MPs call for regulatory action on FS IT failures
Written by Peter Walker
The Treasury Committee has published a unanimously-agreed report warning that regulators must act to reduce the “unacceptable number” of IT failures in financial services sector.
With bank branches and cash machines disappearing, customers are increasingly expected to rely on online banking services. These services, however, have been significantly disrupted due to IT failures, harming customers left without access to their financial services, stated the group of MPs.
The report made a series of recommendations to overcome this and improve operational resilience, including ensuring accountability of individuals and firms, increasing financial sector levies to ensure that the Financial Conduct Authority, Prudential Regulation Authority and Bank of England are sufficiently staffed, and ensuring that firms resolve complaints and award compensation quickly.
Among the recommendations, the committee urged regulators to maintain a very low tolerance for service disruption by providing guidance on what level of impact should be tolerated.
“The regulators must use the tools at their disposal to hold individuals and firms to account for their role in IT failures and poor operational resilience,” a statement explained, noting that the Senior Managers Regime should be expanded to include financial market infrastructure firms, such as payment systems.
“To ensure accountability for failures, regulators must have teeth and be seen to have teeth,” the report read. “However, we have yet to see a successful enforcement case under the Senior Managers Regime against an individual following an IT failure, which may be evidence of an ineffective enforcement regime.”
It added that regulators must provide the committee with the outcome of their investigation into the TSB IT failure as soon as possible.
The report argued that firms are not doing enough to mitigate the operational risks that they face from their own legacy technology, which can often lead to IT incidents. “Regulators must ensure that firms cannot use the cost or difficulty of upgrades as excuses to not make vital upgrades to legacy systems.”
It also focused on third party provider risk, noting that many financial services firms use the same technology vendors – particularly in terms of cloud services.
“Where common providers are systemic, the Financial Policy Committee should consider recommending regulation to HM Treasury,” the report warned, adding that the cloud service provider market stands out as such a source of systemic risk.
“The consequences of a major operational incident at a large cloud service provider, such as Microsoft, Google or Amazon, could be significant – there is, therefore, a considerable case for the regulation of these cloud service providers to ensure high standards of operational resilience.”
The report also called for firms to adopt a ‘when not if’ approach, ensuring that they have robust procedures in place in the event of an incident.
“When incidents do occur, poor customer communications can exacerbate the situation,” the committee commented. “When customers complain, the time taken for some customers to hear an answer is shocking and unacceptable.”
The committee’s lead member for this inquiry, MP Steve Baker, said: “For too long, financial institutions issue hollow words after their systems have failed, which is of no help to customers left cashless and cut-off.
“And for too long, we have waited for a comprehensive account of what happened during the TSB IT failure – our inquiry into service disruption at TSB remains open, and I’ve no doubt that the committee will want to examine Slaughter and May’s report and the progress of the regulators’ investigation.”
UK Finance chief executive Stephen Jones responded that when incidents do occur, firms work around the clock to minimise disruption and get services back up and running as quickly as possible.
“The industry conducts sector-wide exercises with regulators to ensure it is prepared to respond effectively to any major disruptions or events as part of its continued commitment to maintaining the resilience of the financial system.
“UK Finance continues to engage with government over how coordination between regulatory authorities could be improved, seeking to avoid overlapped or rushed mandatory change programmes that impact firms’ ability to protect their customers,” he added.