A-Team Insight Blogs

Regulators Discuss SM&CR and IT Failure at UK Parliamentary Hearings


The UK parliament’s Treasury Committee recently held a series of hearings on IT failures in the financial sector. Over the course of the hearings, at which representatives of the Bank of England, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) gave evidence, the regulators discussed work completed and work in progress on operational resilience in general, and IT resilience in particular.

Held at the end of July, the hearings focused on the causes of IT failures at financial services firms over the past couple of years. While much of the discussion focused on the impact of outages on consumers, regulators identified an underlying problem within banks: the patchwork nature of their IT estates, in both hardware and software, which raises the possibility of a significant IT failure causing considerable systemic risk.

Using SM&CR as a lever

At the heart of the problem are the vast technology estates that most banks run, with 30,000 servers or more, according to Guy Warren, CEO of ITRS Group, who gave evidence at an earlier set of hearings. In an interview he pointed out that banks’ servers have to coordinate to deliver services, and are often a mix of very old technology, such as mainframes, and newer technology. In the hearings, the regulators joked about bank code that stretches back to the 1970s. According to Warren, this layered infrastructure has built up because banks have tended to add to systems rather than replace old ones.

These older systems can be much less resilient than newer technology platforms, and the combination of old and new technology can make overall processes within banks fragile. Managing change in this type of environment is also very difficult, and change is itself a significant cause of IT failures at banks.

Regulators at the hearing were clear that they want to see banks upgrade their infrastructure. “I am hoping that the discussion paper [Building the UK’s financial sector’s operational resilience], when we make it to policy, will effectively eliminate” old code and systems, said Lyndon Nelson, deputy chief executive of the Prudential Regulation Authority (PRA). “If you think about it, the firm will have to think about what services to provide to the consumer, for example, and what is in the production line to get that service to them. Our best estimate is that, if there is a legacy system in there, their response time or their recovery time is going to be a lot higher. So, the policy, I think, is going to drive out that.”

Key to this is going to be the SM&CR, says Warren. The new focus by regulators will mean that if financial services firms “can’t afford to do the business, then they should make that decision. But you can’t underspend and then just complain that it’s hard to do all this. It’s all doable but it just costs you money and time to do it. Regulating the person will step that up… that really focuses you and your organization on resolving your key risks and key issues.”

Under SM&CR, the holder of the Chief Operations senior management function (SMF 24) will be the person responsible for the resilience of operations. Ultimately, says Warren, the SMF 24 will have to call out known risks as well as the improvements that their employer needs to make. Says Warren, “Within most financial institutions, IT has been a cost centre and a secondary function, often reporting into the COO rather than having a seat at the top table. But actually, financial institutions cannot operate without IT, and IT is a revenue channel for them and should be seen that way.”

Regulators were clear about this in the hearings. “This is where accountability for the resilience in the firms’ operations comes in,” said David Bailey, executive director of financial market infrastructure at the Bank of England. “As part of the [operational resilience] discussion paper, we are very much holding boards accountable. Also, both my colleagues at the PRA and the FCA have the senior managers regime, where they can place specific accountability on individuals to be responsible. That will include, for example, understanding what risks are being run by legacy IT systems.”

At the end of the hearing, the PRA’s Nelson said that there were “a few” enforcement cases making their way through the system at the moment that directly relate to IT failure. While it is unlikely that significant enforcement efforts will happen in advance of the full roll-out of the final operational resilience policy document, says Warren, firms should keep in mind the possibility that UK regulators may want to make an example of firms with significant IT issues in the medium term.

Below is a list of some of the key materials cited by regulators during the hearings.

Recent publications from the UK regulators

Ongoing consultations and documents to come

  • Recently published draft guidance on how firms should think about dealing with vulnerable customers, Guidance for firms on the fair treatment of vulnerable customers. Vulnerability becomes an acute issue during periods of operational difficulty, according to Barker.
  • The PRA and FCA plan to issue a consultation paper in October as a follow-up to the paper they published in July 2018, DP 18/4: Building the UK financial sector’s operational resilience. The consultation paper should contain specific proposals for firms.
  • The PRA and FCA are creating a supervisory framework around operational resilience, which will include “where they will prioritize their review and resources.”
  • In late July, the Treasury published the Financial Services Future Regulatory Framework Review Call for Evidence: Regulatory Coordination, which will explore how regulatory change affects resilience, and IT systems in particular.
  • A document outlining lessons learned from recent scenario exercises around cyber resilience will be published by the PRA soon. It should set out a number of work programmes, including:
    • Data integrity – how firms will handle the possibility that key operational data, including consumer information, could be corrupted during a failure.
    • Major incident – how the regulators and industry should handle an event in which a major institution becomes incapacitated.
  • The Basel Committee is looking at recalibrating its liquidity policy to take account of potential runs on financial institutions fuelled by social media.
