What a review of IT upgrades says about FCA’s plans for operational resilience

Nothing causes as much despair in the world of IT as an “upgrade” that goes wrong. For a financial services firm, a failed IT upgrade can cause severe disruption to customers, and so the UK Financial Conduct Authority (FCA) has recently looked at how financial services firms update their technology. Its findings are a prelude to incoming rules on operational resilience.

Secrets to successful technology change

IT upgrades can be overlooked next to other higher-profile threats such as cyber attacks or data breaches but, according to the FCA, they are consistently one of the top causes of operational disruption. This is why the regulator is focused on how financial firms manage technology change.

The FCA concluded that stronger governance, day-to-day risk management, more widespread automation and more rigorous testing and planning all contribute to successful change activity. In particular, firms with governance arrangements that have been in place for more than a year experienced a lower proportion of incidents, the regulator said. Emergency changes, which often require firms to expedite the usual assurance and governance steps, made disruption more likely.

Another significant factor in the number and scale of disruptive events was the reliance on legacy infrastructure. More than 90% of the surveyed firms relied on legacy technology in some form to deliver their services. A lower proportion of legacy technology was found to correlate with a lower proportion of changes being marked as emergencies and a higher chance of those emergency changes being successfully deployed.

The message from the review is that financial firms should anticipate the problems that could arise from IT upgrades by focusing on the potential harm for their customers and the market. It is no coincidence that this is the approach the regulators will soon mandate across the industry via new standards on operational resilience.

Push towards operational resilience

Judging from high profile incidents in recent years, a “crash” in the context of financial services is as likely to refer to a system outage as a financial crisis. Whereas building resilience to the latter has been a long-standing objective of prudential regulation, preparing for the former is a relatively recent focus of the regulators.

In the last three years the FCA and the Bank of England (including the Prudential Regulation Authority) have developed new requirements which are intended to make the operational resilience of firms and of market infrastructure no less important than financial resilience.

At the centre of the proposals is a retelling of Murphy’s law (“if it can go wrong, it will go wrong”). Firms are told to start by assuming that disruption will happen to the systems on which their business services rely. A longer list of requirements then specifies how firms should prepare for this eventuality. The ultimate goal is for firms to set acceptable levels of disruption for their important business services and then remain within them.

Implementing a resilience framework

First published in 2019, the proposals are still in draft form due to an extended consultation period as a result of the pandemic. In the meantime, the European Commission has published its own draft rules which would impose new digital operational resilience standards for financial entities in the EU. Other jurisdictions, including Australia and Hong Kong, are also planning further policy work in this area.

In the UK, the regulators are due to publish their final rules in the coming weeks. For many firms this will be the cue to accelerate their operational resilience programmes, which might have been put on the back burner while other projects, such as Brexit or the response to the pandemic, took priority.

Firms will be particularly interested in the timetable set by the regulators. The proposals envisaged an initial one-year implementation period to prepare for most of the rules to take effect and up to three years before firms must remain within acceptable levels of disruption. Given the amount of work envisaged by the new regime, this is a relatively short period to plan, build and operationalise a regulatory change programme. Designing an effective governance framework at the outset is likely to be critical to success.

Lessons learned from 2020

The regulators’ plans on operational resilience predate the pandemic but it would be a surprise if the outcome of that policy work had not been influenced by the events that have taken place since the consultation was launched.

It should be noted, however, that the business disruption caused by COVID-19 differs from most other operational risks. The pandemic was relatively slow, prolonged and symmetric in terms of the impact it had on the financial services industry. Other incidents, such as system outages and cyber attacks, are short, sharp shocks, and often affect one firm at a time.

A separate incident from the last 12 months may be a better case study for firms to consider. When the FCA restricted the operations of Wirecard’s UK subsidiary in June 2020, it had an immediate effect on other regulated firms which relied on its services for operational support. This then had a knock-on effect for their customers. Some firms were able to respond more quickly than others, communicating swiftly and effectively with their customers and restoring their business services.

The Wirecard incident and the FCA’s review into technology change provide a reminder of the origins of the regulators’ concerns. As they put the final touches to their operational resilience regime, the regulators may look to return the focus to non-pandemic-related disruption, including the relatively mundane IT upgrade.

Simon Treacy is a professional support lawyer in the Financial Regulation Group at Linklaters.

This article (subscription only) was originally published by Thomson Reuters Regulatory Intelligence.
