Representatives of the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and the Bank of England recently gave evidence to the House of Commons Treasury Select Committee in relation to IT failures in the financial services sector.
Alison Barker (the FCA’s Director of Specialist Supervision), Lyndon Nelson (the PRA’s Executive Director of Regulatory Operations and Supervisory Risk Specialists) and David Bailey (the Bank of England’s Executive Director of Infrastructure) answered questions put to them by Members of Parliament.
Their answers revealed a number of interesting points which firms may want to consider in light of other work the regulators are carrying out in this space.
The regulators discussed the need for firms to balance resources between taking pre-emptive action to prevent disruption and understanding how to react and recover when an incident does occur.
Alison Barker noted that firms should not “focus on prevention at the expense of what to do when something happens.”
Firms were also encouraged to address incidents more broadly instead of focusing purely on resolving the IT problems. For example, it was noted that firms should communicate with customers more effectively, particularly given the speed with which news can spread on social media. A run on a bank in the event of an incident, and the possible need for banks to increase their liquidity in response, was referred to as a potential risk associated with customers reacting on social media.
The responses given made it clear that boards and senior managers are expected to be accountable (for example, in relation to the risks associated with legacy IT systems).
While firms can outsource work, senior managers cannot “outsource the responsibility for overseeing” that work and must understand the impact where there are systems and other failings.
Lyndon Nelson revealed that the PRA currently has a number of IT failure-related enforcement cases in progress and that the senior managers and certification regime (SMCR) “bites”.
David Bailey called for the SMCR to be extended to financial market infrastructure firms, as was recently recommended by the Financial Policy Committee.
The evidence given to the Select Committee underlines the focus regulators are placing on operational resilience, with Alison Barker describing it as one of the FCA’s “core priorities for the past three years”.
A consultation paper following on from the joint PRA/FCA discussion paper on building the UK financial sector’s operational resilience is expected in October of this year. With a large number of responses to the discussion paper recorded, we await the proposals with interest.