The government has outlined its recommendations to cut bank IT failures

The parliamentary committee has published a damning indictment of the sector's recent IT issues

UK | United Kingdom  >  England  >  London  >  Financial district  >  skyline / Gherkin / Shard
Dil (CC0)

An influential parliamentary committee has delivered a damning verdict of the UK banking sector's IT resiliency and called for greater regulatory oversight to force banks to better protect against, and respond to, costly and frustrating IT outages.

In its IT failures in the Financial Services Sector report, published this week, the House of Commons Treasury Committee deemed the UK's financial services sector to be responsible for unacceptable levels of IT failures, adding: “The current level and frequency of disruption and consumer harm is unacceptable.”

The committee, chaired up by Mel Stride, Conservative MP for Central Devon, called on lawmakers and regulators – including the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA) and the Bank of England – to intervene where financial services firms aren't doing enough to avoid and respond to IT outages that affect customers.

"Further regulatory intervention is needed to improve the operational resilience of the financial services sector, as was required over the past decade for its financial resilience. The Regulators must give as much prominence to regulating operational risk and resilience as they currently afford to regulating prudential and conduct risks," the report concluded.

These calls echo those made by the same committee – which, granted, will have looked very different at the time – in January 2016, where the chair at the time, Andrew Tyrie, called on the Bank of England to do more to help avoid banking IT outages.

The rise of the online banking outage

The FCA reported in 2018 that financial services outages had increased by 187 percent in the past year, 65 percent of which were from retail banks. One of the most high profile of these was the failed migration of a core banking system at TSB bank, which locked millions of customers out of their accounts for weeks.

Read next: IBM 'had not seen evidence' of rigorous testing ahead of TSB migration disaster

The most common cause for incidents according to the FCA is 'change management', with third-party providers the most to blame after that, followed by software issues, cyber attacks, hardware issues and human error, in that order.

The report recommended that financial services providers implement "strong and well-rehearsed change management procedures" as well as ensuring they have robust risk management procedures in place and "sufficient skills and experience to manage change".

The committee did note that it was conscious of the difficulty involved in the banking sector when it comes to modernising often-brittle legacy systems, but concluded: "We do not believe enough is being done by firms to mitigate the operational risks they face from their own legacy technology, such as by moving to newer technology."

The committee was also informed by some high-profile banks that they were seeing fewer outages as of late, with Barclays, for instance, giving evidence that technology issues had dropped by 15 percent between 2016 to 2017 and a further 13 percent from 2017 to 2018. Similarly RBS said that the number of the most critical, customer-impacting incidents, had reduced from 318 in 2014 to 19 in 2018.

What the committee recommends

The suggestions range from linking senior pay to operational resilience levels, to issuing best practice guidance and fostering better industry-wide collaboration, to help avoid firms making the same change management or technology procurement mistakes as one another.

"Holding individuals and firms to account when IT failures happen is essential, not only to prevent individuals making the same mistakes again, but also to focus the attention of senior management on the risk of incidents and incident management," the report stated. "The regulatory mechanisms to ensure accountability for failures must have teeth, and equally as importantly, be seen to have teeth."

Some of the recommendations certainly read more like common sense than anything else, such as demanding that firms have adequate recovery plans in place in case an IT failure occurs, or to implement stringent testing criteria when making potentially impactful changes, and building resiliency into cloud-based systems.

The paper also calls for regulators to implement more stringent public reporting criteria so that customers can make more informed choices regarding firms that are, or are not, as focused on operational resilience. Regulators "should also consider the need to expand current reporting requirements, to cover broader services provided by firms," it said.

One of the more unique recommendations was for senior pay at financial institutions to be linked to operational resilience: "If the Regulators observe that firms are not adequately taking operational performance into account when determining remuneration for senior staff within financial services firms, they must intervene."

The committee also called for greater transparency from firms when incidents do occur. It states: "Clear, timely and accurate communications must ensure that customers are aware of the incident and that they receive advice on remediation timelines and alternative access. Customers have the right to this information."

Read next: How Monzo is rewriting the rulebook when reporting data breaches

The report proposed several changes to the way key regulators oversee the sector, with the aim of cutting incidents down in the future.

One such recommendation focuses on skills and training programmes to ensure that regulators have the supervisory skills, expertise and experience to effectively investigate and respond to incidents. The report recommends increasing levies on financial services firms to help fund this. "We do not expect to hear after the fact, perhaps in reaction to a major incident, that supervisory resources were inadequate," it added.

It also recommended that the FCA steps up its efforts to "ensure that firms are resolving complaints and awarding any compensation quickly and take action where this is not the case".

Responding to the report, Stephen Jones, the chief executive of industry body UK Finance said: "Operational resilience is crucial in a modern financial system and the industry continues to invest billions to ensure systems, human and digital, are robust and secure. When incidents do occur, firms work around the clock to minimise disruption and get services back up and running as quickly as possible.

"The industry conducts sector-wide exercises with regulators to ensure it is prepared to respond effectively to any major disruptions or events as part of its continued commitment to maintaining the resilience of the financial system.

"UK Finance continues to engage with government over how coordination between regulatory authorities could be improved, seeking to avoid overlapped or rushed mandatory change programmes that impact firms’ ability to protect their customers.”

Copyright © 2019 IDG Communications, Inc.

  
Shop Tech Products at Amazon