On 28 October 2019, the Treasury Committee published its Second Report of Session 2019, IT failures in the financial services sector (HC 224). On 10 January 2020 we received the Regulators (Financial Conduct Authority, Bank of England and Prudential Regulation Authority) response to the report, and on 14 January 2020 we received the Government Response, both of which are appended below.
We welcome the Treasury Select Committee’s (the Committee’s) report dated 28 October 2019 regarding IT failures in financial services. We agree with the Committee’s observation that improved operational resilience will reduce the number and the impact of IT or operational incidents. We also welcome the Committee’s recommendations for improving operational resilience in the financial sector. This is an important area for the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), the Bank of England (‘the Bank’) in its capacity of supervising financial market infrastructures (FMIs) (collectively ‘the Authorities’) and the financial sector. We are well into the process of developing and implementing major changes to our regulatory framework for ensuring adequate operational resilience. The Committee has raised some important issues which we will take forward as we develop that regulatory framework.
When the Authorities gave evidence to the TSC enquiry, we had not yet published our Consultation Papers setting out our proposed framework of operational resilience policies. These were published on 5 December 2019. The proposals are consistent with the recommendations made by the Committee and represent an important milestone in our approach to embedding operational resilience into the regulatory framework for the financial sector. The consultation period closes on 3 April 2020, and subject to the outcome of that consultation the Authorities expect to publish final policy during the second half of the year.
The annex to this letter sets out how under our existing supervisory approaches and once the new operational resilience policy is in place, through additional supervisory scrutiny, we plan to address the Committee’s recommendations. We also set out thoughts on areas that will require further work, both by industry and the Authorities.
We would like to highlight four key areas that will contribute to greater operational resilience in the finance sector:
1. Supervisory approach and tools: we agree that effective supervision by the Authorities is an important element of improving the operational resilience of firms and FMIs. Our proposals include clear standards for operational resilience, connecting requirements and expectations to the Authorities’ public interest objectives. These proposals allow for supervisory action if firms or FMIs do not meet the standards set out in the policy.
2. Incident reporting and management: there are existing obligations on firms and FMIs to report certain operational incidents to the Authorities. However, there is a lack of consistency in the way incidents are reported to the Authorities, reflecting the complex and evolving environment in which firms and FMIs operate. This is an area that the Authorities and industry are currently tackling and further work will be needed. The Committee’s recommendations will be helpful in shaping our approach. On incident management, we propose that firms and FMIs test their incident management procedures to ensure they can remain within impact tolerances. The focus on being able to resume an important business service within an impact tolerance should also concentrate board and management attention on what matters most in the event of an incident, including when and how to contact customers and Authorities.
3. Third parties and new technology: our proposed new framework specifies that a firm or FMI’s operational resilience should not be undermined when it relies on a third party, wholly or in part, for the delivery of an important business service. Supporting this principle, and in line with the Bank’s commitments in its response to the ‘Future of Finance Report’ earlier this year, a dedicated PRA Consultation Paper on ‘Outsourcing and third party risk management’ (included in the package of consultation papers) modernises and strengthens the regulatory framework for the management of outsourcing and third party risk, including in respect of data security. The FCA Operational Resilience Consultation Paper contains a chapter outlining the importance of outsourcing and other third party service provision to operational resilience and subsequent expectations of firms. In addition, the Authorities are undertaking work to enhance the monitoring of systemic concentrations in the provision of third party services to firms and FMIs (enabled by new regulatory data). HM Treasury now has the power to specify service providers to recognised payment systems, which can bring service providers under the Bank’s direct supervision, and it has already exercised this power for one service provider. Regarding new technology the Authorities are also engaged significantly in work to improve our understanding of the use of artificial intelligence and machine learning in financial services, which will help us develop further policy in the future and address the TSC’s recommendations in this area.
4. Co-operation between the Authorities and industry: we fully agree that the approach to operational resilience should be co-ordinated across the Authorities. That is evident in the joint consultation papers and the response. We are working closely together to ensure a consistent approach to operational resilience and our intended outcomes are aligned. This positive working relationship will continue into the implementation phase of our final policy and the ongoing supervision of firms and FMIs. When incidents occur, we have a longstanding coordinated approach through the Authorities Response Framework. The financial services industry has an established collaborative approach to incident management, which is regularly tested through sector-wide simulation exercises. We also agree that collaboration between the Authorities and industry will lead to better outcomes and stronger industry wide operational resilience, and we are therefore working with industry to develop new capabilities, for example, through the work of the Cross Market Operational Resilience Group (CMORG) to advance the development of collective solutions to support system recovery in the event of a severe operational incident.
In relation to your recommendation on providing an account of the TSB IT failure, we are not able to give any public commentary at this stage because enforcement investigations are ongoing. However we would like to reassure the Committee that the Authorities have a suite of supervisory and enforcement tools for holding firms, FMIs and individuals, where relevant, to account for operational resilience failures.
We have also reflected carefully on the Committee’s recommendation to increase financial sector levies. We have and continue to build technical expertise within the Authorities and we are upskilling our supervisors via training programmes. We are also using external expertise where appropriate, for example via reviews by skilled persons. At this stage it has been possible for the Authorities to increase resources on operational resilience without a special levy, and we are mindful of the need to use our resources effectively and to balance costs to supervised firms against the benefits of meeting our objectives. We will keep the possibility of raising the levy in the future under review.
We have provided a more detailed response to all of your recommendations in the Annex to this letter. We note that the package of consultation papers published on 5 December and our ongoing supervisory work is very much consistent with your report and recommendations, and we look forward to continuing to discuss these important issues with the Committee.
Chief Executive, Financial Conduct Authority
Deputy Governor, Financial Stability, Bank of England
Deputy Governor, Prudential Regulation and Chief Executive, Prudential Regulation Authority
Published: 13 March 2020