The knowledge platform for the financial technology industry

A-Team Insight Blogs

Regulators Discuss SM&CR and IT Failure at UK Parliamentary Hearings


The UK Parliament’s Treasury Committee recently held a series of hearings on IT failures in the financial sector. Over the course of the hearings, at which representatives of the Bank of England, the Financial Conduct Authority and the Prudential Regulatory Authority spoke, the regulators discussed work completed and work in progress around operational resilience in general, and IT resilience specifically.

Held at the end of July, the hearings focused on the causes of IT failures at financial services firms over the past couple of years. While much of the discussion focused on the impact of outages on consumers, regulators identified an underlying problem within banks regarding the patchwork nature of their IT estate – both in terms of hardware and software, with the possibility of a significant IT failure causing considerable systemic risk.

Using SM&CR as a lever

At the heart of the problem is the vast technology estates that most banks run, with 30,000 servers or more, according to Guy Warren, CEO of ITRS Group, who gave evidence at a set of earlier hearings. In an interview he pointed out that banks’ servers have to coordinate to deliver services, and often they are a mix of very old technology, such as mainframes, and newer technology. In the hearings, the regulators joked about bank code that stretches back to the 1970s. According to Warren, this layered infrastructure has built up because banks have tended to add to systems rather than replace old ones.

These older systems can be much less resilient than newer technology platforms, and the combination of old and new tech can make overall processes within banks fragile. In addition, managing change in this type of environment is very difficult, and “change” is a significant cause of IT failures at banks.

Regulators at the hearing were clear that they want to see banks upgrade their infrastructure. “I am hoping that the discussion paper [Building the UK’s financial sector’s operational resilience], when we make it to policy, will effectively eliminate” old code and systems, said Lyndon Nelson, deputy chief executive of the Prudential Regulatory Authority (PRA). “If you think about it, the firm will have to think about what services to provide to the consumer, for example, and what is in the production line to get that service to them. Our best estimate is that, if there is a legacy system in there, their response time or their recovery time is going to be a lot higher. So, the policy, I think, is going to drive out that.”

Key to this is going to be the SM&CR, says Warren. The new focus by regulators will mean that if financial services firms “can’t afford to do the business, then they should make that decision. But you can’t underspend and then just complain that it’s hard to do all this. It’s all doable but it just costs you money and time to do it. Regulating the person will step that up… that really focuses you and your organization on resolving your key risks and key issues.”

Under SM&CR, the Chief Operations Senior Management Function (SMF 24) will be the person responsible for the resilience of operations. Ultimately, says Warren, the SMF 24 role will have to call out known risks as well as improvements that their employer needs to make. Says Warren, “Within most financial institutions, IT has been a cost centre and a secondary function, often reporting into the COO rather than having a seat at the top table. But actually, financial institutions cannot operate without IT, and IT is a revenue channel for them and should be seen that way.”

Regulators were clear about this in the hearings. “This is where accountability for the resilience in the firms’ operations comes in,” said David Bailey, executive director of financial market infrastructure at the Bank of England. “As part of the [operational resilience] discussion paper, we are very much holding boards accountable. Also, both my colleagues at the PRA and the FCA have the senior managers regime, where they can place specific accountability on individuals to be responsible. That will include, for example, understanding what risks are being run by legacy IT systems.”

At the end of the hearing, the PRA’s Nelson said that there were “a few” enforcement cases making their way through the system at the moment that directly relate to IT failure. While it’s unlikely that significant enforcement efforts will happen in advance of the full rollout of the final operational resilience policy document, says Warren, firms should keep in mind the possibility that UK regulators may want to make an example of firms with significant IT issues in the medium term.

Below is a list of some of the key materials cited by regulators during the hearings.

Recent publications from the UK regulators

Ongoing consultations and documents to come

  • Recently published draft guidance on how firms should think about dealing with vulnerable customers, Guidance for firms on the fair treatment of vulnerable customers. Vulnerability becomes an acute issue during periods of operational difficulty, according to Barker.
  • The PRA and FCA plan to issue a consultation paper in October that is a follow-up to the paper they published in July 2018, DP 18/4: Building the UK financial sector’s operational resilience. The consultation paper should contain some specific proposals for firms.
  • The PRA and FCA are creating a supervisory framework around operational resilience, which will include “where they will prioritize their review and resources.”
  • The Treasury published a call for input on the Financial Services Future Regulatory Framework Review Call for Evidence: Regulatory Coordination, in late July, which will explore how regulatory change impacts resilience, and particularly IT systems.
  • A document outlining lessons learned from recent scenario exercises around cyber resilience will be published by the PRA soon. It should have within it a number of work programmes, including:
    • Data integrity – How firms will handle the possibility that key operational data, including consumer information, could be corrupted during a failure
    • Major incident – How the regulators and industry should handle an event where a major institution becomes incapacitated.
  • The Basel Committee is looking at recalibrating its liquidity policy to take account of potential runs on financial institutions fuelled by social media.