UK regulators crack down on bank IT outages


UK regulators have put together a set of requirements designed to strengthen the operational resilience of financial services players.

The Bank of England, Prudential Regulation Authority and Financial Conduct Authority have published a shared policy summary and co-ordinated consultation papers designed to help prevent the kind of prolonged technology problems seen recently at TSB and others.

The policy proposals make it clear that companies and Financial Market Infrastructures (FMIs) "are expected to take ownership of their operational resilience and that they will need to prioritise plans and investment choices based on their impacts on the public interest".

Specifically, firms and FMIs would need to:

  • identify their important business services that if disrupted could cause harm to consumers or market integrity, threaten the viability of firms or cause instability in the financial system
  • set impact tolerances for each important business service, which would quantify the maximum level of disruption they would tolerate
  • identify and document the people, processes, technology, facilities and information that support their important business services
  • take actions to be able to remain within their impact tolerances through a range of severe but plausible disruption scenarios

Andrew Bailey, chief executive, FCA, says: "It is in the public interest that a resilient financial system is able to supply the most important services with minimal interruption even during severe operational events. The proposed new requirements are aimed at achieving this outcome.

"Disruptive events can have a high impact on consumers and businesses so firms and FMIs need to know where the risks to their service delivery lie and to make sure that they are prepared for any service disruption by testing their planned response."

In a speech to industry players, Bailey's colleague, Megan Butler, offered a blunt warning: "This is not a box ticking exercise.

"This is not about what you are willing to, or think you can, ‘get away with’, because you think the worst is unlikely to happen. We need to know that you have planned for the worst and are able to continue to deliver your important business services when the worst does happen."

Comments: (2)

Steve McGinness - Cognizant - Glasgow 05 December, 2019, 14:21

Reading between the lines, this message is that while you may talk about business continuity and disaster recovery and may have plans in place for such, you need to provide evidence that these plans are robust and will ensure that your services can withstand the outages that we have seen recently.  Paying lip service to ensuring continuity of service is no longer acceptable.

Paul Love - Konsentus - Nottingham 05 December, 2019, 16:05

In the "good old days" we used to switch to the DR site once a year - practice makes perfect!