The Treasury Committee has told UK bank regulators they must do more to force banks to improve their woeful record on IT.
Recommendations include increasing the levy paid by the banks so regulators can afford to hire better staff.
But the committee also believes there is a strong case to start regulating cloud providers to reduce risks associated with the concentration of banking infrastructure on the big three platforms – Google, Microsoft and Amazon Web Services.
The MPs looked at the horrible history of UK banking systems failures. The poster child remains TSB's serial migration screw-ups in 2018: the bank blamed middleware for the failure, which saw customers lose access to accounts, the bank website and mobile app for over a week. TSB's lacklustre performance in front of the Treasury Committee may well have helped convince MPs that stronger regulation is now required.
TSB boss Paul Pester was called back before the committee to explain how 1,300 customers also had their accounts fraudulently accessed thanks to the migration failure and a 70-fold increase in fraud attempts.
Prolonged IT failures should not be tolerated
The committee noted that as a result of bank branch closures and disappearing ATMs, the resilience and availability of mobile and web-based banking is more important than ever before. But the number of incidents appears to be increasing and there is still a lack of consistency and accuracy in recording such service blackouts.
In 2018, the number of IT incidents reported to the Financial Conduct Authority (FCA) increased by 187 per cent, with 65 percent of them occurring in the retail banking sector.
The report said that while some level of failure is inevitable, disruption has been far too frequent: "It is crucial that the regulators must not allow firms to set their own tolerance levels for disruption too high."
The committee believes the regulators already have tools in place to achieve this using the Senior Managers Regime – which requires banks to "have an explicit senior management function with responsibility for information technology" – but said there has yet to be a single enforcement case using this for an IT failure. It further called on the swift publication of investigations into the failures at TSB.
The report noted that "completely uninterrupted access to banking services is not achievable" but said "prolonged IT failures should not be tolerated".
The MPs also took a detailed look at what actually causes banks' downtime. It pointed out that though banks often boast about their modern systems, the reality is that digital services can be laid on top of legacy platforms rather than replacing them entirely.
These legacy systems are a risk factor in themselves because they are often so complex as to be almost unmanageable or rely on knowledge held by retired staff. Cost cutting since 2008 has made this situation worse, the report said. But migrating away from these systems is another risk factor – poor change management was blamed for 20 per cent of incidents reported to the FCA in 2018.
Future issues? Let's talk about cloud, baby...
The Treasury Committee also looked at emerging risks to banks' operational resilience. Chief among these is the move to cloud-based services. Some cloud provision can be more resilient than individual bank infrastructure. But the risk of concentration – a limited number of suppliers providing common services to several banks – is high.
One suggestion made was for banks to map their processes so that regulators could see where concentration risk lies. The committee rejected fears raised by the Prudential Regulation Authority that creating such a map would be dangerous because it could be used as the basis for an attack.
The committee said the clearest example of concentration risk was the cloud providers, and that a major incident would have implications far beyond financial services.
The report states: "The case for the regulation of these providers to ensure high standards of operational resilience is therefore considerable. The government should urgently consider how best to regulate cloud service providers. Regulating them as critical infrastructure, while complex, may be necessary."
The report includes many recommendations for banks as well. These include adopting a "when, not if" attitude to failures, accuracy and openness of communication with customers, and a far faster response to customer complaints after IT incidents. ®