Conclusions set out in report published by the House of Commons Treasury Select Committee.
The House of Commons Treasury Select Committee has published a report on IT failures in the financial services sector.
The report makes the point that with bank branches and cash machines disappearing, customers are increasingly expected to rely on online banking services. However, these services have been significantly disrupted due to IT failures. This adversely affects customers left without access to their financial services. Although completely uninterrupted access to banking services is not achievable, prolonged IT failures should not be tolerated. According to the Committee, the current level and frequency of disruption and consumer harm is unacceptable.
The Treasury Committee’s report has made a series of recommendations to improve operational resilience, including ensuring accountability of individuals and firms, increasing financial sector levies to ensure that the relevant regulators (the Financial Conduct Authority, Prudential Regulation Authority, and Bank of England) are sufficiently staffed, and ensuring that financial services suppliers resolve complaints and award compensation quickly.
The number of IT failures is increasing, with the impact ranging from inconvenience or harm to customers though to threats to a firm’s viability. However, the Committee finds the lack of consistent and accurate recording of data on such incidents concerning.
It says that the regulators must intervene to improve the operational resilience of the financial services sector, as has been required recently with financial resilience. To do so, they must also ensure that they have the appropriate skills and experience. If this proves challenging, the regulators should increase the financial sector levies so that they can hire staff with the required expertise and experience. While their role in supervising operational resilience is still developing, they must ensure that they have an agile approach so that they can adapt to changing risks. They must maintain a very low tolerance for service disruption by providing guidance on what level of impact should be tolerated. The regulators cannot allow firms to set their own tolerance for disruption too high, to avoid lax operational resilience.
Further, the regulators must use the tools at their disposal to hold individuals and firms to account for their role in IT failures and poor operational resilience. The Senior Managers Regime should be expanded to include Financial Market Infrastructure firms, such as payment systems. To ensure accountability for failures, regulators must be, and be seen to be, robust. However, the Committee points out that it has yet to see a successful enforcement case under the Senior Managers Regime against an individual following an IT failure, which may be evidence of ineffective enforcement. If future incidents occur without sanction, the UK parliament should consider whether the regulators’ enforcement powers are fit for purpose. The regulators must provide the Committee with the outcome of their investigation into the TSB IT failure as soon as possible.
Firms are not doing enough to mitigate the operational risks that they face from their own legacy technology, which can often lead to IT incidents. Regulators must ensure that firms cannot use the cost or difficulty of upgrades as excuses to not make vital upgrades to legacy systems. Given the potential for short-sightedness by management teams, if improvements in firms’ management of legacy systems are not forthcoming, regulators must intervene to ensure that firms are not exposing customers to risks due to legacy IT systems. When firms do embrace new technology, poor management of such change is one of the primary causes of IT failures. As time and cost pressures may cause firms to cut corners when implementing change programmes, the regulators must adopt a proactive approach to ensure that customers are protected.
There are many cases where financial services firms use the same third-party providers, such as cloud services. The regulators should highlight potential concentration risks and consider whether mitigating action is required. Where common providers are systemic, the Financial Policy Committee should consider recommending regulation to HM Treasury. During the Treasury Committee’s investigation, the cloud service provider market stood out as such a source of systemic risk. The consequences of a major operational incident at a large cloud service provider, such as Microsoft, Google or Amazon, could be significant. There is, therefore, a considerable case for the regulation of cloud service providers to ensure high standards of operational resilience.
When IT failures occur, the impact on customers can be harmful, so firms should be adopting a ‘when not if’ approach, ensuring that they have robust procedures in place if there is an incident. When incidents do occur, poor customer communications can exacerbate the situation. Clear, timely and accurate communications must ensure that customers are aware of the incident and that they receive advice on remediation timelines and alternative access. When customers complain, the time taken for some customers to hear an answer is shocking and unacceptable. Firms must resolve complaints and award any compensation quickly.