Call for tougher action on ‘unacceptable’ financial services IT failures
28 Oct 2019
MPs are demanding regulators take action to reduce the current level and frequency of IT failures in the financial services sector, which a Treasury select committee report has branded ‘unacceptable’.
The committee’s inquiry found that with bank branches and cash machines disappearing, customers are increasingly expected to rely on online banking services. These services, however, have been significantly disrupted due to IT failures, harming individuals left without access to their financial services.
It concluded: ‘While completely uninterrupted access to banking services is not achievable, prolonged IT failures should not be tolerated. The current level and frequency of disruption and consumer harm is unacceptable.’
Recommendations to improve operational resilience include ensuring the accountability of individuals and firms, increasing financial sector levies to ensure that the regulators (named as the Financial Conduct Authority, Prudential Regulation Authority, and Bank of England) are sufficiently staffed, and ensuring that firms resolve complaints and award compensation quickly.
The report stated: ‘While the role of regulators in supervising operational resilience is still developing, they must ensure that their approach is agile to adapt to changing risks. They must maintain a very low tolerance for service disruption by providing guidance on what level of impact should be tolerated. The regulators cannot allow firms to set their own tolerance for disruption too high, to avoid lax operational resilience.’
The committee suggested the senior managers regime should be expanded to include financial market infrastructure firms, such as payment systems, and claimed that the fact there had yet to be a successful enforcement case under the regime against an individual following an IT failure might be evidence of an ineffective enforcement regime.
It also said firms are not doing enough to mitigate the operational risks that they face from their own legacy technology, which can often lead to IT incidents.
The report stated: ‘Regulators must ensure that firms cannot use the cost or difficulty of upgrades as excuses to not make vital upgrades to legacy systems.
‘Given the potential for short-sightedness by management teams, if improvements in firms’ management of legacy systems are not forthcoming, the regulators must intervene to ensure that firms are not exposing customers to risks due to legacy IT systems.’
The committee raised concerns about instances where financial services firms use the same third-party providers, notably for cloud services, arguing that this could be a source of systemic risk.
The report said: ‘The consequences of a major operational incident at a large cloud service provider, such as Microsoft, Google or Amazon, could be significant. There is, therefore, a considerable case for the regulation of these cloud service providers to ensure high standards of operational resilience.’
Steve Baker, the Treasury committee’s lead member for the inquiry, said: ‘The number of IT failures that have occurred in the financial services sector, including TSB, Visa and Barclays, and the harm caused to consumers is unacceptable.
‘The regulators must take action to improve the operational resilience of financial services sector firms.
‘For too long, financial institutions issue hollow words after their systems have failed, which is of no help to customers left cashless and cut-off.’