A-Team Insight Blogs

Regulators Discuss SM&CR and IT Failure at UK Parliamentary Hearings

The UK parliament’s Treasury Committee recently held a series of hearings on IT failures in the financial sector. Over the course of the hearings, at which representatives of the Bank of England, the Financial Conduct Authority and the Prudential Regulatory Authority spoke, the regulators discussed work completed and work in progress on operational resilience in general, and IT resilience specifically.

Held at the end of July, the hearings focused on the causes of IT failures at financial services firms over the past couple of years. While much of the discussion focused on the impact of outages on consumers, regulators identified an underlying problem within banks: the patchwork nature of their IT estates, in terms of both hardware and software, raises the possibility that a significant IT failure could cause considerable systemic risk.

Using SM&CR as a lever

At the heart of the problem is the vast technology estates that most banks run, with 30,000 servers or more, according to Guy Warren, CEO of ITRS Group, who gave evidence at a set of earlier hearings. In an interview he pointed out that banks’ servers have to coordinate to deliver services, and often they are a mix of very old technology, such as mainframes, and newer technology. In the hearings, the regulators joked about bank code that stretches back to the 1970s. According to Warren, this layered infrastructure has built up because banks have tended to add to systems rather than replace old ones.

These older systems can be much less resilient than newer technology platforms, and the combination of old and new tech can make overall processes within banks fragile. As well, managing change in this type of environment is very difficult, and “change” is a significant cause of IT failures at banks.

Regulators at the hearing were clear that they want to see banks upgrade their infrastructure. “I am hoping that the discussion paper [Building the UK’s financial sector’s operational resilience], when we make it to policy, will effectively eliminate” old code and systems, said Lyndon Nelson, deputy chief executive of the Prudential Regulatory Authority (PRA). “If you think about it, the firm will have to think about what services to provide to the consumer, for example, and what is in the production line to get that service to them. Our best estimate is that, if there is a legacy system in there, their response time or their recovery time is going to be a lot higher. So, the policy, I think, is going to drive out that.”

Key to this is going to be the SM&CR, says Warren. The new focus by regulators will mean that if financial services firms “can’t afford to do the business, then they should make that decision. But you can’t underspend and then just complain that it’s hard to do all this. It’s all doable but it just costs you money and time to do it. Regulating the person will step that up… that really focuses you and your organization on resolving your key risks and key issues.”

Under SM&CR, the Chief Operations Senior Management Function (SMF 24) will be the person responsible for the resilience of operations. Ultimately, says Warren, the SMF 24 role will have to call out known risks as well as improvements that their employer needs to make. Says Warren, “Within most financial institutions, IT has been a cost centre and a secondary function, often reporting into the COO rather than having a seat at the top table. But actually, financial institutions cannot operate without IT, and IT is a revenue channel for them and should be seen that way.”

Regulators were clear about this in the hearings. “This is where accountability for the resilience in the firms’ operations comes in,” said David Bailey, executive director of financial market infrastructure at the Bank of England. “As part of the [operational resilience] discussion paper, we are very much holding boards accountable. Also, both my colleagues at the PRA and the FCA have the senior managers regime, where they can place specific accountability on individuals to be responsible. That will include, for example, understanding what risks are being run by legacy IT systems.”

At the end of the hearing, the PRA’s Nelson said that there were “a few” enforcement cases making their way through the system at the moment that directly relate to IT failure. While it is unlikely that significant enforcement efforts will happen in advance of the full roll-out of the final operational resilience policy document, says Warren, firms should keep in mind the possibility that UK regulators may want to make an example of firms with significant IT issues in the medium term.

Below is a list of some of the key materials cited by regulators during the hearings.

Recent publications from the UK regulators

Ongoing consultations and documents to come

  • Recently published draft guidance on how firms should think about dealing with vulnerable customers, Guidance for firms on the fair treatment of vulnerable customers. Vulnerability becomes an acute issue during periods of operational difficulty, according to Barker.
  • The PRA and FCA plan to issue a consultation paper in October that is a follow-up to the paper they published in July 2018, DP 18/4: Building the UK financial sector’s operational resilience. The consultation paper should contain some specific proposals for firms.
  • The PRA and FCA are creating a supervisory framework around operational resilience, which will include “where they will prioritize their review and resources.”
  • The Treasury published a call for input on the Financial Services Future Regulatory Framework Review Call for Evidence: Regulatory Coordination, in late July, which will explore how regulatory change impacts resilience, and particularly IT systems.
  • A document outlining lessons learned from recent scenario exercises around cyber resilience will be published by the PRA soon. It should have within it a number of work programmes, including:
    • Data integrity – How firms will handle the possibility that key operational data, including consumer information, could be corrupted during a failure
    • Major incident – How the regulators and industry should handle an event where a major institution becomes incapacitated.
  • The Basel Committee is looking at recalibrating its liquidity policy to take account of potential runs on financial institutions fuelled by social media.