32.Financial services sector firms are regulated by a number of different bodies. For the purpose of this inquiry we heard oral evidence from the Bank of England, FCA, and PRA. However, various other bodies have also been responsible for the regulation of the sector, including the Payments Systems Regulator (PSR), and other cross-cutting bodies such as the Information Commissioner (ICO). Marcus Scott, Chief Operating Officer, TheCityUK, told us that “Many of our member firms have up to nine regulators [ … ] and that is quite complex.”45
33.There is a role for the financial services Regulators in specifically reducing both the number and impact of IT failures in the financial services sector. The Regulators told us:
While we expect firms and FMIs to manage the risks arising from use of technology, we also accept that we have an important role in strengthening the operational resilience of the financial system and in helping to reduce the impact of operational incidents when they occur.46
34.The role of the Regulators in operational resilience more generally is still developing. They explained that:
Compared to our frameworks for capital, liquidity, OCIR [Operational Continuity in Resolution], and senior management accountability, the regulatory framework for operational resilience has scope to be developed. We are therefore considering how we might supplement existing requirements.47
Charles Randall, Chair of the FCA, commented that:
Technology change means major new risks to our objectives can develop more rapidly than ever. These risks increasingly come from beyond large authorised firms and regulated products, such as when scammers use the internet to target victims. We must continue to develop our own use of technology and our supervision and enforcement capabilities to respond rapidly where our remit allows.48
35.The Regulators published a joint Discussion Paper (DP), ‘Building the UK financial sector’s operational resilience’, in July 2018. The Regulators’ “collaboration on this paper reflects the interconnectedness of the financial system and a shared interest in the opportunities and threats posed by developments in technology”.49 In written evidence they explained the purpose of the DP.
The DP reminded firms and FMIs of existing requirements relating to operational resilience, and suggested ways of strengthening operational resilience and that firms and FMIs could:
- assume severe disruptive events will happen and plan on that basis;
- focus on the wider impact on end users of disruption to the supply of products and services (“business services”), not just on system recovery;
- set impact tolerances and use scenario testing as a way of enhancing existing arrangements; and
- identify resilience gaps, and invest in the ability to maintain continuity of supply of products and services.50
36.The proposed approach in the DP was supported by many respondents. Graham Bastin, Head of Operational Resilience at Barclays, commented that “The thing that we really welcomed was the customer lens that they were looking at”.51 Ian Lundberg, Chief Officer, Senior Vice President, Client Services Europe, Visa, told us that “Absolutely it resonated with us. [ … ] We welcomed [ … ] the idea of looking at the payments ecosystem in total, and the interdependencies between us all.”52
37.Lyndon Nelson, Deputy Chief Executive Officer and Executive Director for Regulatory Operations and Supervisory Risk Specialists, PRA, commented that the DP:
Has received a lot of positive comment [ … ] The main constructive comment we have had back is that the firms are trying to work out how operational resilience fits in with some of the other requirements that the regulators already have on operational continuity and resolution, or in terms of operational risk and the capital they might hold against that.53
38.The Regulators are currently considering responses to the July 2018 DP. Lyndon Nelson, PRA, explained that: “we intend to come back in about October with a consultation paper. I cannot be too precise on the date”.54 Consultation papers set out draft policy, and the Regulators seek responses before policy is finalised.
39.When asked whether implementing the proposed approach would reduce the disruptions that financial services customers experience, Lyndon Nelson remarked that “You would hope that would be the outcome of the policy. [ … ] consumers and constituents will see something very different. They will get their service—it may be slightly clunky or slightly late, but it certainly will not be at the level of disruption that we have had so far”.55
40.Regulatory supervision of operational resilience may require a different approach to that currently adopted for prudential and conduct risks. While the Regulators are still developing their approach to supervising firms’ operational resilience, there is an opportunity to consider whether current practice is the best model of supervision for this risk. The approach to supervision must be agile, and be able to adapt as operational resilience risks change, including those introduced as new technologies are adopted.
41.It is promising to hear that firms are broadly supportive of the approach taken by the Regulators in their July 2018 Discussion Paper. We encourage the Regulators to continue to engage with industry when developing operational resilience requirements further, to ensure that these are practical and effective. The Regulators should publish further guidance for firms on how their different operational resilience requirements interact, and their expectations of firms when implementing them. This should be done as the policy is developed, and not after firms have begun implementation.
42.The PRA has given us assurances that if the approach in the Discussion Paper is implemented, the level of disruption will fall. This remains to be seen. The Regulators should set out publicly how they intend to measure the effectiveness of future policy in achieving this aim. We will continue to scrutinise the progress made by the Regulators to improve the sector’s operational resilience as part of our regular work.
43.Given the importance of operational resilience, and the fast-moving nature of the risks, we urge the Regulators to prioritise the publication of their final policy and guidance. In responding to this report, the Regulators should set out their upcoming timetable for publication.
44.The Regulators said they were “considering ways of strengthening the operational resilience of the financial sector, and one possible enhancement is for firms and FMIs to set impact tolerances”.56 This is motivated by the premise in the DP that: “it would be neither possible nor an efficient use of resources to attempt to make every component of an organisation completely resilient to operational disruption”.57 The Regulators set out how this could be applied:
Firms would then be expected to “test their ability to stay within these tolerances through severe but plausible scenarios”.59
45.This raises the question of where firms might set such tolerances. PwC argued that impact tolerances will be guided by customer demand, economic and societal importance of the service, and substitutability.60 RBS “believes the regulators have a role to play by identifying and providing guidance on specific service impact tolerances they would expect to see”.61 Also, the impact of an incident may differ when viewed with the different regulatory lenses of consumer harm, safety and soundness of firms and financial stability, so the impact tolerances may have to vary based on these objectives.
46.A similar approach to setting impact tolerances is already employed for FMI. David Bailey, Executive Director for Financial Market Infrastructure at the Bank of England, explained that “all FMIs should have plans in place to be able to recover from an outage within two hours; but certainly to ensure that all payments are settled by the end of the intended value date62.”63
47.We accept that completely uninterrupted access to banking services is not achievable, yet prolonged or regular IT failures are unacceptable. Recent high-profile incidents have caused significant harm to consumers and businesses, and we regard the current level of disruption from incidents as too high. We understand that impact tolerance will vary based on the regulatory objective in question (for example preventing consumer harm); the consumer group; and the importance of the product or service. Nevertheless, it is crucial that the Regulators maintain a very low tolerance for disruption to the most important services.
48.We recommend that the Regulators provide clear guidance to firms on their expectations around the definition of business services and the level of impact tolerances. While the Regulators’ current expectation is that firms would set their own impact tolerances, ultimately firms must not be allowed to set tolerance for disruption too high. The Regulators must prohibit this to avoid lax operational resilience, which could in turn lead to a financial stability crisis or widespread consumer harm.
49.The Regulators suggested in their Discussion Paper that firms would be expected to meet their impact tolerances in severe but plausible scenarios. We are concerned about what the impact of an IT failure would be in scenarios where firms are not expected to meet their impact tolerance. In response to this report, the Regulators should describe extreme scenarios under which firms would not be expected to meet their own impact tolerance, and what the regulatory response would be to protect consumers from harm in such scenarios.
50.The Regulators explained that they have a role “in helping to reduce the impact of operational incidents when they occur”.64 Where the Regulators need to coordinate during an incident, they can use the Authorities Response Framework (ARF). The Regulators explained that the ARF is used for serious incidents by the Regulators and the Treasury but can also be expanded to include other agencies. They explain that the “ARF provides an important co-ordination function for the authorities [ … ]. It allows intelligence to be pooled and common issues to be discussed and approaches agreed”.65
51.Alison Barker, FCA, explained the role of the FCA during an incident:
As the first responder, we will establish the facts of what is happening and establish the key point of contact within the institution. We will inevitably contact the [Bank of England] and the Treasury. There will then be the co-ordinating authorities call, which will have a set agenda around ensuring that we know what has happened, that we understand the impacts, that we know who is doing what at the firm, that we are clear that the firm understands what it has going on and what level of response we need to have.66
52.The ARF was initiated by the FCA after the TSB migration. The FCA, in a letter to us, set out its work following the migration:
The FCA has continuously engaged with TSB since 20 April. This includes on-site visits to TSB’s Head Office and other TSB sites to observe progress and monitor its approach to identifying and resolving the issues [ … ]. We also review daily management information from TSB to ensure we understand the steps TSB is taking to remedy the situation, and challenge TSB where needed.67
53.The FCA also has staff on standby, should incidents occur. Alison Barker, FCA, highlighted that “we will be monitoring things and we have teams on call over every single weekend and over bank holidays to monitor incidents”.68 She reassured us that the FCA have estimated that they can run at least 10 incidents at the same time.69
54.Andrew Bailey, Chief Executive of the FCA, in evidence to our Service disruption at TSB inquiry, accepted that “there is a lot still to learn” about the TSB case.70 More broadly, in relation to both the TSB and Visa incidents, he said that the FCA “seek to learn from all these incidents but none of us can give [the Committee] an assurance that these things will never happen again”.71
55.The Regulators have a vital role during significant incidents. While the responsibility for managing incidents rests with financial services firms, where a firm’s response proves ineffective and there is a risk to the Regulators’ objectives, the Regulators must be willing and able to take appropriate action to mitigate risks to their objectives.
56.One way to create an environment whereby firms focus on their operational resilience is to clearly identify who is responsible for such resilience within a firm. The Regulators explained that they require:
Specified types of firms to appoint managers, approved by the regulator, who are responsible for specific areas and for each of the firms’ business functions and activities. The Senior Management Function (SMF) 24 is the Chief Operations function, with responsibility for a firm’s internal operations and technology. SMF24 currently applies to banks, dual-regulated investment firms and building societies, and is being extended to ‘enhanced’ FCA solo regulated firms from December 2019. We expect senior management to be responsible for their firms’ proactive operational resilience as well as when incidents occur.72
57.Lyndon Nelson, PRA, explained that “the SMR bites even at pre-enforcement. When we are talking about some of these big programmes [ … ], one of the big things that the supervisor does is make sure who is responsible”.73 Graham Bastin, Barclays, commented that the Senior Managers Regime “has sharpened the focus. We have the governance structures [ … ] where it is very clear where the accountability for operational technology resilience lies.”74
58.In the Treasury Committee’s Work of the PRA inquiry oral evidence session in July 2018, we asked what penalties would be expected if firms did not meet impact tolerances. Sam Woods, Deputy Governor, Prudential Regulation, and Chief Executive Officer of the PRA, told us that “We have the full range of our regime to deploy, so we do not need a new penalty regime to attach to this”.75 Similarly, during oral evidence to us on 15 January 2019, Andrew Bailey, FCA, commented on the possible sanctions the FCA can use when IT outages occur as follows:
I will say two things on that. First, it feeds through into the remuneration policy, so we expect banks’ policies on variable remuneration to reflect operational reliance. [ … ] If we find it is not, we will act, because it is important that it is. That goes to the second point, which is that it is a responsibility under the senior managers regime.76
59.However, the Senior Managers Regime does not apply to all firms. David Bailey, Bank of England, told us that “We do not have that same senior managers regime applicable to financial market infrastructure. [ … ] It is an area where accountability in the firms that I supervise could be enhanced”.77 The Financial Policy Committee in its July 2019 Financial Stability Report noted “that there is a strong case for extending the Senior Managers and Certification Regime to FMIs”.78
60.In addition to individuals, the Regulators can also impose sanctions on financial services sector firms. The Regulators gave examples of where they have held financial services sector firms to account.
As can be evidenced from the previously mentioned enforcement action we took against RBS Group for its system failures in 2012, the recent financial penalty imposed on Tesco Personal Finance plc for failing to protect its personal current account holders against a cyber-attack in 2016, and the current investigations of TSB and Equifax, we have continued to use our relevant powers to hold firms to account when they fail to comply with our requirements in relation to serious operational incidents.79
61.Yet, as we have seen following TSB’s IT failure in April 2018, investigating in the event of failures is a slow process. At the time of publication, neither the report commissioned by TSB (the ‘Slaughter and May’ report) nor the regulatory investigation has concluded.
62.Holding individuals and firms to account when IT failures happen is essential, not only to prevent individuals making the same mistakes again, but also to focus the attention of senior management on the risk of incidents and incident management. The Regulators must use the enforcement tools at their disposal to hold individuals and firms to account for their role in IT failures and poor operational resilience. The regulatory mechanisms to ensure accountability for failures must have teeth, and equally as importantly, be seen to have teeth.
63.We support the increasing focus on accountability and responsibility brought about by the Senior Managers Regime. However, we have yet to see a successful enforcement case under the Regime against an individual following an IT failure. We are concerned that this may be evidence of an ineffective regime to support enforcement. We accept that not all IT failures would result in enforcement action by the Regulators. However, the Regulators should consider whether there are any barriers to the effective operation of the regime, and whether any changes to the requirements or standards are necessary to ensure that individuals can be held accountable. If future incidents continue to occur without any sanction to individuals under the Regime, we as a Committee, and Parliament, will have to consider whether the powers Parliament has given to the Regulators are fit for purpose.
64.The length of time it has taken for customers and Parliament to be provided with a comprehensive independent account of what happened during the TSB IT failure, who was at fault, and why the recovery process took so long is unacceptable. The Regulators must provide a full report of their investigation into the incident in their response to this report, or failing this, provide us with an update on timelines and issue the full report as soon as possible.
65.Remuneration structures throughout firms should reflect the importance of operational resilience. When appropriately used, these structures can help improve the prominence of operational resilience, and the requisite level of attention to preventing IT failures. If the Regulators observe that firms are not adequately taking operational performance into account when determining remuneration for senior staff within financial services firms, they must intervene.
66.As we have seen from recent examples, such as the Visa outage in 2018, operational incidents at Financial Market Infrastructure (FMI) firms can have as much effect on customers as bank incidents. It is therefore vital that senior management at FMI firms are accountable for their management of operational incidents. There does not appear to be any justification for keeping FMI outside of the Senior Managers Regime. The Government should expand the Senior Managers Regime to include FMI supervised by the Bank of England.
67.If regulation places an excessive burden on firms, this could harm their resilience. UK Finance argued that legislative and regulatory requirements underpin more of firms’ change than previously.80 Similarly, Barclays told us that:
A number of major technology change programmes have been mandated by Government or regulators, to transform the financial services sector and provide services digitally [ … ] many of these mandated reforms are significant change programmes with implementation often required simultaneously. This can sometimes create competing requirements or conflicting demand that may generate technology and operational risk.81
Conversely, Anne Boden, CEO of Starling Bank, commented that “on regulatory burden, we do not have a significant burden from regulatory changes, because we have new software and new procedures”.82
68.In January 2019, we questioned Sam Woods, PRA, on whether regulators were creating risk through excessive demands. He responded that:
As is often the case, members of some financial institutions may be expressing themselves more vividly than the facts support. The easiest way to express it is that a good chunk, say 20 per cent, of those numbers [on incidents] is cyber. I can assure you that the PRA is not launching cyberattacks on any financial institution. [ … ] There is a grain of truth in what you have been told, in the sense that there is a lot of change.83
69.Furthermore, Lyndon Nelson, PRA, explained that the cumulative burden of regulatory change on firms “is always difficult to assess”. In relation to this burden, he commented that “I would not accept it domestically, but for the global firms, there is no question but they have been hit by a variety of different standards”.84
70.Yet firms have raised this risk with the Regulators. Graham Bastin, Barclays, told us that:
When we are executing the volume of change that I referenced earlier85 and we can see there are collisions or compression on that change schedule, we are very happy to push back on where those changes are coming from and to explain the consequences, or the unintended consequences.86
71.The coordination between the Regulators on their July 2018 Discussion Paper was welcomed by a number of firms. RBS “welcomes the open, challenging and collaborative approach taken by the regulators”.87 Yet we also heard that regulatory demands could be better coordinated. UK Finance commented that the risks of regulatory change are “exacerbated by an absence of coordination between public authorities over substance, timing and prioritisation”.88 Also, Graham Bastin, Barclays, commented that:
I think the discussion papers stimulated a conversation around something called air traffic control. If we could see greater coalition and co-ordination across the different regulators, not just in the UK but internationally, that would be super-helpful.89
72.In his Mansion House speech in June 2019, the then Chancellor announced “a major, long-term review into the future of our regulatory framework”, and commented that “I have heard the message from business that there is a critical need for greater ‘air traffic control’ to manage the cumulative impact of regulatory change emanating from different sources”.90 The Treasury launched a call for evidence on regulatory coordination in July 2019 which forms the first part of this review. This “looks at how government and the regulators work together to coordinate their activities to ensure the best outcomes for the financial services sector, consumers of financial services, and the UK as a whole.”91
73.Regarding ‘air traffic control’, Alison Barker, Director of Specialist Supervision at the FCA, commented that:
The chief executives of our organisations, the CMA and the Payment Systems Regulator are all very committed. There has been a discussion with the Chancellor. They will take forward what ideas come through the call for input. There is an idea that there will be some consultation or wider discussion later in the year.92
74.Change is one of the biggest causes of operational incidents, and the Regulators are one of the biggest causes of change. It is vital that the Regulators do not inadvertently increase the risk of an operational incident by placing excessive or poorly coordinated requirements on firms. While it is concerning to hear firms criticise a lack of effective regulatory coordination, industry criticism of regulatory requirements must be viewed sceptically, as industry has an incentive to lobby for reduced regulatory burden. The same industry praised the joint approach by the FCA, PRA and Bank of England put forward in their July 2018 Discussion Paper.
75.We welcome the then Chancellor’s announcement of a review into the future regulatory framework for the financial services sector, and the subsequent call for evidence on regulatory coordination. The Treasury should implement a continuing coordinating forum to assess the cumulative burden of regulatory change, and to facilitate a permanent “air traffic control” in the financial services sector. This would help ensure that the Regulators themselves do not create operational risk through the volume and timing of their regulatory demands.
76.The Regulators explained their approach to resourcing and staff skills and experience in relation to operational resilience, stating that they:
Employ experts in both technology and cyber resilience who provide support to front-line supervisors to assess firms’ and FMIs’ resilience. Many of these experts hold recognised industry qualifications which, to be maintained, require continuous professional development and certification on an annual basis.93
Furthermore, the Regulators emphasised their ability to contract external resources. David Bailey, Bank of England, explained that “we make quite extensive use of external resources, so that we can commission expert resources to come into a firm and perform assessments, which adds to the expertise we can draw on”.94
77.However, we heard that the Regulators need to improve their skills and experience related to operational resilience. PwC explained that “the expertise and experience of operational resilience topics is less widespread in supervisory and policy teams in the PRA and FCA, than more typical prudential and conduct risks.”95 Simon Chard, Financial Services Partner, PwC, added in oral evidence that firms have told them “that they would appreciate being able to have a discussion on those topics and more resource within the regulator to discuss those topics with them”.96
78.The skills and experience issue was recognised by the Regulators. Lyndon Nelson, PRA, remarked on training supervisory staff, that “we would acknowledge that we have to get the supervisors further up the curve”.97 Also, in oral evidence, the Regulators described the training programmes for supervisory staff.98 However, in written evidence they wrote that “recruiting and retaining these experts continues to be challenging, given the demand for their skills and the Authorities’ resource constraints”.99 Lyndon Nelson, PRA, described some of the challenges that the PRA faces:
The main constraint, to be honest, is probably a budgetary one. We have a number of other priorities. [ … ] I am happy with the resource settlement that we have got. [ … ] We could go quicker if we had more, but I think it is the right balance.100
Alison Barker, FCA, was asked whether salaries were a challenge in recruiting the right people. She explained that “It can be, but we focus on what benefits you get from working at a regulator. People often come to work at a regulator because there is a sense of purpose”.101
79.Given the need to improve resourcing at the Regulators, PwC suggested that:
There may need to be consideration as to whether greater resources and more subject matter experts (enhanced through secondments from the private sector where appropriate, or by recruiting more senior advisers with expertise in an operational resilience discipline) assigned to operational resilience may be necessary.102
80.The Regulators have an important role in overseeing and challenging firms’ approach to operational resilience and preventing IT incidents. They need the appropriate skills and experience to do so. The Regulators have improved their capability over recent years, yet they must do more. While training programmes may assist the Regulators in building supervisory skills, expert and practitioner experience are also important. We therefore expect the Regulators to increase their capability, particularly at the more senior levels.
81.We accept the Regulators’ current budgets make hiring staff with skills and experience in operational resilience challenging. The Regulators should increase financial sector levies to ensure they can hire the staff with the expertise and practitioner experience they need. We do not expect to hear after the fact, perhaps in reaction to a major incident, that supervisory resources were inadequate.
48 FCA, Annual Report and Accounts 2018/19, HC (2017–19) 2415, 9 July 2019
49 Bank of England, Prudential Regulation Authority and Financial Conduct Authority, Discussion Paper: Building the UK financial sector’s operational resilience, July 2018
56 Financial Conduct Authority, Bank of England and Prudential Regulation Authority (OPR0012). The Regulators in written evidence define tolerances: “An impact tolerance describes a firm’s or FMI’s tolerance for disruption to a particular business service, under the assumption that disruption to the systems and processes supporting that service will occur. Impact tolerance is expressed by reference to specific outcomes and metrics. Such metrics could include the maximum tolerable duration or volume of disruption, a measure of data integrity or the number of customers affected.”
62 The value date is “the day on which the payment, transfer instruction, or other obligation is due and the associated funds and securities are typically available to the receiving participant”. BIS-IOSCO, Principles for financial market infrastructures, April 2012
67 Treasury Committee, Correspondence from the Chief Executive of the FCA to Chair, 30 May 2018
70 Treasury Committee, Oral evidence: Service disruption at TSB, HC 1009, 6 June 2018 [Q234]
71 Treasury Committee, Oral evidence: Service disruption at TSB, HC 1009, 6 June 2018 [Q234]
75 Treasury Committee, Oral evidence: The work of the Prudential Regulation Authority, HC 704, 11 July 2018 [Q116]
76 Treasury Committee, Oral evidence: The work of the Financial Conduct Authority, HC 475, 15 January 2019 [Q418]
78 Bank of England, Financial Stability Report, July 2019
83 Treasury Committee, Oral evidence: The work of the Prudential Regulation Authority, HC 704, 23 January 2019 [Q161]
90 The Rt Hon Philip Hammond MP, Mansion House dinner speech 2019, 20 June 2019
91 The Treasury, Financial Services Future Regulatory Framework Review, Call for Evidence: Regulatory Coordination, July 2019
Published: 28 October 2019