UK financial services regulators tell banks to own their IT disasters

The UK’s three financial services regulators have told finance firms what they expect them to do to minimise disruption in the event of operational problems, including IT outages.

In a consultation paper, the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority have jointly published new requirements that finance companies and financial market infrastructure firms (FMIs) must adhere to reduce the negative impact of operational failures.

As last year’s TSB banking disaster showed, a major IT failure can have huge detrimental effects on customers, and put financial services companies themselves at financial risk. TSB said that its botched migration, which left millions of customers unable to bank, cost it a total of £330m, which included compensating customers, additional resources, fraud and forgone income.

In fact, IT outages at banks are common, but they often have little impact on customers. However, the problems for TSB customers caused by last year’s outage has forced regulators to re-evaluate their rules.

The regulators stressed that organisations should “take ownership of their operational resilience and that they will need to prioritise plans and investment choices based on their impacts on the public interest”.

FCA CEO Andrew Bailey said: “It is in the public interest that a resilient financial system is able to supply the most important services with minimal interruption, even during severe operational events. The proposed new requirements are aimed at achieving this outcome.

“Disruptive events can have a high impact on consumers and businesses, so firms and FMIs need to know where the risks to their service delivery lie and to make sure they are prepared for any service disruption by testing their planned response.”

TSB’s IT failure occurred in April 2018 during the migration of customer accounts to a new core banking platform. As a result of systems going down, millions of customers found themselves locked out of their accounts, some saw money disappear from accounts, and customers were also targeted by cyber criminals.

Problems identified during an investigation included the decision to perform a “big bang” migration without fully understanding the risks and the fact that there were no expert external advisers for the project as a whole. An inquiry also found that TSB did not fully understand the capabilities of its IT services arm, which was running the project.

To avoid this level of disruption in future, the regulators said in the latest announcement that financial services businesses “need to prioritise plans and investment choices based on their impacts on the public interest”.

The latest consultation paper also calls for better communication with customers when things go wrong. “If disruption occurs, firms are expected to communicate clearly, for example providing customers with advice about alternative means of accessing the service,” the regulators said.

They said that businesses should: identify which services could cause the most harm if disrupted; set a maximum level of disruption that could be tolerated by different services; identify and document the people, processes, technology, facilities and information that support their important business services; and ensure they can remain within their impact tolerances in a range of “severe but plausible disruption scenarios”.

Sam Woods, CEO of the Prudential Regulation Authority, said the consultation marks the next stage of integrating operational resilience into the regulatory framework.