Treasury Committee and operational resilience in financial services

The Treasury Committee publishes a report on IT failures within the financial services sector, urging regulators to act to address the issue.

11 November 2019

Publication

The Treasury Committee has published a report (the Report) highlighting key operational risks within the financial services sector and steps that regulators should take to force regulated firms to reduce both the frequency and duration of IT incidents within financial institutions.

The Report stems from the Treasury Committee’s inquiry into IT failures in the financial services sector (the Inquiry), which was launched in November 2018. As part of the Inquiry, the Treasury Committee heard representations from all three regulators (the FCA, PRA and Bank of England) and considered whether there should be greater regulation within the sector to improve operational resilience and protect customers. The Report sets out the Treasury Committee’s views in this regard.

Amongst other things, the Treasury Committee suggests that IT failures within financial institutions have led to an increased risk of harm to customers, particularly in light of customers’ increasing reliance on digital banking services. The Treasury Committee acknowledges that although completely uninterrupted access to banking services is unachievable, prolonged IT failures should not be tolerated.

Recommendations

The Report makes a number of recommendations including the following.

Strengthening regulators: regulators should ensure that they have the appropriate skills and experience within their teams to regulate this area effectively and should consider increasing levies to finance the cost of hiring personnel with the required skillset and experience to enable them to do so. The Report also highlights the need for regulators to have (and to be seen to have) “teeth”, and points to the lack of successful enforcement action following IT failures within organisations as a potential sign of an ineffective enforcement regime.

Accountability: regulators should hold financial institutions and the individuals working for them accountable for their role in IT failures and poor operational resilience. The Report also recommends that the Senior Managers Regime be extended to include “Financial Market Infrastructure” firms, bringing recognised payment systems, central securities depositaries, and central counterparties within the ambit of the regime.

Regulators must also be willing and able to step in and take a role during significant incidents, to hold individuals and firms to account, in order to both avoid a repetition of mistakes and focus firms’ attention on managing risks.

Impact: regulators must maintain a very low tolerance for service disruption by providing guidance to firms on the maximum level of impact that can be tolerated. The regulators should not allow firms to set their own tolerance for disruption too high, so as to avoid lax operational resilience.

Legacy systems and upgrades: one area of risk identified by the Treasury Committee relates to legacy systems and organisations’ reluctance to upgrade the systems, which may result in IT failures. Regulators must ensure that firms cannot use the cost or difficulty of upgrades as an excuse not to make vital upgrades to legacy systems. At the same time, migrations to new technology systems should be properly managed, with appropriate resources being dedicated to facilitate this.

Concentration risks: regulators should be aware of and highlight potential concentration risks where firms use the same third party service provider. Regulators should also consider whether any mitigation is required to address these concentration issues. The Report calls out cloud service providers as a source of “systemic risk”, highlighting the need for these providers to ensure high standards of operational resilience.

Third party service providers: given the prominence of IT failures caused by third party service providers, regulators should improve risk management of third party relationships and consider amending their guidance if they do not see a good standard of management of third party service providers by financial institutions. In addition to the above, firms should not use third party failures as an excuse when IT failures occur.

Business continuity and resilience: financial institutions are correct to take a “when, not if” approach to IT failures and should ensure that they have appropriate procedures in place to deal with IT failures effectively. The Treasury Committee proposed that firms be required to provide more prominent public information about their resilience, to allow customers to make informed decisions about which firm they use.

Next steps

The Report urges regulators to publish their final policy and guidance for firms on how their different operational resilience requirements interact, and their expectations on firms when implementing them.

It will be interesting to see whether regulators develop new regulation or leverage existing regulations and guidance to implement some or all of the Treasury Committee’s recommendations – for example, the Outsourcing Guidelines finalised by the European Banking Authority (EBA) earlier this year, which the Report suggests could be leveraged to address some of the concerns raised in the Report (for example, concentration risks) – see our separate articles on the EBA Guidelines. Either way, it appears that regulators are under pressure to regulate further and issue harsher fines to drive improved operational resilience in financial services.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.