The Bank of England is expecting financial institutions to be a bit less rubbish when IT goes wrong, it said today.
The TSB fiasco that led to customers being unable to access their accounts, followed up by widespread fraud, has caused the BofE's Prudential Regulation Authority (PRA) along with the Financial Conduct Authority (FCA) to kick off a formal investigation.
Other recent events have also higlighted the vulnerabilities of banking tech: first there was the Visa debacle, when payment processing ground to a halt due to a hardware failure on 1 June, causing retail mayhem over Europe.
And then, traders were forced to swap making money for making morning tea after the London Stock Exchange spent an hour longer in bed last week following an unspecified IT problem.
In response to the jump in frequency and severity of the incidents, the BofE's Financial Policy Committee (FPC) is putting together a new framework around resilience and risk, and a discussion paper will be published, according to a BofE senior supervisor who spoke to the Financial Times.
It is likely that the FPC framework will set minimum service levels to keep the economy ticking over in the event of a plausible disruption. The definition of "plausible" will be something to watch out for.
Lyndon Nelson, deputy chief executive of the PRA, stated the blindingly obvious in a speech given at the 20th Annual Operational Risk Conference:
"We have seen an increase in the number of operational incidents – be they caused by internal failures or from external attack." He then went on to express concern regarding the potential over-reliance of banks and financial institutions on the dominant cloud providers.
Nelson worried that "the dominance of just a few providers means that many buyers are not in a strong position to negotiate contract terms with their cloud providers". He also expressed concern that firms may find themselves with a supplier unable to meet financial regulations or force compliance.
He further added that financial institutions should also be regularly testing their incident response and contingency plans, something many IT professionals would regard as Standard Operating Procedure. ®