IT failures in the Financial Services Sector

Conclusions and recommendations

IT incidents

1. There has been a shift in the way that customers access their financial services, with an increasing number of customers using digital services. As customers come to rely more heavily on digital channels, and given that many high-street branches are closing, the resilience and availability of digital channels is being brought into sharper focus. Given these exacting expectations, it is likely that even brief service disruptions may cause significant concern among consumers. (Paragraph 10)

2. Financial services sector firms are increasingly utilising technology to improve their services. This can have efficiency and resilience benefits yet can also increase the complexity and risk in firms’ IT architectures. While customers may benefit from new features or digital services, they also suffer when IT failures occur. (Paragraph 11)

3. We welcome the increasing focus on operational resilience among both industry and the Regulators. Further regulatory intervention is needed to improve the operational resilience of the financial services sector, as was required over the past decade for its financial resilience. The Regulators must give as much prominence to regulating operational risk and resilience as they currently afford to regulating prudential and conduct risks. (Paragraph 16)

4. Operational incidents in the financial services sector are increasing in frequency. While we recognise that many incidents have limited customer impact, recent high-profile cases have shown the harm to customers that can be caused. The impact of IT incidents can range from inconvenience to customers through to customer harm, and on to matters of a firm’s viability or financial stability. Financial services providers must treat their ability to manage and prevent incidents with a level of seriousness appropriate to the significant impact when incidents occur. (Paragraph 24)

5. The lack of consistent and accurate recording of data on operational incidents is concerning. The Regulators should conduct an exercise to assess the accuracy and consistency of incident reporting. If necessary, the Regulators should clarify standards, guidance and definitions for industry on what incidents firms should both record and report. They should also consider the need to expand current reporting requirements, to cover broader services provided by firms. Higher quality incident reporting will serve to improve the ability of both the Regulators and industry to identify the biggest risks to the operational resilience of the sector. (Paragraph 30)

6. It is very difficult for customers to determine which financial services providers are operationally resilient, and to make clear comparisons across the industry. The Regulators should require clearer and more prominent public reporting to empower customers to make informed decisions regarding which provider they use, and to increase firms’ focus on operational resilience. Where firms already publish incident information, this should be given greater prominence in information made available to prospective and existing customers, such as that given to wait times and complaints, which are visibly displayed in bank branches for all to see. (Paragraph 31)

The role of the Regulators

7. Regulatory supervision of operational resilience may require a different approach to that currently adopted for prudential and conduct risks. While the Regulators are still developing their approach to supervising firms’ operational resilience, there is an opportunity to consider whether current practice is the best model of supervision for this risk. The approach to supervision must be agile, and be able to adapt as operational resilience risks change, including those introduced as new technologies are adopted. (Paragraph 40)

8. It is promising to hear that firms are broadly supportive of the approach taken by the Regulators in their July 2018 Discussion Paper. We encourage the Regulators to continue to engage with industry when developing operational resilience requirements further, to ensure that these are practical and effective. The Regulators should publish further guidance for firms on how their different operational resilience requirements interact, and their expectations of firms when implementing them. This should be done as the policy is developed, and not after firms have begun implementation. (Paragraph 41)

9. The PRA has given us assurances that if the approach in the Discussion Paper is implemented, the level of disruption will fall. This remains to be seen. The Regulators should set out publicly how they intend to measure the effectiveness of future policy in achieving this aim. We will continue to scrutinise the progress made by the Regulators to improve the sector’s operational resilience as part of our regular work. (Paragraph 42)

10. Given the importance of operational resilience, and the fast-moving nature of the risks, we urge the Regulators to prioritise the publication of their final policy and guidance. In responding to this report, the Regulators should set out their upcoming timetable for publication. (Paragraph 43)

11. We accept that completely uninterrupted access to banking services is not achievable, yet prolonged or regular IT failures are unacceptable. Recent high-profile incidents have caused significant harm to consumers and businesses, and we regard the current level of disruption from incidents as too high. We understand that impact tolerance will vary based on the regulatory objective in question (for example preventing consumer harm); the consumer group; and the importance of the product or service. Nevertheless, it is crucial that the Regulators maintain a very low tolerance for disruption to the most important services. (Paragraph 47)

12. We recommend that the Regulators provide clear guidance to firms on their expectations around the definition of business services and the level of impact tolerances. While the Regulators’ current expectation is that firms would set their own impact tolerances, ultimately firms must not be allowed to set tolerance for disruption too high. The Regulators must prohibit this to avoid lax operational resilience, which could in turn lead to a financial stability crisis or widespread consumer harm. (Paragraph 48)

13. The Regulators suggested in their Discussion Paper that firms would be expected to meet their impact tolerances in severe but plausible scenarios. We are concerned about what the impact of an IT failure would be in scenarios where firms are not expected to meet their impact tolerance. In response to this report, the Regulators should describe extreme scenarios under which firms would not be expected to meet their own impact tolerance, and what the regulatory response would be to protect consumers from harm in such scenarios. (Paragraph 49)

14. The Regulators have a vital role during significant incidents. While the responsibility for managing incidents rests with financial services firms, where a firm’s response proves ineffective and there is a risk to the Regulators’ objectives, the Regulators must be willing and able to take appropriate action to mitigate risks to their objectives. (Paragraph 55)

15. Holding individuals and firms to account when IT failures happen is essential, not only to prevent individuals making the same mistakes again, but also to focus the attention of senior management on the risk of incidents and incident management. The Regulators must use the enforcement tools at their disposal to hold individuals and firms to account for their role in IT failures and poor operational resilience. The regulatory mechanisms to ensure accountability for failures must have teeth, and, equally importantly, be seen to have teeth. (Paragraph 62)

16. We support the increasing focus on accountability and responsibility brought about by the Senior Managers Regime. However, we have yet to see a successful enforcement case under the Regime against an individual following an IT failure. We are concerned that this may be evidence of an ineffective regime to support enforcement. We accept that not all IT failures would result in enforcement action by the Regulators. However, the Regulators should consider whether there are any barriers to the effective operation of the regime, and whether any changes to the requirements or standards are necessary to ensure that individuals can be held accountable. If future incidents continue to occur without any sanction to individuals under the Regime, we as a Committee, and Parliament, will have to consider whether the powers Parliament has given to the Regulators are fit for purpose. (Paragraph 63)

17. The length of time it has taken for customers and Parliament to be provided with a comprehensive independent account of what happened during the TSB IT failure, who was at fault, and why the recovery process took so long is unacceptable. The Regulators must provide a full report of their investigation into the incident in their response to this report, or failing this, provide us with an update on timelines and issue the full report as soon as possible. (Paragraph 64)

18. Remuneration structures throughout firms should reflect the importance of operational resilience. When appropriately used, these structures can help improve the prominence of operational resilience, and the requisite level of attention to preventing IT failures. If the Regulators observe that firms are not adequately taking operational performance into account when determining remuneration for senior staff within financial services firms, they must intervene. (Paragraph 65)

19. As we have seen from recent examples, such as the Visa outage in 2018, operational incidents at Financial Market Infrastructure (FMI) firms can have as much effect on customers as bank incidents. It is therefore vital that senior management at FMI firms are accountable for their management of operational incidents. There does not appear to be any justification for keeping FMI outside of the Senior Managers Regime. The Government should expand the Senior Managers Regime to include FMI supervised by the Bank of England. (Paragraph 66)

20. Change is one of the biggest causes of operational incidents, and the Regulators are one of the biggest causes of change. It is vital that the Regulators do not inadvertently increase the risk of an operational incident by placing excessive or poorly coordinated requirements on firms. While it is concerning to hear firms criticise a lack of effective regulatory coordination, industry criticism of regulatory requirements must be viewed sceptically, as industry has an incentive to lobby for reduced regulatory burden. The same industry praised the joint approach by the FCA, PRA and Bank of England put forward in their July 2018 Discussion Paper. (Paragraph 74)

21. We welcome the then Chancellor’s announcement of a review into the future regulatory framework for the financial services sector, and the subsequent call for evidence on regulatory coordination. The Treasury should implement a continuing coordinating forum to assess the cumulative burden of regulatory change, and to facilitate a permanent “air traffic control” in the financial services sector. This would help ensure that the Regulators themselves do not create operational risk through the volume and timing of their regulatory demands. (Paragraph 75)

22. The Regulators have an important role in overseeing and challenging firms’ approach to operational resilience and preventing IT incidents. They need the appropriate skills and experience to do so. The Regulators have improved their capability over recent years, yet they must do more. While training programmes may assist the Regulators in building supervisory skills, expert and practitioner experience are also important. We therefore expect the Regulators to increase their capability, particularly at the more senior levels. (Paragraph 80)

23. We accept the Regulators’ current budgets make hiring staff with skills and experience in operational resilience challenging. The Regulators should increase financial sector levies to ensure they can hire the staff with the expertise and practitioner experience they need. We do not expect to hear after the fact, perhaps in reaction to a major incident, that supervisory resources were inadequate. (Paragraph 81)

Common causes of IT incidents

24. Many financial institutions face the challenge of ageing legacy infrastructure that is hard to maintain, yet expensive and risky to replace. We do not believe enough is being done by firms to mitigate the operational risks they face from their own legacy technology, such as by moving to newer technology. (Paragraph 92)

25. While legacy systems can in some cases be robust, firms must ensure that their use remains appropriate. This should include considering the availability of expertise to maintain the systems, the systems’ resilience, and their remaining useful life. Firms must not use the cost or difficulty of upgrades as an excuse not to make vital upgrades to legacy systems. Regulators should have a strong framework to oversee firms’ assessments, and challenge these where necessary. (Paragraph 93)

26. We welcome the indications from the Regulators that the approach set out in the Discussion Paper, if adopted, should trigger an improvement in firms’ management of legacy systems. However, given the potential for short-sightedness by management teams, if improvements are not forthcoming, the Regulators must intervene to ensure that firms are not exposing customers to risks due to legacy IT systems. The Regulators should make use of their full range of tools to achieve this, including commissioning independent Section 166 skilled person reviews. (Paragraph 94)

27. Poor change management is one of the primary causes of IT failures. As firms embrace new technology to improve customer experience, and grapple with upgrading legacy systems to meet the expectations of digital banking, further IT change in the financial services sector is inevitable. It is important that firms have strong and well-rehearsed change management procedures. As a matter of urgency, firms should address any issues identified in their risk management, including ensuring that they have sufficient skills and experience to manage change. (Paragraph 104)

28. We are concerned that time and cost pressures may cause firms to cut corners when implementing change programmes, for example by compressing testing schedules. Firms engaging in change programmes should not be allowed to gamble with their service availability. (Paragraph 105)

29. While we accept that the ultimate responsibility for executing change programmes lies with firms, there is a role for the Regulators where customers are at risk. In their unique position with oversight over many change projects, the Regulators should ensure that best practice and lessons learnt from past change projects are disseminated to the industry. (Paragraph 106)

30. The Regulators must also review their approach to supervising firms’ large-scale change programmes to ensure that proactive intervention is possible, ahead of IT failures, so that customers are protected. This should include the level of engagement with firms, the level of specialist resource required, and the degree of assurance sought. (Paragraph 107)

31. Given the prominence of operational incidents caused by third parties, we support the need for the industry to improve risk management of third-party relationships. Firms cannot use third-party failures as an excuse when incidents occur. If the Regulators are not observing a good standard of management of third parties by regulated firms, they should amend, as appropriate, their rules or guidance to prompt an improvement. (Paragraph 113)

32. Cyber attacks are increasingly a concern for financial services sector firms. We welcome the level of coordination and priority given by firms in combating cyber risks. We encourage the participation of all firms and the Regulators in these interactions. (Paragraph 118)

Emerging risks to operational resilience

33. Producing a sector map would allow the Regulators to better identify and understand those commonly used service providers whose disruption could have major implications for the provision of financial services. We are sceptical of the Regulators’ argument that the creation of the map would be a target for those trying to cause harm. The Regulators commonly create documents which need a similarly high degree of security to prevent the information contained in them falling into the wrong hands. Moreover, some elements of the map are well known. The Regulators should therefore reconsider the case for conducting a sector mapping exercise, including consideration of the security concerns it may create. If they conclude that it would not be in the public interest, they should set out to this Committee how they are identifying and continually monitoring the risks of common critical service providers and interconnectivity in the financial services sector. (Paragraph 134)

34. Where the Regulators identify that third-party providers are becoming a potential source of concentration risk, they should highlight this risk, and consider whether action is required to mitigate it. Where common providers are systemic, and concentration risk is high or becoming high, the Financial Policy Committee should in each case consider recommending to the Treasury that these should be regulated, as the Financial Policy Committee has done for FMI. (Paragraph 135)

35. The cloud service provider market stood out as a source of concentration risk during the inquiry. This market is already highly concentrated and there is probably nothing the Government or Regulators can do to reduce this concentration in the short or medium term. The consequences of a major operational incident at a large cloud service provider could be significant, and not just limited to the financial services sector. The case for the regulation of these providers to ensure high standards of operational resilience is therefore considerable. The Government should urgently consider how best to regulate cloud service providers. Regulating them as critical infrastructure, while complex, may be necessary. (Paragraph 136)

36. There are other ways to mitigate concentration risk, including establishing channels of communication with common suppliers to use during an incident, utilising the EBA process of leveraging pooled audit arrangements for cloud service providers, and potentially building applications able to substitute a critical supplier with another. We expect industry, industry bodies, and the Regulators to act on initiatives such as these. (Paragraph 137)

37. New technology and innovation in the financial services sector can facilitate new services for customers and provide opportunities to improve firms’ operational resilience. We support innovation where it benefits customers, but with these benefits also come risks. Given the competition between firms to provide new technology-driven services for customers, the Regulators should ensure they have the capability and capacity to monitor the use of new technologies in the financial services sector. Regulators must also assess whether firms are rolling out new technologies before they have proven their resilience. (Paragraph 149)

38. It is right that firms and the Regulators are considering other downside risks from new technology, such as possible discriminatory effects. As the use of new technologies such as artificial intelligence and machine learning increases, both firms and Regulators must monitor their potential to be discriminatory. If these risks cannot be rigorously identified and mitigated, firms should not use these technologies. We urge the Regulators to set clear guidance for the sector. (Paragraph 150)

39. As established financial services firms share data with new entrants, for example as a result of Open Banking, they must ensure that the data is secure before customers are allowed to use the service. While we received assurances from a number of banks that they would not put customers at risk by launching an unstable or insecure system, the stakes are high, and the level of oversight over smaller fintech providers may not be the same. (Paragraph 151)

40. Some firms expressed the concern that new technology companies may be operating with a lower level of regulation than that of traditional financial services providers, while operating in similar sectors. We welcomed the Regulators explaining that they are monitoring this risk, and that the Financial Policy Committee considers this risk under its responsibility to identify risks beyond the regulatory perimeter. We also expect particular attention to be given to firms deliberately avoiding regulation. We believe that activities should be subject to the same standards of regulation, whatever type of firm is conducting them. (Paragraph 152)

41. We urge the Government to consider the review of the payments landscape as a priority, and request that the Government set out the scope and timelines for the review in response to this report. (Paragraph 153)

42. The majority of evidence received in this inquiry relates to the banking and payments sectors. While this is unsurprising given the expectations of consumers for these services and the recent high-profile outages, we are also interested in the operational resilience of other areas of the financial services sector. All financial services firms, and the Regulators, should be alert to the causes and consequences of IT incidents across the sector, and should take the necessary steps to reduce any risks. If the Regulators have identified specific risks from IT failures of other sectors, they should briefly set out in their response to this report how these risks are being identified and mitigated. (Paragraph 156)

Operational resilience and incident management

43. We heard that the level of investment in technology following the financial crisis has been affected by cost-cutting by financial services firms. Whilst some firms argued that they have invested in technology, many consumers would be disappointed that cost control has affected important investment in firms’ IT and operational resilience. Given the profits generated by the financial services sector, this is not an acceptable position. (Paragraph 160)

44. Firms face challenges in hiring skilled and experienced staff to manage technology-related risks, and we were encouraged to hear about some of the programmes that firms are investing in to train and develop staff. The financial services industry should work with universities and further education providers to develop the skills they need. There is an opportunity for firms to develop their own talent, and to recruit from a broad and diverse pool to improve their operational resilience capability. (Paragraph 166)

45. Given the PRA’s concern about the level of operational resilience experience on the boards of some financial services firms, we expect the Regulators to ensure that firms are focussed on recruiting the right skills and experience for their boards and senior management, and that they are developing diverse pipelines of talent for the future. (Paragraph 167)

46. There are benefits to industry taking a collaborative approach, sharing information and working together to improve the resilience of the sector. Cross-industry bodies such as UK Finance and TheCityUK should work with industry to identify and facilitate further areas of collaboration. (Paragraph 174)

47. In their response to this report, we expect the Regulators to set out their plans to build on their existing work facilitating industry collaboration. This should include encouraging participation of firms of all sizes, and highlighting where they think industry could go further. Where firms are reluctant to collaborate due to competitive pressures or commercial interest, such as becoming more secure but not sharing best practice in order to develop a commercial advantage, there is a role for the Regulators to encourage collaboration. (Paragraph 175)

48. It is not acceptable for customers to be at risk of severe operational disruption to their banking services for an indefinite period, and for there to be no way for the Regulators to help them, due to there being “nothing the central bank can do”, as we have heard. If the industry is unwilling or incapable of collectively preventing such disruption, for example by creating critical data backups and operational plans to mitigate against the consequences of cyber attack, then the Regulators must act. In the absence of market initiative, the Regulators should take stronger action to foster market solutions, or to enforce regulatory ones, to mitigate the risks of severe operational disruption. (Paragraph 176)

49. Sector exercises are a valuable tool for improving the industry’s preparedness for incidents and identifying any potential areas of weakness. Such exercises can provide the opportunity for firms to rehearse responses to incidents and share best practice. (Paragraph 180)

50. The Regulators should continue to facilitate sector exercises and should seek, in collaboration with industry and industry bodies, to expand the programme, in particular where new risks are identified, and where it is reasonably practical to include a wider range of firms. The Regulators should ensure that lessons learnt reports are shared with industry promptly after exercises. (Paragraph 181)

51. Firms are right to adopt a ‘when not if’ mindset on operational incidents. Given this, and the impact on customers when incidents occur, it is vital that firms have robust procedures in place to be followed in the event of an incident and a viable ‘Plan B’. The Regulators should ensure that assessing the adequacy of both the incident management procedures and evidence of exercising them forms a fundamental part of their supervisory engagement. To drive up standards, the Regulators, or industry bodies, should issue best practice guidance against which firms can assess their own procedures. (Paragraph 187)

52. Poor customer communications can exacerbate the impact of an operational incident, and previous high-profile outages have demonstrated this all too clearly. Clear, timely and accurate communications must ensure that customers are aware of the incident and that they receive advice on remediation timelines and alternative access. Customers have the right to this information. (Paragraph 194)

53. While accuracy of communications is important in order to avoid misinformation, firms should not unnecessarily delay or withhold information, even where reports of an incident may risk their reputation. It should not be left to a firm’s discretion as to whether to communicate to customers or not. If in rare circumstances there is a valid reason not to inform customers, this should require regulatory permission, and must not cause greater harm to customers. (Paragraph 195)

54. Customers need to be able to trust the information they receive during an IT incident from a financial services provider. Where communications are ineffective, or in major incidents where there is the need for a central source of trusted information, the Regulators should step in, which might include circulating information via a centralised portal. (Paragraph 196)

55. We are shocked to hear of the time taken for some customers to have complaints answered following an IT failure. This is an unacceptable position for customers and could lead to greater harm. Firms must act swiftly and fairly in responding to complaints and awarding compensation where customers have experienced harm or financial loss as a result of an IT incident. Given increasing demand on complaints teams following an incident, firms must be able to quickly scale up their capability. The FCA must ensure that firms are resolving complaints and awarding any compensation quickly, and take action where this is not the case. (Paragraph 199)

Published: 28 October 2019