The UK government’s Treasury Select Committee is raising the stakes on accountability for IT failures within the financial services industry, describing the current level and frequency of operational disruption and consumer harm as “unacceptable” in a report published on 28 October, 2019.
“With bank branches and cash machines disappearing, customers are increasingly expected to rely on online banking services. These services, however, have been significantly disrupted due to IT failures, harming customers left without access to their financial services,” according to the committee’s statement on the report. “While completely uninterrupted access to banking services is not achievable, prolonged IT failures should not be tolerated.”
Strong Demand for Accountability
Over the past year, UK regulators have been reexamining the current supervisory approaches to operational resilience with the goal of developing a framework that aligns better with the assumption that failures are bound to happen, and institutions need to be better prepared for when, not if, those adverse events occur. The committee’s report is the latest indication that operational resilience supervision is gearing up to become one of the largest regulatory and compliance obligations financial organizations face in the coming years. Although the committee does not have direct supervisory powers over the financial industry, it is influential in directing policy, and UK regulators are accountable to it in the exercise of their work.
While the role of regulators in supervising operational resilience is still developing, the committee has specific views on where the ongoing effort should be heading. For instance, it wants not just banks to be held more accountable but also individuals within the sector who are responsible for services compromised by IT outage and failure. The committee also extends its demand for accountability to regulators, who are the target of some of the strongest language in the report. For instance, the report states that regulators “must have teeth and be seen to have teeth” to ensure accountability for failures. The regulators are encouraged to use the tools at their disposal to hold individuals and firms to account for their role in IT failures and poor operational resilience and to apply their enforcement powers to ensure failures do not go unpunished.
“If future incidents occur without sanction, Parliament should consider whether the regulators’ enforcement powers are fit for purpose,” the report states.
Additionally, the committee calls on regulators to:
- Intervene to improve operational resilience and have the skills and experience necessary to do so – and, if necessary, raise a levy in order to have the appropriate funding.
- Prevent the industry from setting tolerance for disruption so high that it leads to lax operational resilience.
- Ensure banks cannot use the cost or difficulty of upgrades as excuses not to make vital upgrades to legacy systems.
- Adopt proactive measures to protect customers from firms that may be cutting corners when implementing change programmes in response to time and cost pressures.
- Bring within the regulatory perimeter systemically important cloud providers such as Microsoft, Google and Amazon, especially given the concentration risk they potentially present.
What It Means for the Financial Industry
With the latest report, individuals most closely connected with operational resilience and involved in making key decisions over budgets and resources connected with IT change implementation are now on notice. This is particularly true for individuals who are in the scope of the Senior Managers Regime (SMR), the accountability and responsibility regime introduced after the financial crisis to hold individuals within the UK financial services sector accountable for conduct and prudential risks. It is worth noting that the committee recommends that the SMR be expanded to include Financial Market Infrastructure firms, such as payment systems.
Financial institutions need to make sure they can respond when an IT outage does occur, remembering the “three Cs” that make up an effective response plan:
- Communication – provide clear, timely and accurate communication
- Complaints – handle and respond to complaints effectively
- Compensation – determine and pay out compensation quickly
Questions for Boards and Senior Management
Going forward, institutions should be prepared for increased regulatory scrutiny of their resilience practices. This includes being able to demonstrate that they have identified critical business services and functions and are monitoring and testing their resilience against worst-case scenarios. They should be prepared to provide assurances to regulators that they have set appropriate impact tolerances around the level of disruption they can absorb if their most important business services fail. Firms should also be prepared to show that they have implemented systems and processes that would allow them to continue to provide services in an extreme but plausible event.
The following questions should help stimulate a discussion on operational resilience at the board level and among the senior management team:
- What is your organisation’s operational resilience response? How can you demonstrate that the end customer is central to the operational resilience response? In what ways is the topic of operational resilience viewed as a conduct risk as much as an IT or organisational issue? How consistently and accurately do you capture data and report on the impact of IT failures and outages on customers?
- Which scenarios does the organisation use to determine and test its response to an operational resilience event? How can the organisation demonstrate the scenarios are extreme but plausible in the same way that financial stress tests examine the resilience of the organisation’s capital?
- Do the scenarios include a customer and other stakeholder communication plan, identifying and responding promptly to complaints and resolving compensation claims? Does the organisation have the agility to efficiently mobilise an effective response within a short timeframe? How have the “three Cs” been tested and processes demonstrated to be effective?
- Which legacy systems are critical to the institution’s services to customers and what is a realistic assessment of their vulnerabilities? What is the longer-term strategy for legacy systems, to upgrade or replace them?
- How does the cost/benefit analysis, return on investment or business case for upgrading or replacing legacy systems demonstrate the level of urgency expected and the risk of disruption to customers?
To learn more about operational resilience, visit https://www.protiviti.com/UK-en/operational-resilience.