On 28 October 2019, the House of Commons Treasury Committee published a report on IT failures in the financial services sector. The report sets out a number of conclusions and recommendations following a series of written submissions from various stakeholders (see previous blog here). These recommendations include:

  • further regulatory intervention to improve the operational resilience of the financial services sector. The FCA and PRA must give as much prominence to regulating operational risk and resilience as they currently afford to regulating prudential and conduct risks;
  • financial services providers must treat their ability to manage and prevent incidents with a level of seriousness appropriate to the significant impact when incidents occur;
  • the regulators should conduct an exercise to assess the accuracy and consistency of incident reporting. The regulators should clarify standards, guidance and definitions for the industry on what incidents firms should record and report;
  • the regulators must use the enforcement tools at their disposal to hold individuals and firms to account for their role in IT failures and poor operational resilience. The regulatory mechanisms to ensure accountability for failures must have teeth and, equally importantly, be seen to have teeth. The regulator should also consider the effectiveness of the senior managers regime (SMR) and assess whether there are any barriers restraining them from enforcement against individuals;
  • the Government should expand the SMR to include financial market infrastructure firms supervised by the Bank of England to ensure that senior managers are held accountable for their management of operational incidents;
  • the regulators should increase financial sector levies to ensure they can hire much-needed staff with expertise and experience in operational resilience;
  • there should be a focus on transitioning from legacy technology to newer technology. The regulators should have a strong framework to oversee firms’ assessments and challenge these where necessary, making use of their full range of tools to achieve this, including commissioning independent section 166 skilled person reviews; and
  • the cloud service provider market stood out as a source of concentration risk during the inquiry. The Government should urgently consider how best to regulate cloud service providers to ensure high standards of operational resilience.