119. There are many cases where financial services sector firms use the same third-party providers. Barclays described some of these common providers:
Banks operate within an ecosystem of connected entities, many of which are suppliers or organisations that provide services directly or indirectly to the UK financial services sector, e.g. telecommunication network providers, technology providers, card transaction acquirers, card transaction processors (e.g. VISA Europe), central bank and market infrastructure providers and cash management providers.
While this is not a new phenomenon, as technologies develop new sources of concentration risk emerge, for example firms’ use of cloud service providers.
120. When financial services sector firms use common providers, this can create concentration risk. If one of these suppliers were to fail, there could be an impact on many financial services sector firms. PwC explained this risk:
Failures in third party providers can result in significant disruption. The interconnectedness of the financial services industry means that localised outages can lead to contagion to other institutions. There is potential for global issues to develop, especially where multiple firms depend on the same service provider.
TSB gave an example of such an incident:
On the morning of 28 September 2018, a number of banks, including TSB, experienced service issues which started at the same time, and were all resolved a few hours later. For TSB, the cause was an incident at a third-party supplier—a supplier common to all the banks encountering problems that morning.
121. However, concentration among a small number of providers may not necessarily mean reduced resilience. PwC argued that:
It is also not automatically the case that a small number of providers represents a decrease in sectoral resilience. In some cases these large providers are better able to manage operational challenges than multiple potential points of failure. In the event of a widespread cyber attack, for example, large technology companies are likely to be better placed to defend themselves than a large number of smaller firms.
122. One prominent source of concentration risk is FMI. Given the systemic risks that stem from the use of FMI, some of these firms are supervised by the Bank of England. The Regulators explained the supervision of FMI:
As they sit at the heart of the financial system, FMIs need to operate smoothly every day, so their availability and resilience is one of the key objectives of the Bank’s supervisors. FMIs have stringent requirements placed on them in line with the Principles for Financial Market Infrastructures (PFMI). Supervisory reviews also focus on the firms that provide critical services to FMIs, those that FMIs outsource to more generally, and on business continuity plans.
The Bank of England has tools to mitigate systemic risk. David Bailey, Executive Director for Financial Market Infrastructure at the Bank of England, explained that:
The infrastructure that underpins several of the payment systems [ … ]—faster payments, Bacs and LINK—is all provided by a single firm, Vocalink. Last year [ … ] it had reached a significance that meant we needed to recommend to the Treasury that it was brought within the regulatory perimeter. [ … ]
We can also think about how to expand the regulatory perimeter when activities expand. Again, we recommended this, and the Treasury made a change via the Digital Economy Act two years ago that enabled us to supervise not just inter-bank payment systems, but payment systems that might operate in a way that facilitated payments between individuals without a bank intermediating them.
123. Cloud service providers are a recent example of firms increasingly using common suppliers. Mark Carney, Governor of the Bank of England, highlighted in a speech that “A quarter of major banks’ activities and almost a third of all UK payments activity are already hosted on the Cloud, and there are considerable opportunities for even more intensive usage”.
124. There are significant potential benefits of using the cloud for the financial services sector. The Regulators recognised the benefits in terms of “cost savings and faster deployment cycles”. Sam Woods, Deputy Governor for Prudential Regulation and Chief Executive Officer of the PRA, explained that “It is not necessarily a bad thing that firms are moving more stuff to the cloud. [ … ] It may be that the cyber resilience of some cloud providers is higher than that of some individual firms”. Furthermore, RBS explained that the use of cloud “permits increased physical robustness and stability as architectures are no longer bound to limited large expensive assets such as datacentres”.
125. Despite the benefits of cloud services, there are also risks. The Regulators summarised them as follows:
Cloud services also pose unique risks, including to data sensitivity, cross-border infrastructure and market concentration. [ … ] At the system level, some third-party providers (including cloud service providers) may be a key point of concentration and present a single point of failure risk where an operational incident could have a widespread impact on the system.
126. Given the risks of the cloud, Sam Woods, PRA, told us that “We have recently instituted a new process within supervision in order to guide the supervisors as to whether something is important enough to require a deep inquiry from us, or whether it is a more routine thing that we can let go”.
127. The PRA is actively in discussions with some of the cloud service providers themselves. It has also focused its attention on particular risks. For example, Lyndon Nelson, Deputy Chief Executive Officer and Executive Director for Regulatory Operations and Supervisory Risk Specialists, PRA, highlighted the PRA’s focus on “how firms can exit and enter these contracts, and how much choice they actually have about what contractual terms they have, because obviously they have regulatory obligations.”
128. While concentration risk in some areas, for example FMI, is being addressed, other sources of concentration risk remain. The Regulators explained that the Financial Policy Committee monitors concentration risk “as part of its broader financial stability agenda”.
129. Yet the Regulators also described a role for firms:
The Discussion Paper suggests that firms and FMIs should map their important business services to underlying systems and processes that support their delivery, and identify their tolerance for disruption under the assumption that disruption will occur (impact tolerance); we believe this could help identify and mitigate the risks arising from dependencies on critical third-party suppliers/vendors.
130. To improve the understanding of concentration risk, firms have suggested that a sector map is needed. PwC highlighted that identifying where firms use the same provider is “something which is not always obvious, or easy, to determine”. TSB argued that “To better understand the location and nature of concentration risk, we think it would be helpful if the Regulators mapped the common systems and components in financial services”. However, Lyndon Nelson, PRA, explained that “We are very nervous about having a map, because it would be wonderful for people who want to cause us harm” and told us that “We have the ability to pull that map together.”
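As an added illustration (not code from the report or from any of the firms quoted), the following Python script shows why shared dependencies are “not always obvious” from each firm’s own outsourcing register: a provider that sits behind another provider, such as a card processor hosted on a cloud platform, is a concentration point that a direct-contract survey misses. The sector map, the firm and provider names, and the 50 per cent reporting threshold are all constructed, hypothetical assumptions for illustration.

```python
"""Concentration-risk analysis over a constructed sector map.

Added example for illustration only; the firms, providers and dependency
links below are hypothetical, not real suppliers to the UK financial sector.
"""
from collections import defaultdict

# Direct dependencies: each entity -> the providers it relies on directly.
# Providers can themselves depend on other providers (supplier-of-supplier).
SECTOR_MAP = {
    "BankA": {"CardProcessorX", "CloudP", "TelcoT"},
    "BankB": {"CardProcessorX", "CloudQ", "TelcoT"},
    "BankC": {"CardProcessorY", "CloudP"},
    "BankD": {"CardProcessorX", "CloudP"},
    "CardProcessorX": {"CloudP"},   # the processor itself runs on CloudP
    "CardProcessorY": {"CloudQ"},
    "CloudP": set(),
    "CloudQ": set(),
    "TelcoT": set(),
}
FIRMS = frozenset({"BankA", "BankB", "BankC", "BankD"})


def transitive_dependencies(node, graph):
    """Every provider reachable from `node`, following supplier-of-supplier
    links. Iterative depth-first walk; `seen` also guards against cycles."""
    seen = set()
    stack = list(graph.get(node, ()))
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(graph.get(dep, ()))
    return seen


def provider_exposure(graph, firms, transitive=True):
    """Map each provider to the set of firms that depend on it.

    transitive=False counts only direct contracts, which is what a per-firm
    outsourcing register shows. transitive=True also counts a firm whose own
    supplier depends on the provider, which is the hidden concentration."""
    exposure = defaultdict(set)
    for firm in firms:
        deps = (transitive_dependencies(firm, graph) if transitive
                else set(graph.get(firm, ())))
        for provider in deps:
            exposure[provider].add(firm)
    return dict(exposure)


def concentration_report(graph, firms, threshold=0.5):
    """Providers on which at least `threshold` of the firms depend, directly
    or indirectly. Each row: (provider, share, dependents, hidden), where
    `hidden` lists firms a direct-only view would not have attributed to it.
    `threshold` is an illustrative assumption, not a regulatory figure."""
    direct = provider_exposure(graph, firms, transitive=False)
    full = provider_exposure(graph, firms, transitive=True)
    rows = []
    for provider, dependents in full.items():
        share = len(dependents) / len(firms)
        if share >= threshold:
            hidden = dependents - direct.get(provider, set())
            rows.append((provider, share, sorted(dependents), sorted(hidden)))
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


if __name__ == "__main__":
    for provider, share, dependents, hidden in concentration_report(SECTOR_MAP, FIRMS):
        flag = "  <- missed by direct-only view: " + ", ".join(hidden) if hidden else ""
        print(f"{provider:15s} {share:5.0%}  {', '.join(dependents)}{flag}")
```

Run as-is, the report ranks CloudP first with all four constructed banks exposed, although only three of them contract with it directly: BankB reaches it through CardProcessorX. The same logic lists CloudQ as hidden exposure for BankC. The `hidden` column is the practical reason a sector-wide map adds something that summing firms’ individual outsourcing registers does not.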
131. One way to mitigate concentration risk is to regulate the common providers, as is done for some FMI firms. PwC explained that:
Systemic providers of services should be held—and indeed hold themselves—to a higher standard of resilience. [ … ] The regulatory perimeter is also an important consideration for the regulators in meeting their objectives. There are institutions that are increasingly systemically important to the financial system (such as large technology firms) that are not regulated by the financial services regulators.
In oral evidence, Simon Chard, Financial Services Partner, PwC, added that:
Our view is that you need to do that understanding where the map is, where the participants are and where the risk is. We certainly feel that it may be a consequence of that that the regulatory perimeter is moved or other firms are brought into that.
132. There are other options, short of bringing common suppliers fully into the regulatory perimeter. TSB suggested that:
The Committee may wish to consider whether the development of mandatory common standards for critical and common suppliers could improve overall operational resilience. Suppliers would have to meet and maintain these standards in order to supply financial services companies.
Similarly, UK Finance suggested that:
The Government and/or regulators might enable there to be a form of utility assurance on the outsource providers’ operational resilience [ … ] This could align to European Banking Authority guidelines such that there are pooled audits organised jointly with other clients of the same outsource provider [ … ] in order to use audit resources more efficiently and to decrease the organisational burden on both the clients and the outsource provider.
133. Finally, concentration risk could be mitigated if firms were able to switch between providers in the event of an incident. PwC explained that:
Greater substitutability between these [critical] providers would clearly be welcome, and something industry and regulators should continue to focus on. It should be noted though there are significant operational and commercial challenges around achieving the degree of substitutability that would mitigate fully a serious operational incident at one of these key service providers. It is unlikely, for example, that firms would ever be able to automatically reroute trades into a different CCP or change cloud provider, at very short notice.
Yet progress towards substitutability has been made in some cases. For example, in 2018, “Visa handled 18.9 million transactions for UK issuers as part of [their] stand-in processing service”.
134. Producing a sector map would allow the Regulators to better identify and understand those commonly used service providers whose disruption could have major implications for the provision of financial services. We are sceptical of the Regulators’ argument that the creation of the map would be a target for those trying to cause harm. The Regulators commonly create documents which need a similarly high degree of security to prevent the information contained in them falling into the wrong hands. Moreover, some elements of the map are well known. The Regulators should therefore reconsider the case for conducting a sector mapping exercise, including consideration of the security concerns it may create. If they conclude that it would not be in the public interest, they should set out to this Committee how they are identifying and continually monitoring the risks of common critical service providers and interconnectivity in the financial services sector.
135. Where the Regulators identify that third-party providers are becoming a potential source of concentration risk, they should highlight this risk, and consider whether action is required to mitigate it. Where common providers are systemic, and concentration risk is high or becoming high, the Financial Policy Committee should in each case consider recommending to the Treasury that these should be regulated, as the Financial Policy Committee has done for FMI.
136. The cloud service provider market stood out as a source of concentration risk during the inquiry. This market is already highly concentrated and there is probably nothing the Government or Regulators can do to reduce this concentration in the short or medium term. The consequences of a major operational incident at a large cloud service provider could be significant, and not just limited to the financial services sector. The case for the regulation of these providers to ensure high standards of operational resilience is therefore considerable. The Government should urgently consider how best to regulate cloud service providers. Regulating them as critical infrastructure, while complex, may be necessary.
137. There are other ways to mitigate concentration risk, including establishing channels of communication with common suppliers to use during an incident, utilising the EBA process of leveraging pooled audit arrangements for cloud service providers, and potentially building applications able to substitute a critical supplier with another. We expect industry, industry bodies, and the Regulators to act on initiatives such as these.
138. The use of new technology and innovation in the financial services sector presents an opportunity to provide new features and services for customers, potentially at lower cost. New technologies can also facilitate improved operational resilience. The Regulators explained that “the implementation of new technologies in financial services can enhance risk management. For instance, the latest machine learning techniques can be used to provide more robust insights that help firms mitigate risk.”
139. However, new technologies can also pose a risk to the operational resilience of financial services firms. PwC explained that:
The rate of innovation in cloud, AI [Artificial Intelligence], robotics and Distributed Ledger Technology (DLT), could lead to vulnerability. We are in the middle of a technological revolution which requires firms to adopt relatively untested technologies while navigating the challenges posed by legacy systems which do not have embedded resilience.
140. There are also wider risks to consider. For example, there are potential downsides to the use of AI. Anne Boden, CEO of Starling Bank, explained that AI:
Can perpetuate prejudice and can, in some cases, perpetuate the situation regarding the financial systems of certain people in one way and that of other people in a very different way. We need to get the models right. They need to be fair and we need to be doing it with our eyes open.
141. The Bank of England and the FCA surveyed firms on Artificial Intelligence and machine learning to understand their use and impact on financial services. The results were published in October 2019, and the Bank of England and the FCA have announced their intention to establish a public-private working group on AI to explore further. In addition, Lyndon Nelson, PRA, commented that:
The way in which some of the models are established means that they either reflect the biases of humanity or put those in. The important thing for the regulator is that these cannot be a black box. The management need to understand what outcomes they come up with, and the regulator needs to understand those as well.
142. We also examined the risks of Open Banking, and whether there is a trade-off between customer convenience and security. Anne Boden, Starling Bank, told us that “I would never launch anything that is not secure”, and Graham Bastin, Head of Operational Resilience at Barclays, said that Barclays “would never consciously launch anything that was unstable”. On data security, Anne Boden of Starling Bank told us:
You then have FinTechs, which do not have banking licences but are regulated within the open banking regime and can consume that data. The banks have responsibility for our customers and we are responsible for compensating our customers if something goes wrong when a customer shares their data with a regulated FinTech.
We also heard from Alison Barker, Director of Specialist Supervision at the FCA, about the risks of Open Banking:
We are aware of the comments where people say, “If you have access to banking systems, will that create more risk?” We are monitoring that closely. In our statistics of the things that have been notified to us, 0.2 per cent relate to Open Banking. We have not seen any issues coming through, but we are aware of the risks and have very closely assessed the information service providers to make sure that their technology is appropriate and strong.
143. When asked whether customer demand for new technology or functions is causing harm, Alison Barker, FCA, explained that “No, I think it goes back to the point that we expect firms to understand and manage the change and understand the business services, and understand what the impacts of any outages should be.”
144. The Regulators are assessing the impact of new technologies on the sector. They gave examples of the FCA’s Regulatory Sandbox, which “provides firms the opportunity to test innovative propositions in a real market and with real consumers, but with appropriate safeguards and oversight”, and the Bank of England’s Fintech Hub, which focuses on “the policy implications of fintech”.
145. New technology-driven firms are entering the market, taking advantage of new ways of reaching customers and offering new services. Barclays highlighted that “technology firms, which predominantly operate in sectors traditionally far removed from the regulated financial services sector, are increasingly starting to engage in financial services activities, while existing outside of the regulatory perimeter”.
146. Representatives of the industry and some firms were keen to ensure the consistency of regulation. Marcus Scott, Chief Operating Officer, TheCityUK, explained that new technology firms should be held to the same standard of resilience:
We need to make sure that that new technology is resilient. It is not subject to perhaps the same regulations because it is not consumer-facing, but it should be subject to the same operational resilience standards.
Marcus Scott, TheCityUK, also explained that new unregulated entrants to the market:
Brings in the issue of where to put the regulatory perimeter, so that everyone is operating under the same set of rules. There has been a tendency to look at new technologies and say that we do not want to stifle them, which is right. At the same time, they need to be regulated in a way that makes sure they are operating under the same set of rules.
Similarly, Barclays argued that regulation should be guided by the principle of “same activity, same risk, same regulation”.
147. When asked by us if technology companies structuring their activities to avoid regulation was concerning, Alison Barker, FCA, commented:
Not particularly, but we always have challenges with the perimeter and who is on which side of it, so we do watch that carefully. If we have firms doing activities that ought to be regulated, but they are doing them and they are not regulated, we take specific action.
Furthermore, Lyndon Nelson, PRA, added that “The Financial Policy Committee has a legal responsibility, and it looks at that.”
148. In his Mansion House dinner speech in June 2019, the then Chancellor announced a “Treasury-led review of the payments landscape [ … ] to make sure that our regulation and infrastructure keeps pace with the dizzying array of new payments models”.
149. New technology and innovation in the financial services sector can facilitate new services for customers and provide opportunities to improve firms’ operational resilience. We support innovation where it benefits customers but with these benefits also come risks. Given the competition between firms to provide new technology-driven services for customers, the Regulators should ensure they have the capability and capacity to monitor the use of new technologies in the financial services sector. Regulators must also assess whether firms are rolling out new technologies before they have proven their resilience.
150. It is right that firms and the Regulators are considering other downside risks from new technology, such as possible discriminatory effects. As the use of new technologies such as artificial intelligence and machine learning increases, both firms and Regulators must monitor their potential to be discriminatory. If these risks cannot be rigorously identified and mitigated, firms should not use these technologies. We urge the Regulators to set clear guidance for the sector.
151. As established financial services firms share data with new entrants, for example as a result of Open Banking, they must ensure that the data is secure before customers are allowed to use the service. While we received assurances from a number of banks that they would not put customers at risk by launching an unstable or insecure system, the stakes are high, and the level of oversight over smaller fintech providers may not be the same.
152. Some firms expressed the concern that new technology companies may be operating with a lower level of regulation than that of traditional financial services providers, while operating in similar sectors. We welcomed the Regulators explaining that they are monitoring this risk, and that the Financial Policy Committee considers this risk under its responsibility to identify risks beyond the regulatory perimeter. We also expect particular attention to be given to firms deliberately avoiding regulation. We believe that activities should be subject to the same standards of regulation, whatever type of firm is conducting them.
154. Many of the most significant IT failures have originated in the retail banking and payments sector. While this may be the case given the complexity of banks and payment systems, and the impact on customers when these services are disrupted, IT incidents originating in other sectors could also be impactful.
155. PwC explained that they assessed the maturity of operational risk management to be highest amongst retail banks and investment banks, with insurance, asset management and wealth management lower down the spectrum of maturity.
156. The majority of evidence received in this inquiry relates to the banking and payments sectors. While this is unsurprising given the expectations of consumers for these services and the recent high-profile outages, we are also interested in the operational resilience of other areas of the financial services sector. All financial services firms, and the Regulators, should be alert to the causes and consequences of IT incidents across the sector, and should take the necessary steps to reduce any risks. If the Regulators have identified specific risks from IT failures of other sectors, they should briefly set out in their response to this report how these risks are being identified and mitigated.
153 Barclays
154 PwC
155 TSB Bank
156 PwC
157 “FMIs are networks of users that transact with each other. They exist to reduce the risks and costs involved in making payments and settling trades in financial instruments”. The Bank of England’s regulation of FMIs includes payment systems, central securities depositories, and central counterparties. Bank of England, 20 February 2018
158 Financial Conduct Authority, Bank of England and Prudential Regulation Authority
160 Mark Carney, speech, 20 June 2019
161 Financial Conduct Authority, Bank of England and Prudential Regulation Authority
162 Treasury Committee, oral evidence, HC 704, 23 January 2019 [Q167]
163 RBS
164 Financial Conduct Authority, Bank of England and Prudential Regulation Authority
165 Treasury Committee, oral evidence, HC 704, 23 January 2019 [Q167]
167 Financial Conduct Authority, Bank of England and Prudential Regulation Authority
168 Financial Conduct Authority, Bank of England and Prudential Regulation Authority
169 PwC
170 TSB Bank
173 PwC
175 TSB Bank
176 UK Finance
177 PwC
178 Visa
179 Financial Conduct Authority, Bank of England and Prudential Regulation Authority
180 PwC
182 Bank of England and FCA, October 2019
184 “Open Banking is designed to bring more competition and innovation to financial services. It was set up by the Competition and Markets Authority on behalf of the UK Government.” “Open Banking is the secure way to give providers access to your financial information.”
190 Financial Conduct Authority, Bank of England and Prudential Regulation Authority
191 Barclays
194 Barclays
197 The Rt Hon Philip Hammond MP, 20 June 2019
198 PwC
Published: 28 October 2019