Earlier this year we reported on various initiatives at Regulator and Government level looking at the operational resilience of IT systems in the financial services sector. One such initiative is the inquiry launched by the Treasury Committee in November 2018 into whether there should be more regulation within the sector with the aim of improving operational resilience and protecting customers. On 29 October 2019 the report resulting from the inquiry (the Report) was published.
As well as making a number of observations about the key operational risks affecting the sector, the Report makes a number of recommendations. These will affect both the financial services Regulators (the Bank of England, FCA and PRA) and regulated firms, and some may ultimately result in existing or new regulation being extended beyond those entities to other groups such as cloud service providers. The focus is firmly on operational recovery and accountability, with the end-goal of protecting a customer base which is now heavily reliant on online banking services.
Regulators are expected to take a more interventionist and proactive approach to operational resilience, in line with their approach to financial resilience.
As the number of bank branches and ATMs decreases and financial services firms increasingly make use of technology to improve their services, customers are ever more reliant on digital channels to access services. As a result, even brief disruptions in service may cause significant harm to customers, as well as affecting a regulated firm’s viability or financial stability.
Operational incidents in the sector are increasing in frequency. Completely uninterrupted access to banking services is not achievable, but prolonged or regular IT failures are unacceptable and the current level of disruptions is too high.
Regulatory supervision of operational resilience may require a different approach to that of prudential and conduct risks.
Legacy technology, change management, third party relationships and cyber threats pose some of the biggest threats to operational resilience.
Regulators should provide clear guidance to regulated firms on setting impact tolerances in respect of service disruptions, and – while it is envisaged that regulated firms will fix their own impact tolerances – firms should not be permitted to set them too high.
To facilitate customer choice, firms should be required by the Regulators to provide clearer and more prominent reporting to the public regarding their operational resilience.
Regulators must be willing and able to step in and take a role during significant incidents. They must also hold individuals and firms to account, not only to avoid repetition of mistakes but also to focus firms’ attention on managing risks. No successful enforcement action has yet been brought in relation to an IT failure, and the effectiveness of the current Senior Managers Regime needs to be reconsidered in that light (and should, in any event, be extended to FMIs).
Firms need to do more to ensure that use of legacy systems remains appropriate and that the risks such technology poses are mitigated, such as by moving to newer technology. Cost and/or difficulty of migration are not to be used as excuses not to take such steps.
It is vital for firms to have strong and well-rehearsed change management procedures, and sufficient skills and experience to manage change. It is recognised that cost and time pressures exist but those do not mean that firms are allowed to gamble with service availability. Regulators should review their approach to supervising large-scale changes and ensure that best practice and lessons learnt are shared with the industry.
Firms cannot use third party failures as an excuse for incidents, and the management of third party relationships needs to be improved.
Firms and Regulators are encouraged to continue to coordinate and share information in relation to cyber risks.
Cloud providers are a source of concentration risk and the consequences of a major operational incident at a major cloud provider could be significant. The Government should urgently consider how best to regulate cloud providers as the case for their regulation is "overwhelming".
Firms are correctly adopting a “when not if” approach to operational issues. Effective incident management – including clear, timely and accurate communications – is expected of regulated firms, as is rapid resolution of complaints and awards of compensation.
The Report urges the Regulators to publish their final policy and guidance following the joint Discussion Paper published in July 2018 (see: Is operational resilience as important to the Financial Services sector as Financial Resilience), including guidance on how the Regulators’ operational resilience requirements interact, and their expectations of firms in implementing them.
The Regulators are also urged to continue to engage with industry in developing operational resilience requirements further.
In the meantime, firms would be wise to bear in mind those steps suggested in our first article earlier this year.