior management. The industry should work with universities and education providers to help ensure there is a sufficient pool of individuals with the right skillset.

Regulatory supervision. Supervision of firms’ operational resilience may need to follow a different model to that for prudential and conduct risks, but should be afforded similar prominence. The regulators must intervene to improve the operational resilience of the financial services sector, and must maintain a very low tolerance for service disruption by providing guidance on what level of impact should be tolerated. If the additional work proves challenging, the regulators should increase the financial sector levies to ensure that they can hire staff with the expertise and experience required. Parliament expects the regulators to increase their capability, particularly at more senior levels, and does not want to hear after the event that supervisory resources were inadequate.

Regulatory coordination. Change is one of the biggest causes of operational incidents, but the regulators are one of the biggest causes of change. The regulators should not inadvertently increase the risk of incidents by placing excessive or poorly coordinated requirements on firms. This links into comments made in relation to the Financial Services Future Regulatory Framework Review about the need for better “air traffic control” around regulatory change. (See HM Treasury Kicks Off Financial Services Future Regulatory Framework Review.) The regulators should publish further guidance on how their different operational resilience requirements interact, and provide guidance as policy develops.

Concentration risk. One of the key emerging risks to operational resilience is concentration risk, particularly amongst cloud service providers. There is a considerable case for the regulation of cloud service providers as critical infrastructure, to ensure high standards of operational resilience. The regulators should highlight potential concentration risks and consider whether mitigating action is required. The regulators should also consider producing a sector map to show concentration risk and interconnectedness. If common providers are systemic, the Financial Policy Committee should consider recommending regulation to HM Treasury.

Next Steps

The regulators will be expected to respond to the report, outlining their planned action to address the Treasury Committee’s recommendations. In particular, the Treasury Committee has urged the regulators to set out in their response a concrete timetable for the publication of policy documents, following their joint Discussion Paper on building the UK financial sector’s operational resilience. The regulators have previously indicated that they plan to consult on policy proposals in 2019, but have not committed to any precise timing.

Meanwhile, firms should take note of the report’s key findings, and ensure they are devoting sufficient attention to operational resilience, pending any concrete policy changes. Unregulated entities, such as cloud service providers, should follow these proposals closely, as they could have a significant impact on the way such entities operate in future.