UK Banks Should Show Their Backup Plans for Tech Failures
Banks and other financial services firms in the UK have been told to show their backup plans for technical failures within three months. They would have to show their ability to avoid damaging IT breakdowns and respond to cyber attacks.
The unprecedented rise in technology-related disruptions in the sector in recent times has led the Bank of England and the Financial Conduct Authority to set a deadline for financial services firms to show their backup plans. These firms would have to report back by October 5 on their exposure to risks and on how they would respond to tech outages. Recent incidents, such as the problems that hit payments firm Visa and customers of bank TSB being unable to access their online accounts, have highlighted the vulnerability of the banking system. They show that a well-planned and well-executed cyber attack can disrupt the routine activities of many financial firms.
The Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) recently issued a joint discussion paper (DP) about strengthening the operational resilience of financial services firms and financial market infrastructures (FMIs). The FCA explains why the DP is relevant: “Operational resilience failures pose a risk to the supply of vital services on which the real economy depends. They can also threaten the ongoing viability of firms and cause harm to consumers and market participants. We highlight the risks posed by cyber-attacks and other disruptive operational incidents, and the financial system’s increasing reliance on and connectedness through technology and data. In this complex and changing environment, we want firms to be able to withstand, absorb and recover from disruptive operational incidents. Firms should manage their responses to these incidents in a way which considers the needs of those affected, including customers. This discussion paper is part of our ongoing collaboration and coordinated approach with the PRA and Bank aimed at strengthening firms’ operational resilience.”
A press release issued by the FCA also discusses the impact of operational disruptions on the economy; it says: “An operational disruption such as one caused by a cyber-attack, failed outsourcing or technological change could impact financial stability by posing a risk to the supply of vital services on which the real economy depends, threaten the viability of individual firms and FMIs, and cause harm to consumers and other market participants in the financial system.”
Thus all financial firms and insurers would have to demonstrate to the regulators the plans that they have in place for dealing with technical disruptions that might happen due to systems failure or a cyber attack.
In its report on this decision by the regulators, Reuters has included a joint statement issued by FCA Chief Executive Andrew Bailey and BoE Deputy Governor Jon Cunliffe. It says, “Operational disruption can impact financial stability, threaten the viability of individual firms and financial market infrastructures, or cause harm to consumers and other market participants in the financial system”.
The Reuters report, dated July 5, further says: “The regulators suggested two days as an acceptable limit for disruption to a business service in one scenario spelt out in a consultation paper published on Thursday… Some customers of TSB bank were still unable to access online banking services over a month after its first outage in April, which followed a botched systems upgrade.”
The financial firms and banks would be set targets for recovering from cyber attacks and other service disruptions. If financial institutions fail to demonstrate adequate backup plans, the regulators could even make them take the necessary actions. These might include bolstering capital levels or investing in making their systems more resilient. It has also been made clear that senior management is responsible for ensuring the resilience of any financial firm.