Thanks to the UK’s new Open Banking initiative, the scale of IT problems within the financial services sector has become apparent, with major banks typically suffering well over one outage per month, according to a report published by the BBC. With this in mind, the Financial Conduct Authority (FCA) published an updated discussion paper in December, detailing new requirements to help strengthen operational resilience in the sector. The document encourages firms to consider the impact of disruption and the many reasons for which it can occur, e.g. technology failures, cyber-attacks and weather-related and other environmental incidents, together with the significant impact such disruption has on the people, businesses and financial markets that rely on the products and services firms provide. To remedy the current situation, the report proposes four core areas of focus: visibility, thresholds, testing and third-party management.
The report stipulates that firms need to identify and document the people, processes, technology, facilities and information that support their important business services (also known as ‘mapping’). By mapping systems and processes based on the business services they support, firms can bring more transparency to, and improve the quality of, decision making, thereby improving their overall resilience and availability. The term ‘business service’ here refers to a service whose disruption would be most likely to cause intolerable levels of harm to the firm’s customers, to the firm itself or to the broader financial system.
The report also advises that organisations in the financial services sector must set ‘impact tolerances’ for each important business service. These are thresholds for the maximum level of disruption tolerable before consumer protection and/or market integrity becomes compromised.
Impact tolerance is expressed through specific outcomes and metrics, which the report stipulates should always include the maximum length of time that a disruption can continue. It can also comprise other considerations, such as the volume of disruption, for example the number and types of consumers affected or a measure of the data that has been breached, stolen or lost. When setting impact tolerances, banks need to consider any factor which will drive a significant increase in demand for business services, as these are the times when availability is most critical. Once tolerances have been set, organisations can set about finding ways of expanding them, for example by hosting private data centres within co-located facilities or arranging workplace recovery solutions.
Given the huge importance that both businesses and consumers attach to being able to view and access funds, firms must regularly simulate a range of severe but plausible disruption scenarios and conduct lessons-learned exercises to invest in their ability to respond to real-life disruptions. Testing shouldn’t focus only on preventing incidents or reducing the probability of their occurrence, but also on the response and recovery actions firms would take to protect the continuity of operations.
Scenarios can be based on anything from the loss or reduced provision of technology to the unavailability of facilities, key stakeholders or third-party services. An effective method of conducting tests is to base scenarios on previous incidents or near misses from across the financial sector and in other sectors and jurisdictions. Firms could also consider future risks, such as evolving cyber threats, technological developments and business model changes. An example of this can be seen in the Bank of England’s recent announcement of its plans to perform climate change-related stress tests on the UK’s top banks and insurers, to assess how firms would deal with more frequent weather events and mass sell-offs of “brown assets”, those considered detrimental to the environment.
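As an added illustration of how mapping, impact tolerances and scenario testing fit together (this is example code written for this page, not code from the FCA paper or from any firm; every component name, dependency, customer count and tolerance figure below is constructed), the following Python builds a small dependency map from components up to the business services they support, then checks a simulated disruption of one component against the tolerances of every business service that transitively relies on it:

```python
"""Toy resilience map: components -> business services, with impact tolerances.

All names and figures are constructed for illustration; nothing here comes
from the FCA discussion paper or from a real firm.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ImpactTolerance:
    """Thresholds for one important business service."""
    max_outage_minutes: int        # the paper says a duration limit is always set
    max_customers_affected: int    # an optional volume metric


class ResilienceMap:
    """Mapping of people/process/technology components to business services."""

    def __init__(self):
        self._dependants = {}   # component -> set of components relying on it
        self._tolerances = {}   # business service -> ImpactTolerance
        self._customers = {}    # business service -> customers it serves

    def add_business_service(self, name, tolerance, customers):
        self._tolerances[name] = tolerance
        self._customers[name] = customers
        self._dependants.setdefault(name, set())

    def add_dependency(self, dependant, dependency):
        """Record that `dependant` cannot operate without `dependency`."""
        self._dependants.setdefault(dependency, set()).add(dependant)
        self._dependants.setdefault(dependant, set())

    def affected_services(self, failed):
        """Breadth-first walk from the failed component to every business
        service that, directly or transitively, relies on it."""
        seen, queue = {failed}, deque([failed])
        while queue:
            node = queue.popleft()
            for dependant in self._dependants.get(node, ()):
                if dependant not in seen:
                    seen.add(dependant)
                    queue.append(dependant)
        return sorted(s for s in seen if s in self._tolerances)

    def run_scenario(self, failed, outage_minutes):
        """Simulate `failed` being unavailable for `outage_minutes`.

        Returns {service: [breached metric descriptions]}; an empty list means
        the service is affected but stays within its impact tolerance."""
        breaches = {}
        for svc in self.affected_services(failed):
            tol = self._tolerances[svc]
            reasons = []
            if outage_minutes > tol.max_outage_minutes:
                reasons.append(f"duration {outage_minutes}m > {tol.max_outage_minutes}m")
            if self._customers[svc] > tol.max_customers_affected:
                reasons.append(f"customers {self._customers[svc]} > {tol.max_customers_affected}")
            breaches[svc] = reasons
        return breaches


def build_example_map():
    """Constructed sample: two business services, four supporting components
    (one of them a hypothetical third-party cloud provider)."""
    m = ResilienceMap()
    m.add_business_service("make-payment", ImpactTolerance(120, 50_000), customers=80_000)
    m.add_business_service("view-balance", ImpactTolerance(240, 200_000), customers=150_000)
    m.add_dependency("make-payment", "payments-gateway")
    m.add_dependency("payments-gateway", "core-ledger")
    m.add_dependency("payments-gateway", "cloud-provider")   # third party
    m.add_dependency("view-balance", "mobile-app")
    m.add_dependency("mobile-app", "core-ledger")
    return m


if __name__ == "__main__":
    rmap = build_example_map()
    for failed, minutes in [("cloud-provider", 180), ("core-ledger", 60)]:
        print(f"scenario: {failed} unavailable for {minutes} minutes")
        for svc, reasons in rmap.run_scenario(failed, minutes).items():
            status = "BREACH: " + "; ".join(reasons) if reasons else "within tolerance"
            print(f"  {svc}: {status}")
```

Running the two constructed scenarios shows the point of the mapping exercise: a three-hour loss of the third-party cloud provider breaches both the duration and the customer-volume tolerance of the payment service without touching balance enquiries, while an hour-long core-ledger outage reaches both services through different paths but stays inside the duration limit for each.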
Technology is driving huge changes in the operational landscape of the financial services industry.
This is perhaps best reflected in the rise of cloud-native challenger banks, which are quickly setting the agenda in terms of enterprise agility and customer experience, effectively redefining how firms in the sector succeed. However, the rapid adoption of new and revolutionary technologies like cloud computing is also expanding the risk landscape in the financial services sector at an unprecedented rate. Firms now not only have to be aware of the resilience of their own systems, but must also be able to trust in the resilience of third-party providers and the technology solutions they provide.
Firms must conduct due diligence to ensure the third parties they use to connect with their customers adhere to standards similar to their own. Third-party providers may, for example, sit outside a firm’s regulatory perimeter or operate in multiple jurisdictions with different, or weaker, resilience requirements.
Firms should therefore thoroughly investigate how third-party relationships could undermine their ability to absorb disruption, asking questions such as: which legal jurisdiction is the provider subject to? What physical security does the provider offer (e.g. physical controls in the data centre or staff vetting)? Are there suitable arrangements for dispute resolution? With the right backup and cloud storage provider effectively acting as a first line of defence against both expected and purely circumstantial disruption, businesses can establish an infrastructure built for resilience and prepared for every eventuality.
In an increasingly complex and fast-changing business environment, organisations must be able to prevent, adapt to, respond to, recover from and learn from disruptive operational incidents. The financial services sector must not only be aware of the threats of disruption that come from within and outside, but must also be able to anticipate them. Being resilient and ensuring availability will be critical for UK banks and for our economy as a whole.