The UK parliament’s Treasury Committee recently held a series of hearings on IT failures in the financial sector. Over the course of the hearings, at which representatives of the Bank of England, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) spoke, the regulators discussed work completed and work in progress on operational resilience in general, and on IT resilience specifically.
Held at the end of July, the hearings examined the causes of IT failures at financial services firms over the past couple of years. While much of the discussion centred on the impact of outages on consumers, the regulators identified an underlying problem within banks: the patchwork nature of their IT estates, in terms of both hardware and software, which leaves open the possibility of a significant IT failure creating considerable systemic risk.
Using SM&CR as a lever
At the heart of the problem are the vast technology estates that most banks run, with 30,000 servers or more, according to Guy Warren, CEO of ITRS Group, who gave evidence at a set of earlier hearings. In an interview he pointed out that banks’ servers have to coordinate to deliver services, and that they are often a mix of very old technology, such as mainframes, and newer technology. In the hearings, the regulators joked about bank code that stretches back to the 1970s. According to Warren, this layered infrastructure has built up because banks have tended to add to systems rather than replace old ones.
These older systems can be much less resilient than newer technology platforms, and the combination of old and new technology can make overall processes within banks fragile. Managing change in this type of environment is also very difficult, and change is itself a significant cause of IT failures at banks.
Regulators at the hearing were clear that they want to see banks upgrade their infrastructure. “I am hoping that the discussion paper [Building the UK’s financial sector’s operational resilience], when we make it to policy, will effectively eliminate” old code and systems, said Lyndon Nelson, deputy chief executive of the Prudential Regulation Authority (PRA). “If you think about it, the firm will have to think about what services to provide to the consumer, for example, and what is in the production line to get that service to them. Our best estimate is that, if there is a legacy system in there, their response time or their recovery time is going to be a lot higher. So, the policy, I think, is going to drive out that.”
Key to this is going to be the Senior Managers and Certification Regime (SM&CR), says Warren. The new focus by regulators will mean that if financial services firms “can’t afford to do the business, then they should make that decision. But you can’t underspend and then just complain that it’s hard to do all this. It’s all doable but it just costs you money and time to do it. Regulating the person will step that up… that really focuses you and your organization on resolving your key risks and key issues.”
Under SM&CR, the Chief Operations Senior Management Function (SMF 24) will be the person responsible for the resilience of operations. Ultimately, says Warren, the holder of the SMF 24 role will have to call out known risks, as well as the improvements their employer needs to make. Says Warren, “Within most financial institutions, IT has been a cost centre and a secondary function, often reporting into the COO rather than having a seat at the top table. But actually, financial institutions cannot operate without IT, and IT is a revenue channel for them and should be seen that way.”
Regulators were clear about this in the hearings. “This is where accountability for the resilience in the firms’ operations comes in,” said David Bailey, executive director of financial market infrastructure at the Bank of England. “As part of the [operational resilience] discussion paper, we are very much holding boards accountable. Also, both my colleagues at the PRA and the FCA have the senior managers regime, where they can place specific accountability on individuals to be responsible. That will include, for example, understanding what risks are being run by legacy IT systems.”
At the end of the hearing, the PRA’s Nelson said that there were “a few” enforcement cases making their way through the system at the moment that relate directly to IT failure. While it is unlikely that significant enforcement efforts will happen in advance of the full roll-out of the final operational resilience policy document, says Warren, firms should keep in mind the possibility that UK regulators may want to make an example of firms with significant IT issues in the medium term.
Below is a list of some of the key materials cited by regulators during the hearings.
Recent publications from the UK regulators
- In November 2018 the FCA published the findings of a survey, Cyber and Technology Resilience: Themes from cross-sector survey 2017/2018.
- In December 2018 the FCA published insights about firms’ cyber security preparations, obtained during visits to a select group of 20 firms – Wholesale banks and asset management cyber multi-firm review findings.
- In March 2019 the FCA published Cyber security – industry insights. The information in this document was gathered from the cyber security industry groups that the FCA organizes.
Ongoing consultations and documents to come
- The FCA recently published draft guidance on how firms should think about dealing with vulnerable customers, Guidance for firms on the fair treatment of vulnerable customers. Vulnerability becomes an acute issue during periods of operational difficulty, according to Barker.
- The PRA and FCA plan to issue a consultation paper in October that is a follow-up to the paper they published in July 2018, DP 18/4: Building the UK financial sector’s operational resilience. The consultation paper should contain some specific proposals for firms.
- The PRA and FCA are creating a supervisory framework around operational resilience, which will include “where they will prioritize their review and resources.”
- In late July the Treasury published a call for evidence, Financial Services Future Regulatory Framework Review Call for Evidence: Regulatory Coordination, which will explore how regulatory change affects resilience, and particularly IT systems.
- A document outlining lessons learned from recent scenario exercises around cyber resilience will be published by the PRA soon. It is expected to set out a number of work programmes, including:
  - Data integrity – how firms will handle the possibility that key operational data, including consumer information, could be corrupted during a failure.
  - Major incident – how the regulators and industry should handle an event in which a major institution becomes incapacitated.
- The Basel Committee is looking at recalibrating its liquidity policy to take account of potential runs on financial institutions fuelled by social media.