UK asks banks for their tech-backup plans

Banks are moving to more sophisticated software solutions, but are their new systems fail-safe? Have they planned for tech-failures?
6 July 2018

Bank of England Governor Mark Carney. Source: Flickr / Mark Carney

In a digital world, banks are increasingly susceptible to operational disruptions as a result of technological breakdowns.

However, banking institutions are one of the most critical groups in the market, oiling businesses that drive the economy. When their (technological) infrastructure fails, all economic activity comes to a grinding halt.

As a result, the Bank of England (BoE) and the Financial Conduct Authority (FCA) in the United Kingdom (UK) feel it’s time to review and evaluate the backup plans bankers have drawn up, to react to such technological disruptions.

The regulators have directed financial services firms operating in the country to report back on their exposure to risks resulting from technology-related disruptions and present their plan to respond to such outages.

The BoE and the FCA have set October 5 as the deadline, giving banks plenty of time to evaluate, review, and react.

“Operational disruption can impact financial stability, threaten the viability of individual firms and financial market infrastructures (FMIs), or cause harm to consumers and other market participants in the financial system” said representatives Andrew Bailey, Jon Cunliffe, and Sam Woods of the FCA, the BoE, and the Prudential Regulation Authority (PRA) in a joint statement.

Recently, TSB faced a technology-outage leaving hundreds of thousands of customers stranded, and without access to their bank accounts and their money – when the bank attempted to upgrade its IT solutions.

In the aftermath of the incident, the bank’s CEO gave up GBP2 million of his bonus (US$2.66 million) of his bonus, it lost 12,500 customers, and spent more than GBP70 million (US$92.92 million) on repairing the damage.

“Firms and FMIs need to consider all of these risks when assessing the appropriate levels of resilience within their respective businesses. Dealing with cyber risk is one important element of operational resilience,” added the trio.

According to a discussion paper issued by the BoE, FCA, and the PRA, firms’ and FMIs’ processes, practices and culture need to work effectively to achieve the increased level of operational resilience that they and the supervisory authorities seek.

The three agencies outlined a potential supervisory approach for relevant institutions to strengthen their plan for dealing with technology-related disruptions:

# 1 | Preparation:

Firms and FMIs identify and focus on the continuity of their most important business services as a means of prioritising their own analysis, work and investment in operational resilience.

They set impact tolerances for their important business services and are able to demonstrate substitutability or the capability to adapt processes during a disruption.

# 2 | Recovery:

Firms and FMIs assume disruptions will occur and develop the means by which they can adapt their business processes and practices in the event of shocks in order to preserve the continuity of service.

# 3 | Communications:

Firms and FMIs have strategies for communicating with their internal and external stakeholders, including the supervisory authorities and consumers.

This should include how to handle the situation to minimize the consequences of disruption.

# 4 | Governance:

Firms’ and FMIs’ boards and senior management are crucial in setting the business and operational strategies and overseeing their execution in order to ensure operational resilience.