On 8 October 2019, the House of Commons’ Treasury Select Committee (Committee) published a letter (dated 16 September 2019) from Lyndon Nelson, Deputy CEO, PRA, following up on his appearance before the Committee on 24 July 2019, as part of its inquiry addressing IT failures in the financial services sector.
During the hearing, Mr Nelson promised to provide the Committee with further details concerning examples of “where the Senior Managers Regime or accountability structures have bitten firms that have not upheld their responsibilities”, particularly in the context of IT incidents and failures.
In the letter, Mr Nelson points out that the PRA introduced the Chief Operations Senior Management Function (SMF24) in November 2017. SMF24 covers the most senior individuals responsible for “internal operations and technology of a firm”. The intention behind this function is to clarify and strengthen responsibility for a range of areas of increasing importance to the regulators’ objectives including: business continuity; cybersecurity; information technology; internal operations or outsourcing. Before being appointed to this position, an individual must be approved by the PRA and FCA. To date, 20 interviews for the SMF24 role have been conducted.
The introduction of SMF24 has been well received and a number of firms have highlighted the positive effect on their governance through its implementation. In particular, it has compelled them to allocate clear responsibility at an appropriate senior level for areas such as cybersecurity, which previously may have been relegated to “technical issues”. By doing so, firms have improved board and executive committee engagement on these areas.
Given the recent introduction of SMF24, Mr Nelson explains that the PRA does not have any public examples where SMR or accountability structures have “bitten firms” in relation to IT failures, but this does not preclude the FCA from doing so in the future. However, as regards current investigations, Mr Nelson states that the PRA is looking for both firms and senior managers to account for their actions in respect of matters that fall broadly under the banner of ‘operational resilience’. This would include, but is not limited to, IT outages. These PRA investigations are focused on exploring potential weaknesses in the role and responsibilities of senior individuals in the decision-making and oversight of the potentially affected area.
Mr Nelson concludes the letter by explaining that in many, if not most, cases, the PRA’s various formal and informal supervisory tools help promote and strengthen accountability when used as part of day-to-day supervision. He adds that the Senior Managers and Certification Regime has played an important part in the PRA’s ability to do so.