“Government should urgently consider how best to regulate cloud service providers. Regulating them as critical infrastructure, while complex, may be necessary”
The frequency and severity of financial services IT failures are “unacceptable”, MPs warned today, calling for regulators to be given expanded powers to ensure improvements are being made by businesses across the sector.
“Firms are not doing enough to mitigate the operational risks that they face from their own legacy technology”, the Treasury Committee agreed in a new report, highlighting bungled change management as a leading cause of recent outages.
Businesses may be cutting corners to reduce change management cost, they warned: “Poor change management is one of the primary causes of IT failures… It is important that firms have strong and well-rehearsed change management procedures. We are concerned that time and cost pressures may cause firms to cut corners when implementing change programmes, for example by compressing testing schedules.”
Guy Warren, CEO, ITRS Group, told Computer Business Review in an emailed comment: “Operational resilience has deteriorated over the last few years as the number of digital channels and volumes of transactions have increased, with very little pause for thought.
“Retail banks have failed to keep pace with the investment in technology and process to ensure acceptable levels of performance and availability. First you had the technology used by the bank’s teller, then ATMs and call centres came in, more recently banking websites, and now mobile banking. Instead of a clean shift between each phase of technology, it’s been layered one on top of the other, so that new technology and channels are running in tandem with legacy technology. The resulting impact for consumers ranges from inconvenience to increased vulnerability to outages and fraud.”
The Treasury Committee has called for the Senior Managers Regime (which requires firms to have a ‘statement of responsibilities’ saying what senior managers are responsible and accountable for) to be expanded to include financial market infrastructure firms, i.e. payment system providers.
“To ensure accountability for failures, regulators must have teeth and be seen to have teeth”, they noted in the report, published today.
Financial Services IT Failures: “Regulate the Cloud”
With many financial services companies moving applications to the cloud, the Treasury Committee raised growing concerns about “concentration risk” during the inquiry.
“This market is already highly concentrated and there is probably nothing the Government or Regulators can do to reduce this concentration in the short or medium term,” the report notes, but “the consequences of a major operational incident at a large cloud service provider could be significant, and not just limited to the financial services sector. The case for the regulation of these providers to ensure high standards of operational resilience is therefore considerable.
“The Government should urgently consider how best to regulate cloud service providers. Regulating them as critical infrastructure, while complex, may be necessary.”
The committee is not the only entity to have raised that prospect recently.
The Bank of England said in June that it plans to publish a new supervisory statement describing the Prudential Regulation Authority (PRA)’s modernised policy framework on outsourcing arrangements, “including a focus on cloud technology, and setting out conditions that can help give firms assurance on its use,” amid concerns over concentration risk and lack of substitutability.