John McKinlay considers the IT issues that face some of those entering the banking field
The emergence of 'challenger banks' in the UK is one of the biggest changes to the competitive landscape in financial services in recent times. Dozens of new banking organisations have been granted licences or are in the process of obtaining them. Technology and acceptance of new ways of consuming banking services drive the establishment of these banks. However, like any change to an established business model, new challenges and issues are thrown up.
When we think of these banks, one of our first thoughts might be that they have the opportunity to leave behind one of the biggest headaches affecting the large players in the market - that of complex and intertwined legacy IT systems which pose a major challenge to update and run efficiently. And while the challenger banks have the opportunity to design and select their systems from scratch, in practice they are often heavily dependent on a variety of legacy arrangements - either from their parent company or under contracts they enter into with other financial institutions or IT providers.
In this article, my focus is on challenger banks whose parent organisations are not themselves in the banking sector. One thing that characterises these arrangements is that the challenger bank may be highly dependent on the on-going support it receives from the parent, but without having complete control, or even significant influence, over these services. Given that it is common for a wide range of operational support to be given by the parent organisation, in the shape of IT, Telecoms, Payroll, Property, HR and Personnel, clearly this is not a trivial concern, for either the bank or its parent company.
So what are the issues?
Over and above the regulation that affects all businesses operating in the UK, banks are subject to an additional level of regulatory supervision all of their own. The whole sector, for understandable and sensible reasons, is highly regulated, and there is no sign of this burden reducing - if anything, the reverse is true.
Not only are banks generally therefore subject to closer regulatory scrutiny than most other industry sectors, but the detailed rules of the regimes governing the bank and the parent company will be quite different from each other. MiFID, the FCA's supervision provisions and principles and the SYSC rules make it necessary for a bank to demonstrate, among other things, proper control over its operations, the ability to scrutinise and audit arrangements (and to let regulators do so), and the right to deal with non-performance effectively.
While some dispensation from the strict application of SYSC rules is possible in intra-group arrangements, this applies only where the recipient of the services can control or has the ability to influence the service provider (i.e. the parent company), which might not be the case for a banking subsidiary. This means that the degree of informality which can often surround intra-group arrangements will not be permissible in these circumstances. Proper and robust contractual protection between the bank and parent will need to be in place, along with detailed governance and reporting provisions to deal with any issues as they arise.
Cybercrime and Data Security
In the past, the security and stability of banks was largely viewed as a matter pertaining to balance sheet strength. Now, the threat of attacks on the integrity and security of data is seen as equally (if not more) dangerous, both to individual banks and the sector as a whole. The regulators, including the Bank of England's FPC, the PRA and FCA, together with the Treasury and other government agencies, have all taken steps to ensure that, within their remit, the banks are fully addressing the current and incoming risks from cyber-attacks.
As an example, the FPC has launched the CBEST framework, which provides for intelligence-led penetration testing to be carried out and the results reported, to expose vulnerabilities in the sector. At present this regime is voluntary and limited to the major financial organisations in the UK, but it is realistic to think that this framework will be extended in some form to all financial institutions, including challenger banks. This could pose problems for their parent organisations whose systems may require significant upgrading to ensure they can stand up to the challenge of such testing.
Another aspect of cybersecurity is dealing with the 'insider threat'. Insider threat is a major risk for all organisations. The boundaries of organisations are more porous than ever, with mobile working, BYOD, cloud, outsourcing and third-party contracting, so the pool of potential 'insiders' is ever-growing. In addition, banks need to recognise two distinct categories - the 'malicious' insider and the 'accidental' insider. The profile of a malicious insider varies; while it could be someone specifically planted for this purpose, in many instances it will be a disaffected or coerced employee or supplier, often someone who has been with the organisation for a number of years. In the case of the 'accidental' insider, the key issue is to ensure that personnel have the right level of training for their role and their access to data, as the lack of such training is the major contributing factor to this threat. Any policies which have been put in place in the parent organisation to cope with such matters will need to be re-considered in the context of the specific threats faced by a banking organisation.
More generally, while good practice dictates that any organisation which suffers a cyber-attack or a data security breach should respond promptly with information to their customers and other impacted parties, the legal duties to respond vary from sector to sector. While the Data Protection Act operates across the board, a company outside the banking sector may decide that it requires a certain period to fully investigate a security breach before it communicates this to any third party for areas where personal data is not immediately impacted. Its subsidiary bank, on the other hand, will be required to follow the FCA/PRA supervision provisions, principles and rules on reporting breaches of security (for example Principle 11 of the FCA's Principles for Business, which requires the bank to inform the regulators of anything affecting the bank that the regulators would reasonably expect notice of). In practice, this could require very swift notification, particularly for major incidents which impact the bank's reputation or which could result in serious detriment to a customer. These could be exactly the sort of incidents that a company outside the banking sector would wish to have longer to analyse before discussing externally.
The services which are being provided to the bank are often dependent on third-party contracts, many of which will be longer term, group-wide arrangements which may have been put in place before the bank came into being. These third-party contracts might not be in the format, or contain the content, that would be common in the banking industry. As an example, 'early warning' obligations on suppliers are common in service agreements for banks, as are provisions giving the right to terminate a contract because of a regulatory concern, and detailed requirements for pre-employment personnel checks on suppliers' staff. The bank must be aware of the risk which can arise if these terms are absent from a contract between the parent company and a third party.
In addition, the bank will be one stage further removed from the contract, and may not have the rights to participate in governance meetings or to receive basic information on the services. Certainly it will take more organisational effort on the part of both the bank and the parent company to ensure that the range of information that normally flows between contract parties is replicated for the bank. One of the key issues, for example, is that a bank (under interpretation of the FCA's Principles for Business 3) should obtain sufficient information from suppliers to enable it to assess the impact of outsourcing a function on its systems and controls - which could prove a challenge if a bank is relying on general assurances from an internal group function about a service being provided by a third party.
The SYSC 8 framework applies (either directly as rules for outsourcing of critical or important operational functions or alternatively as guiding principles for less significant arrangements), and requires banks to consider the whole life-cycle of a contract, from the initial selection of the relevant third party through to effective contract management and detailed planning for exit.
It should also be appreciated that allowing a subsidiary to use a third-party contract could create issues for the parent company. The fact that the bank relies on this contract could constrain the options available to the parent company to deal with poor performance. For example, this introduces complexities into the rights to terminate a contract. Even if the parent's own business could cope with the termination of a supply agreement, the bank's might not, and so planning for exit or renewals will need to factor in the concerns of the bank and its regulators.
Finally, one question that should be considered is how similar or otherwise the cultures of the organisations are, and how this might impact on the arrangements. Various factors affect culture. For example, each is likely to have quite a different position in its respective market - the parent might be a significant and long-established force, whereas the subsidiary bank will be a new player. In addition, each organisation will have its own leadership team with its own strategy and agenda. As a result, there will be different behaviours and risk appetites, which will impact in different ways. This could extend, for example, to the type of third parties each is willing to deal with, the duration and form of contracts used, and the internal controls in place to guard against things going wrong. To avoid a constant 'clash of cultures' (and the bank always coming second best), there must be a common understanding on how to deal with concerns which are relevant to both organisations.
Why is this important?
Already in the UK there have been examples of regulatory fines due to inadequate intra-group arrangements in the banking sector. As has been noted already, regulatory scrutiny is increasing year by year and therefore it is vital that these arrangements are designed and managed with the interests of the bank given due prominence and importance.
It is also vital that these issues have board-level attention, and are not left as the preserve of the individual business areas (such as IT, HR or Operations) to deal with in isolation. Boards that cannot show that they are aware of and in control of these matters run the risk of being censured by regulators.
Overall, it is clear that simply by having a banking subsidiary, an organisation will open itself up to risks and expectations of a different order, and will be expected to have the systems and processes in place to deal with them. The regulators are now much more assertive in proactively taking steps to ensure this is the case. It is therefore vital that these systems used by challenger banks, and the processes and personnel which support them, are designed with these requirements in mind.
John McKinlay is a partner at DLA Piper UK LLP and head of IPT in Scotland.