Stronger regulations needed to fix banking IT problems, say MPs

A HM Treasury Committee report on why IT failures happen at financial services companies has called for stronger regulations, which could include higher levies in the sector and cloud suppliers coming within the financial services regulator’s watch.

The House of Commons committee launched an inquiry into IT failures in the financial services sector in November 2018. This followed a string of major IT outages that caused consumers problems, such as TSB account holders being locked out of their accounts after the bank carried out a major IT migration.

In its latest report, the Treasury Committee said: “With bank branches and cash machines disappearing, customers are increasingly expected to rely on online banking services. These services, however, have been significantly disrupted due to IT failures, harming customers left without access to their financial services.

“While completely uninterrupted access to banking services is not achievable, prolonged IT failures should not be tolerated. The current level and frequency of disruption and consumer harm is unacceptable.”

Current developments in the financial services sector, such as the move to public cloud services, should be under closer scrutiny, the report said. With a small number of suppliers dominating the sector, there is a risk that a failure at a single company could become a major industry-wide incident.

“The regulators should highlight potential concentration risks and consider whether mitigating action is required,” said the report.

It also suggested the Financial Policy Committee should consider recommending IT supplier regulation to HM Treasury.

“The cloud service provider market stood out as such a source of systemic risk. The consequences of a major operational incident at a large cloud service provider, such as Microsoft, Google or Amazon, could be significant,” it said.

“There is, therefore, a considerable case for the regulation of these cloud service providers to ensure high standards of operational resilience.”

It also recommended that the overall regulation of IT in financial services should be more robust. “Regulators must give as much prominence to regulating operational risk and resilience as they currently afford to regulating prudential and conduct risks,” it said. 

The report said higher levies in the sector and holding individuals to account could be used as tools to coerce banks into action to reduce IT issues. “The regulators must use the tools at their disposal to hold individuals and firms to account for their role in IT failures and poor operational resilience,” it added.

It also called for “clearer and more prominent public reporting” of failures to help customers make more informed choices when selecting a financial product.

With consumers becoming more tech-savvy and and with an increasing number of companies offering financial services using fintech, customers are more interested in the IT resilience of banks.

“It is very difficult for customers to determine which financial services providers are operationally resilient, and to make clear comparisons across the industry,” it said.

“The regulators should require to empower customers to make informed decisions regarding which provider they use, and to increase firms’ focus on operational resilience.”

The inquiry was originally launched following major IT outages at financial services companies, which caused major problems for customers. Most notably there was a huge IT meltdown at TSB during the migration of customer accounts to a new core banking system.

The IT problems at TSB started in April 2018, when the bank moved millions of customer accounts from the Lloyds Banking Group IT system that hosted them to a new banking platform, known as Proteo4UK.

Problems included customers being locked out of their accounts, others reporting money disappearing from online accounts – and some were even able to see other customers’ accounts.

It is not just retail banks that need to improve. In 2018, there was a major service disruption at Visa that left millions of businesses across the UK and Ireland unable to accept credit card payments. Visa blamed a hardware failure for the problems.

Steve Baker, lead member on the inquiry at the Treasury Committee, said the number of IT failures that have occurred in the financial services sector and the harm caused to consumers is unacceptable.

“The regulators must take action to improve the operational resilience of financial services sector firms,” he said.

“They should increase the financial sector levies if greater resources are required, ensure individuals and firms are held to account for their role in IT failures, and ensure that firms resolve customer complaints and award compensation quickly.

He added that financial services companies should come clean about the causes of IT failures when they occur.  

“For too long, financial institutions issue hollow words after their systems have failed, which is of no help to customers left cashless and cut off,” said Baker. “For too long, we have waited for a comprehensive account of what happened during the TSB IT failure.”