The Treasury Committee Report on IT failures in the Financial Services Sector: A debrief
On 28th October 2019, the House of Commons Treasury Committee published its report into IT failures in the Financial Services Sector (Report). The Report comes after a number of high-profile IT incidents (including those involving TSB and Visa) left thousands of customers without access to their accounts and banking services. The Treasury Committee has concluded that the current level and frequency of disruption to consumers is unacceptable.
As customers are increasingly being expected to use digital banking channels, the inquiry was called to investigate why IT failures are happening and how incidents can be prevented or their effects mitigated. In their written evidence, the Financial Conduct Authority, Prudential Regulation Authority and the Bank of England noted that “customer and market participant expectations about the availability of financial services have changed dramatically, with 24-hour access to services often expected.”
The key concerns raised, and recommendations made, by the Treasury Committee in the Report are set out below.
Adequate oversight of third party suppliers
The FCA reported that third party failure is the second most common cause of incidents in the financial services sector (after change management), and the Report recommends that firms improve their oversight and management of third party suppliers.
Firms should not outsource a service or a function to a third party supplier without retaining the ability to adequately monitor the supplier’s performance and recognise when quality of performance has deteriorated. These are not new concepts in the financial services industry, as SYSC 8 and more recently the EBA Guidelines on outsourcing arrangements require firms to have appropriate levels of oversight and understanding of the outsourced services and the ability to audit the supplier’s performance of its obligations. Despite this, the finding of the Treasury Committee’s Report seems to suggest that firms are either not including the relevant powers in their supplier contracts (or are simply not making use of them) or that there is a general lack of understanding of operational resilience and cyber risk within firms.
Evidence given by the FCA stated that just “66 per cent of large firms, and 59 per cent of smaller firms, tell us that they understand the response and recovery plans of their third parties”. There is clearly a way to go before operational resilience and security are top of the agenda at some firms.
The use of, and reliance on, legacy systems is identified as another key cause of IT failures, with many firms facing the challenge of ageing legacy infrastructure that is hard to maintain, and expensive and risky to replace.
The Report recognises that legacy systems can in some cases be robust, and that their continued use may be appropriate in those cases. However, the Report emphasises the need for firms to ensure that they have, and continue to have, the necessary expertise to maintain these systems.
The Report states that Regulators must intervene where necessary to ensure that firms are not exposing customers to risks due to the use of legacy systems and recommends that regulators make use of the full range of tools at their disposal to achieve this, including commissioning skilled person reviews.
Senior Managers Regime, Impact Tolerances and Regulator staff
The Report identifies individual accountability as another way of ensuring that firms focus on their operational resilience, and recognises the increased focus on accountability and responsibility that has been brought about by the Senior Managers Regime. However, the Treasury Committee is concerned that, so far, no senior managers have been held to account under the regime for IT failures, and suggests that, if this continues, Parliament should consider whether the regulators’ powers are fit for purpose. The Report also recommends that the Senior Managers Regime be expanded to include financial infrastructure firms (such as payment systems like Visa and any financial market infrastructure overseen by the Bank of England) so that individuals at these firms can also be held to account.
The impact of IT failures is becoming more and more serious as customers become increasingly reliant on digital channels for accessing their banking services. The Treasury Committee highlighted that there seems to be an inconsistent approach taken to recording data on such incidents and firms should not be responsible for setting their own impact tolerances. The Report states that firms should “test their ability to stay within these tolerances through severe but plausible scenarios”, and that the regulators should provide guidance on what level of impact on services should be tolerated.
The Report also suggests that regulators are struggling to recruit and retain adequately experienced personnel, and that the regulators should therefore increase financial sector levies charged to the firms they oversee, so the regulators can hire staff who have the relevant capabilities in order to effectively oversee the firms.
Interestingly, the Report suggests that financial service firms should pay appropriate salaries to staff who oversee operational resilience. It states that “if the Regulators observe that firms are not adequately taking operational performance into account when determining remuneration for senior staff within financial services firms, they must intervene”.
The Regulators are yet to issue a response to the Report.
Concentration risk among cloud service providers
The Report identifies the cloud service provider market as a major source of concentration risk, with the market already highly concentrated, and concludes that there is probably nothing the Government or regulators can do in the short to medium term to reduce this concentration.
According to the Governor of the Bank of England “a quarter of major banks’ activities and almost a third of all UK payments activities are already hosted in the Cloud, and there are considerable opportunities for even more intensive usage”.
Whilst the report recognises the benefits of cloud services, it also recognises the risk that some third party providers may represent a single point of failure risk where an operational incident could have a widespread impact on the industry.
The Treasury Committee recommends that the regulators should consider mapping the sector to better identify and understand concentration risk and, where common providers are systemic, consider recommending regulation of these suppliers as providers of critical infrastructure. The potential impact of a major operational incident at, for example, Microsoft or Amazon could be significant for firms.
Treatment of customer complaints
Firms need to become better at communicating IT incidents to customers, responding to customer complaints in a clear and timely fashion, and providing customers with alternative banking channels. The time taken to respond to complaints and to award compensation is too long, and firms should adopt a slicker approach to this. The Report acknowledges that all firms are likely to experience some form of service interruption at some point that may trigger complaints, and that firms should anticipate this: they should have procedures in place to prevent the impact of incidents being exacerbated by poor communication with customers.
While we await a response from the regulators, or a communication from the Government on its intention to introduce legislation or to regulate cloud service providers, firms can review their contractual relationships with third party suppliers to ensure that their contracts permit an appropriate level of oversight over the services, that appropriate service levels and business continuity and disaster recovery plans are in place, and that these plans are regularly tested.
If the contract gives the firm the right to audit the third party supplier then the firm should make use of this right. If there is no such right then the firm should consider whether the contract ought to be varied to allow the firm an appropriate level of oversight. In any event, the contract may require amendment to bring it into line with the requirements of the EBA Guidelines on outsourcing arrangements.
It is also vital for firms to ensure that they have the right, experienced personnel in place to oversee supplier performance, who have a clear understanding of the services and of the supplier’s business continuity and disaster recovery plans as well as those of their own organisation.