UK Treasury Committee says regulators must act to reduce IT failures in financial services
Ageing IT systems, failed outsourcings and cyber-attacks have been common causes of disruption to business in the financial services sector. A parliamentary committee has concluded that the current level and frequency of disruption and consumer harm in financial services is “unacceptable” and “prolonged IT failures should not be tolerated”. The ball is now in the regulators’ court to respond.
The shift to digital services
Following a number of high profile service disruption incidents in the financial services sector, the House of Commons Treasury Committee has published a damning report on IT failures in the financial services sector. The Committee reports that incidents are increasing in number and can have significant impacts which may go beyond consumer harm to undermining the viability of a firm and potentially even to the stability of the financial system as a whole.
The report suggests that the root cause of the problem has been the shift to more digital financial services, and it examines common causes of IT incidents and emerging risks to operational resilience. The main thrust of the report, however, is the role of the various regulators in the sector in reducing both the number and the impact of IT failures in financial services.
The report sets out a series of recommendations with some key messages for regulators:
- Focus on operational resilience welcomed: The Committee calls on the UK financial services regulators to prioritise their policy work on operational resilience which should include “practical and effective” requirements and clear guidance to firms on impact tolerances.
- Regulating the cloud: The market for cloud services stood out as a source of concentration risk during the inquiry. According to the Committee, the case for the regulation of cloud service providers is “overwhelming”.
- Applying the Senior Managers Regime to market infrastructure: The Committee urged the Government to extend individual accountability rules for banks and insurers to also apply to financial market infrastructure overseen by the Bank of England such as payment systems.
- Bearing teeth: The Committee considered that regulators must “have teeth and… be seen to have teeth”, i.e. use their enforcement tools to hold individuals and firms to account for their role in IT failures and poor operational resilience.
- Regulators need more resources: The Committee suggested that regulators should increase their expertise dedicated to operational resilience, particularly at senior levels, and increase industry levies if needed to cover the cost.
- More incident reporting may be needed: The Committee recommended that the regulators assess the accuracy and consistency of incident reporting and consider whether current requirements should be expanded to cover more services.
- Resilience disclosures: The Committee proposed that firms should be required to provide more prominent public information about their resiliency to allow customers to make informed decisions about which provider they use.
- Discriminatory technology: According to the Committee, the regulators should monitor the discriminatory potential of artificial intelligence and machine learning and set clear guidance for the sector. In the Committee’s view, firms should not use this technology if these risks cannot be rigorously identified and mitigated.
What happens next?
The report concludes the Committee’s inquiry into IT failures in the financial services sector which was launched in November 2018. A separate inquiry by the Committee into service disruption at TSB in 2018 is ongoing.
We are also awaiting the Bank of England, PRA and FCA consultation papers on operational resilience which are due to be published shortly.