Banks given three months to report on how they respond to outages
UK financial services regulators get tough on banks over their ability to recover from IT outages
UK banks and other financial services firms have been asked to report on their ability to respond to IT outages and cyber attacks, and regulators want to set a maximum acceptable time for systems to be down.
As part of a discussion paper, the Bank of England (BoE) and the Financial Conduct Authority (FCA) said firms under their remit can report their exposure to risk and their plans to respond to IT outages by 5 October. They also said they want to set a maximum acceptable time for systems to be down, which will differ from firm to firm.
The BoE said firms are not being ordered to report back. "In our operational resilience discussion paper, we have not ordered UK banks and other financial services to report on their ability to respond to IT outages and cyber-attacks. The discussion paper seeks to commence a dialogue with the financial services industry on achieving a step change in the operational resilience of firms. We aim to generate debate about the expectations regulators and the wider public might have of the operational resilience of our financial services institutions. Our hope is to receive feedback from a broad range of stakeholders."
As recent events have shown, IT outages at financial services providers can cause serious disruption to the lives of people and businesses. Banks today are highly reliant on IT systems to run, and the ability to get these back up and running quickly after an outage is vital – and regulators now want firms to prove they can do this within two days of systems going down.
The recent IT failures at TSB and Visa, which caused major problems for customers, have triggered action by regulators. The BoE’s Financial Policy Committee (FPC), which attempts to find and prevent risks to the UK financial system, also recently said it is developing a new framework of minimum services that must be provided during IT failures.
In May, TSB customers experienced major IT problems when the bank botched the migration of millions of customer accounts to a new core banking platform.
Customers were locked out of their accounts, money appeared to disappear for some, while others were even able to see other customers’ accounts. Customers were still experiencing problems a month after they began, and TSB was unable to quickly identify the problem.
Then, in June, millions of businesses across the UK and Ireland were unable to accept credit card payments when a hardware failure caused major service disruption at card payment giant Visa.
The FCA said: “The challenges for operational resilience have become even more demanding given a hostile cyber environment and large scale technological changes. As recent disruptive events illustrate, operational resilience is a vital part of protecting the UK’s financial system, institutions and consumers.”
“An operational disruption such as one caused by a cyber attack, failed outsourcing or technological change could impact financial stability by posing a risk to the supply of vital services on which the real economy depends, threaten the viability of individual firms and [financial infrastructure providers], and cause harm to consumers and other market participants in the financial system,” added the FCA.