After a number of significant IT failures, such as that experienced by TSB in 2018, this inquiry provided an opportunity to look ‘under the bonnet’ of the financial services sector to ask why IT failures were happening, and how the industry and the Regulators could have prevented such incidents.
Bank branches are disappearing from our high streets and local communities, and cash machines are being withdrawn. Customers are increasingly being expected to use digital services, and yet these services are being significantly disrupted due to IT failures. Consumers suffer harm when these IT failures occur. They have been left without access to their vital financial services and have been left unable to make payments or withdraw cash. Small businesses have been left without the basic banking services necessary to run their businesses.
While completely uninterrupted access to banking services is not achievable, prolonged IT failures should not be tolerated. We believe the current level and frequency of disruption and consumer harm is unacceptable. Nevertheless, we realise and accept that some IT failure is inevitable. The Regulators must make plain to financial services firms what their tolerance levels for failure are. It is crucial that the Regulators do not allow firms to set their own tolerance levels for disruption too high.
It is essential that firms, and individuals within firms, are held to account for their failures, and we welcome the focus on accountability that has been brought to bear by the Senior Managers Regime. However, so far, there have been no successful enforcement cases under the Senior Managers Regime following IT failures, and we are concerned that this is evidence of an ineffective enforcement regime. The Regulators must consider if there are any barriers to its effective operation.
The Senior Managers Regime does not apply to Financial Market Infrastructure (FMI), for example payment systems. Disruption at FMI firms can affect customers as significantly as disruption within their own providers. The Government should therefore expand the Senior Managers Regime to include FMI firms supervised by the Bank of England, to ensure senior individuals in FMI firms are also accountable.
In their supervision of operational resilience, the Regulators need to draw on expert and practitioner experience. In recent years the Regulators have increased their resources dedicated to operational resilience, but they must do more. If necessary, they should increase industry levies to fund the experts they need.
Many services, such as Financial Market Infrastructure and technology, are provided by third parties. If one of the large third-party providers were to fail, it could potentially affect not just consumer access, but the stability of the financial system itself.
The provision of cloud services to financial services sector firms is highly concentrated. The services provided are often critical. The case for their regulation is therefore overwhelming and the Committee urges the Government to consider how best to regulate cloud service providers.
Published: 28 October 2019