At the end of 2018 the UK Treasury Committee announced that it would launch an inquiry into information technology (IT) failures in the financial services sector. The Treasury Committee has stated that it will appoint a specialist advisor to help provide analysis and aid the inquiry.
The past 18 months have seen numerous IT failures in the financial services sector. Equifax, Barclays and TSB have all suffered incidents, to name a few. TSB is arguably the highest-profile case: 1.9 million customers were logged out of their online banking accounts for up to a month, and some customers also claimed to have been able to view other customers’ bank details. This occurred after the bank attempted to migrate customer information from its former owner to current owner Banco Sabadell.
The inquiry by the Treasury Committee is set to explore the common causes of such operational incidents, to better understand what consumers have lost as a result of the failures, and to determine whether regulators such as the Bank of England's Prudential Regulation Authority and the Financial Conduct Authority have the necessary ability and power to hold the firms involved to account.
The committee is now in the process of collecting written evidence through its evidence portal on a number of topics which contribute to the inquiry. These topics include:
- the extent to which operational incidents are becoming more frequent, and how the prevalence of such incidents may change in the future as consumers and firms come to rely more heavily on technology;
- the common causes of operational incidents, and the extent to which there exist single points of failure and/or other sources of concentration risk in the financial services sector, and lessons to be learned from the operational incidents witnessed in recent years;
- the incidence of multiple old legacy systems and the nature of their connectivity, and the impact of retrofitting web-based/mobile systems to legacy systems;
- the risks associated with integrating banks/systems following takeovers and mergers, for example the quality of relevant technical documentation;
- the impact of outsourcing on operational resilience and the ways in which consumers typically lose out as a result of operational incidents, including inconvenience and vulnerability to fraud;
- examples of best practice with respect to firms’ responses to and handling of operational incidents, including approaches to communicating with customers, identifying and addressing the causes of incidents, and handling customer complaints and compensation;
- the ability of the regulators to ensure firms are adequately guarding against service disruptions, and whether they have the relevant skills to hold appropriate parties to account in the event of significant operational incidents;
- approaches to operational resilience in different jurisdictions;
- the opportunities and risks presented by the application of new technology in the financial services sector with respect to operational resilience;
- what should be considered an appropriate level of tolerance for operational disruptions.
The inquiry does not come as a surprise, given the string of failures that has marred the financial services sector of late. The announcement also arrives just days after the Bank of England’s doomsday banking test and the Financial Conduct Authority’s announcement that in the 12 months up to October 2018 there was a 138% increase in technology failures among banks and financial services companies, and an 18% rise in cyber incidents.
Responses are due by 18 January 2019.