IT failures in the Financial Services Sector

1 IT incidents

The shift to digital services

6. There has been an increasing demand for digital services in the financial services sector. Research by UK Finance found that 71 per cent of UK adults used online banking in 2017, and that this trend has been increasing.3 At the same time, the number of high-street bank branches has been falling, with a 17 per cent reduction in the number of branches between 2012 and 2018.4 The Bank of England, Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) (hereafter, “the Regulators”), explained that “customer and market participant expectations about the availability of financial services have changed dramatically, with 24-hour access to services often expected.”5 So when customers’ access to financial services is disrupted, and in particular to banking and payments services, it causes significant concern.

7. This change in customer demand is matched with an ever-increasing use of technology by financial services firms to deliver their products and services. The Regulators explained that “to meet these [customer] demands, firms have turned to technology to improve their offered services, and we have recently seen the rise of different business models, for example digitally-native banks based on smartphone apps”.6

8. Increasing use of technology can reduce costs for financial services sector firms and improve their resilience. PwC explained that:

Broader technological innovation also has the potential to improve the overall resilience of financial services. [ … ] The greater diversity in accessing services provided by technology, means consumers have more options should one channel be impaired. FinTech solutions also have the potential to significantly improve operational efficiency.7

9. However, new technology and innovation can also create risks. PwC explained that:

The financial services sector is on the whole, becoming more complex [ … ] and large financial services firms are providing, in some cases, thousands of services to clients with a very significant amount of operational infrastructure required to support. [ … ] Increased use of technology creates more points of failure than was previously the case under less diverse delivery models.8

10. There has been a shift in the way that customers access their financial services, with an increasing number of customers using digital services. As customers come to rely more heavily on digital channels, and given that many high-street branches are closing, the resilience and availability of digital channels is being brought into sharper focus. Given these exacting expectations, it is likely that even brief service disruptions may cause significant concern among consumers.

11. Financial services sector firms are increasingly utilising technology to improve their services. This can have efficiency and resilience benefits yet can also increase the complexity and risk in firms’ IT architectures. While customers may benefit from new features or digital services, they also suffer when IT failures occur.

The increasing focus on operational resilience

12. The Regulators explained that “A resilient financial system is one that can absorb shocks rather than contribute to them”, and defined operational resilience as “the ability to prevent, adapt and respond to, and recover and learn from, technology, cyber-related and any other operational incidents”.9 Improved operational resilience is a way firms can reduce the number and impact of IT or operational incidents.

13. In the past, the industry and Regulators have focused on financial and conduct risks over operational risks. Whilst there has been a focus on business continuity (for example flood or power issues) as an operational risk in the recent past, the number and severity of IT-related incidents has resulted in a refocusing of efforts in this area. Operational resilience is now considered a priority issue, both from a regulatory perspective and within the financial services sector. Barclays described the issue of disruptions for customers as one of its “greatest priorities”,10 and Visa claimed that “There has never been a more important time for the financial services sector to enhance its current approach to operational resilience”.11 In oral evidence to us in January 2019, Andrew Bailey, Chief Executive of the FCA, explained that:

As we have hopefully mitigated some of the key risks of the financial crisis, the relative standing of operational risk, both growing as a risk in its own right, and as we have mitigated other things, has come up.12

14. The Regulators are moving towards closer supervision of operational risks and resilience. In July 2018 the Regulators jointly published a Discussion Paper, ‘Building the UK financial sector’s operational resilience’,13 which was a milestone. The Discussion Paper set out the premise that “it would be neither possible nor an efficient use of resources to attempt to make every component of an organisation completely resilient to operational disruption”.14 The Regulators’ Discussion Paper “suggests that firms and FMIs [Financial Market Infrastructure] should map their important business services to underlying systems and processes that support their delivery, and identify their tolerance for disruption under the assumption that disruption will occur (impact tolerance)”.15

Impact tolerance will be discussed further in Chapter 2.

15. The focus on operational resilience will probably continue. PwC claims that:

There is more to be done to achieve the desired level of operational resilience [ … ] a range of developments impacting the financial services sector, such as increased complexity, interconnectedness, third party dependencies and initiatives such as open banking mean we believe operational resilience will remain a significant challenge over the medium term.16

16. We welcome the increasing focus on operational resilience among both industry and the Regulators. Further regulatory intervention is needed to improve the operational resilience of the financial services sector, as was required over the past decade for its financial resilience. The Regulators must give as much prominence to regulating operational risk and resilience as they currently afford to regulating prudential and conduct risks.

The prevalence of IT incidents

The number of IT incidents

17. IT failures, or incidents (used interchangeably), within the financial services sector appear to be becoming more common. Over the past 18 months there have been major incidents at TSB and Visa, along with a litany of incidents at other firms. This increasing trend is recognised by the FCA, which stated in 2018 that “outages in the financial services sector are becoming more frequent and publicised” and that “the number of incidents reported to the FCA has increased by 187 per cent in the past year”.17 Furthermore, the Regulators reported that 65 per cent of the incidents notified to them in 2018 were from the retail banking sector, including payment services firms, over five times the next highest sector, wholesale financial markets.18

18. A number of firms qualified the figures for the increase in the number of IT incidents in evidence to us. Many incidents experienced by firms are relatively minor, and often do not impact customers. Anne Boden, CEO of Starling Bank, explained that “There are big incidents that hit the press and everybody talks about [ … ] but all banks have small things.”19 We also heard that some firms have experienced a reduction in the number of IT incidents. For example, Barclays explained that “operational incidents across Barclays due to technology issues are becoming less frequent year-on-year, with a 15 per cent reduction (2016 to 2017) and a further 13 per cent reduction (2017 to 2018)”.20 Similarly, RBS said that the number of the most critical incidents, as defined by customer impact, had reduced from 318 in 2014, to 19 in 2018.21

The impact of IT incidents

19. IT incidents in financial services sector firms can have a significant impact on customers, and recent high-profile IT failures have demonstrated how significant and widespread this impact can be. TSB explained that customers “are increasingly using digital services to meet their everyday banking needs. This means that when banks have technical problems more of their customers are likely to be impacted and be aware of the issue than ever before”.22 PwC noted that “in the majority of cases customer inconvenience and distress is the main impact, but extreme or wide ranging impacts from major outages also result in financial detriment to consumers”.23

20. Alison Barker, Director of Specialist Supervision at the FCA, gave examples of the impact on customers:

The types of harms that we have seen include the Tesco Bank incident that affected Tesco customers, and we have issued a final notice on that. People were recompensed in the end, but they lost money over that weekend, which is a very stressful situation for consumers to face. Likewise, with TSB people could not access accounts and pay bills. [ … ] I would not class them as inconvenience; people really did suffer.24

During oral evidence sessions for our Service Disruption at TSB inquiry, cases of customer impact raised by Members included the following:

21. An important consideration for firms during an IT incident is the effect on vulnerable customers. In written evidence, the Regulators explained that:

The FCA expects firms to consider the needs of vulnerable customers by providing assistance on a proactive basis, and considering whether it is possible to prioritise recovery in a way that restores services on which vulnerable customers may depend, such as access to cash, pre-paid cards or benefits payments.29

22. There may also be second order impacts of IT incidents. Customers may be exposed to further threats. For example, PwC explained that “Operational incidents may also be a trigger for a cyber-attack / cyber fraud where consumers’ data and money are clearly vulnerable.”30 There may also be contagion to other providers’ customers. PwC highlighted that “an operational incident in one financial institution may mean another that is reliant on it for critical services (e.g. access to payment systems) can no longer serve its own customers”.31

23. The impact of IT incidents may go beyond consumer harm, to undermine the viability of a firm, or financial stability. Lyndon Nelson, Deputy Chief Executive Officer and Executive Director for Regulatory Operations and Supervisory Risk Specialists, PRA, outlined the potential levels of impact of an IT incident:

At the lowest end, it is essentially the ability of management to run their bank or their insurance company if the IT system is gone. If the IT system continues to cause a problem, then we may be getting into the safety and soundness of firms [ … ] Then, fundamentally, it could also then cause either a financial stability or systemic issue if it then has knock-on consequences.32

This is not theoretical. There have been cases where the viability of firms has been questioned. Speaking about the IT failure at TSB, Sam Woods, Deputy Governor Prudential Regulation and Chief Executive Officer of the PRA, told us that compared to the FCA’s objectives (for example individual consumer protection), “[T]here is a higher bar for it to get to a safety and soundness issue for us in the PRA. [The TSB incident] certainly met that bar”.33

24. Operational incidents in the financial services sector are increasing in frequency. While we recognise that many incidents have limited customer impact, recent high-profile cases have shown the harm to customers that can be caused. The impact of IT incidents can range from inconvenience to customers through to customer harm, and on to matters of a firm’s viability or financial stability. Financial services providers must treat their ability to manage and prevent incidents with a level of seriousness appropriate to the significant impact when incidents occur.

Incident Reporting

25. The Regulators collect data on incidents reported by financial services sector firms. Barclays highlighted one form of reporting, explaining that “Under the Second Payment Services Directive (‘PSD2’), we report all incidents above a certain threshold, which impact any Payment Account [ … ] to the FCA”.34 Yet wider reporting of incidents is partly determined by what firms themselves record as incidents. The Center for Evidence Based Management35 explained that “the systems and processes for recording incidents varies widely” and where systems and processes are poor, “incidents may not be consistently recorded and information about the causes of those incidents is unclear or wrong”.36

26. The Regulators acknowledged there are issues with reporting. Alison Barker, FCA, explained that: “We still think that we have overall under-reporting. When you think about it across the financial sector, if 65 per cent of it is retail banks, we have under-reporting in other sectors.”37

27. The Center for Evidence Based Management highlighted the improvements needed to incident reporting. They explained that “Developing a better evidence-based understanding of this area requires more analysis but also better data and more consistent collection of data on failures.”38

28. Currently some incident data is published, for example incidents affecting current accounts.39 Lyndon Nelson, PRA, explained that “There is standardised reporting on technology, which we got through the industry, so they do currently publish some of that. I am sure it could go further.”40 Furthermore, David Bailey, Executive Director for Financial Market Infrastructure at the Bank of England, added that “in our annual report every year, we publish the operational availability of the systems that we supervise”.41 However, he cautioned that “It can be helpful if consumers can compare availability and functionality, but if you have cyber incidents, you do not want to publicly reveal vulnerabilities in the system”.42

29. Some have argued for greater transparency of service availability and incident data. The ITRS Group43 suggested that:

Organisations should be made to publish the availability and performance targets they expect of each application, and then publish what they are actually achieving. This would automatically highlight where they are falling short of their targets. (Availability is often specified, but performance less so).44

30. The lack of consistent and accurate recording of data on operational incidents is concerning. The Regulators should conduct an exercise to assess the accuracy and consistency of incident reporting. If necessary, the Regulators should clarify standards, guidance and definitions for industry on what incidents firms should both record and report. They should also consider the need to expand current reporting requirements, to cover broader services provided by firms. Higher quality incident reporting will serve to improve the ability of both the Regulators and industry to identify the biggest risks to the operational resilience of the sector.

31. It is very difficult for customers to determine which financial services providers are operationally resilient, and to make clear comparisons across the industry. The Regulators should require clearer and more prominent public reporting to empower customers to make informed decisions regarding which provider they use, and to increase firms’ focus on operational resilience. Where firms already publish incident information, this should be given greater prominence in information made available to prospective and existing customers, such as that given to wait times and complaints, which are visibly displayed in bank branches for all to see.

3 UK Finance, The Way We Bank Now 2018, May 2018

4 Bank branch and ATM statistics, CBP08570, House of Commons Library, May 2019

5 Financial Conduct Authority, Bank of England and Prudential Regulation Authority (OPR0012)

6 Financial Conduct Authority, Bank of England and Prudential Regulation Authority (OPR0012)

7 PwC (OPR0008)

8 PwC (OPR0008)

9 Financial Conduct Authority, Bank of England and Prudential Regulation Authority (OPR0012)

10 Barclays (OPR0009)

11 Visa (OPR0007)

12 Treasury Committee: Oral evidence: The work of the Financial Conduct Authority, HC 475, 15 January 2019 [Q416]

13 Discussion Paper: Building the UK financial sector’s operational resilience, Bank of England, PRA and FCA, July 2018

14 Discussion Paper: Building the UK financial sector’s operational resilience, Bank of England, PRA and FCA, July 2018

15 Financial Conduct Authority, Bank of England and Prudential Regulation Authority (OPR0012)

16 PwC (OPR0008)

18 Financial Conduct Authority, Bank of England and Prudential Regulation Authority (OPR0012)

20 Barclays (OPR0009)

21 RBS (OPR0004)

22 TSB Bank (OPR0010)

23 PwC (OPR0008)

25 Treasury Committee: Oral evidence: Service Disruption at TSB, HC 1009, 2 May 2018 [Q3]

26 Treasury Committee: Oral evidence: Service Disruption at TSB, HC 1009, 2 May 2018 [Q127]

27 Treasury Committee: Oral evidence: Service Disruption at TSB, HC 1009, 2 May 2018 [Q5]

28 Treasury Committee: Oral evidence: Service Disruption at TSB, HC 1009, 2 May 2018 [Q134]

29 Financial Conduct Authority, Bank of England and Prudential Regulation Authority (OPR0012)

30 PwC (OPR0008)

31 PwC (OPR0008)

33 Treasury Committee: Oral evidence: The work of the Prudential Regulation Authority, HC 704, 23 January 2019 [Q168]

34 Barclays (OPR0009)

35 A non-profit organisation that promotes evidence-based practice in the field of management and leadership.

36 Center for Evidence-Based Management (OPR0003)

38 Center for Evidence-Based Management (OPR0003)

43 A provider of production software tools to financial institutions.

44 ITRS Group (OPR0001)

Published: 28 October 2019