The knowledge platform for the financial technology industry

A-Team Insight Blogs

Regulators Discuss SM&CR and IT Failure at UK Parliamentary Hearings

The UK parliament’s Treasury Committee recently held a series of hearings on IT failures in the financial sector. Over the course of the hearings, at which representatives of the Bank of England, the Financial Conduct Authority and the Prudential Regulatory Authority spoke, the regulators discussed work completed and work in progress around operational resilience in general, and IT resilience specifically.

Held at the end of July, the hearings focused on the causes of IT failures at financial services firms over the past couple of years. While much of the discussion focused on the impact of outages on consumers, regulators identified an underlying problem within banks regarding the patchwork nature of their IT estate – both in terms of hardware and software, with the possibility of a significant IT failure causing considerable systemic risk.

Using SM&CR as a lever

At the heart of the problem are the vast technology estates that most banks run, with 30,000 servers or more, according to Guy Warren, CEO of ITRS Group, who gave evidence at a set of earlier hearings. In an interview he pointed out that banks’ servers have to coordinate to deliver services, and often they are a mix of very old technology, such as mainframes, and newer technology. In the hearings, the regulators joked about bank code that stretches back to the 1970s. According to Warren, this layered infrastructure has built up because banks have tended to add to systems rather than replace old ones.

These older systems can be much less resilient than newer technology platforms, and the combination of old and new tech can make overall processes within banks fragile. In addition, managing change in this type of environment is very difficult, and “change” is a significant cause of IT failures at banks.

Regulators at the hearing were clear that they want to see banks upgrade their infrastructure. “I am hoping that the discussion paper [Building the UK’s financial sector’s operational resilience], when we make it to policy, will effectively eliminate” old code and systems, said Lyndon Nelson, deputy chief executive of the Prudential Regulatory Authority (PRA). “If you think about it, the firm will have to think about what services to provide to the consumer, for example, and what is in the production line to get that service to them. Our best estimate is that, if there is a legacy system in there, their response time or their recovery time is going to be a lot higher. So, the policy, I think, is going to drive out that.”

Key to this is going to be the SM&CR, says Warren. The new focus by regulators will mean that if financial services firms “can’t afford to do the business, then they should make that decision. But you can’t underspend and then just complain that it’s hard to do all this. It’s all doable but it just costs you money and time to do it. Regulating the person will step that up… that really focuses you and your organization on resolving your key risks and key issues.”

Under SM&CR, the Chief Operations Senior Management Function (SMF 24) will be the person responsible for the resilience of operations. Ultimately, says Warren, the SMF 24 role will have to call out known risks as well as improvements that their employer needs to make. Says Warren, “Within most financial institutions, IT has been a cost centre and a secondary function, often reporting into the COO rather than having a seat at the top table. But actually, financial institutions cannot operate without IT, and IT is a revenue channel for them and should be seen that way.”

Regulators were clear about this in the hearings. “This is where accountability for the resilience in the firms’ operations comes in,” said David Bailey, executive director of financial market infrastructure at the Bank of England. “As part of the [operational resilience] discussion paper, we are very much holding boards accountable. Also, both my colleagues at the PRA and the FCA have the senior managers regime, where they can place specific accountability on individuals to be responsible. That will include, for example, understanding what risks are being run by legacy IT systems.”

At the end of the hearing, the PRA’s Nelson said that there were “a few” enforcement cases making their way through the system at the moment that directly relate to IT failure. While it’s unlikely that significant enforcement efforts will happen in advance of the full rollout of the final operational resilience policy document, says Warren, firms should keep in mind the possibility that UK regulators may want to make an example of firms with significant IT issues in the medium term.

Below is a list of some of the key materials cited by regulators during the hearings.

Recent publications from the UK regulators

Ongoing consultations and documents to come

  • Recently published draft guidance on how firms should think about dealing with vulnerable customers, Guidance for firms on the fair treatment of vulnerable customers. Vulnerability becomes an acute issue during periods of operational difficulty, according to Barker.
  • The PRA and FCA plan to issue a consultation paper in October that is a follow-up to the paper they published in July 2018, DP 18/4: Building the UK financial sector’s operational resilience. The consultation paper should contain some specific proposals for firms.
  • The PRA and FCA are creating a supervisory framework around operational resilience, which will include “where they will prioritize their review and resources.”
  • The Treasury published a call for input on the Financial Services Future Regulatory Framework Review Call for Evidence: Regulatory Coordination, in late July, which will explore how regulatory change impacts resilience, and particularly IT systems.
  • A document outlining lessons learned from recent scenario exercises around cyber resilience will be published by the PRA soon. It should have within it a number of work programmes, including:
    • Data integrity – How firms will handle the possibility that key operational data, including consumer information, could be corrupted during a failure.
    • Major incident – How the regulators and industry should handle an event where a major institution becomes incapacitated.
  • The Basel Committee is looking at recalibrating its liquidity policy to take account of potential runs on financial institutions fuelled by social media.