Analysis: The City responds to the publication of Andrew Tyrie’s letters to the banking industry.
UK consumer banking technology was thrown into the spotlight this week with the publication of letters sent to the CEO’s of RBS, HSBC and Barclays about the resilience of their IT systems.
The letters, along with recommendations for addressing IT shortcomings, came from the chair of the Treasury Select Committee of MPs, Andrew Tyrie, who examined the issue of cyber failures in banking between June and November 2015.
The letters to the CEOs, as well as recommendations to the Bank of England and the Financial Conduct Authority (FCA), have now been made public.
Among the recommendations are that "the banks need great IT expertise at main Board and subsidiary Board level", and that "much greater resources should be put towards modernising managing, and securing banks’ IT infrastructures." Tyrie also recommended that "legal, regulatory and structural and cultural changes are needed to the way that banks mange their cyber security risks."
City watchers welcomed the intervention from the influential MP.
Tim Focas, director of financial services at City think tank Colloquium said: "The call from Tyrie for banks to get their technology houses in order is long overdue. Many of the glitches have been a direct result of banks to neglected updating their outdated IT infrastructure – which has left millions of businesses in the limbo as a result."
The British Bankers’ Association acknowledged the significance of Tyrie’s intervention, and the importance of financial institutions having resilient IT systems.
A BBA spokesman said: "Consumers and businesses rightly expect to be able to get on with their day-to-day banking activities without interruption. Individual banks and the industry as a whole therefore take any "glitches" – where customers are unable to access their banking services – very seriously. As part of this commitment, the banking industry invests significant sums in IT infrastructure each year – with more than £2bn spent each year for the last five years. In fact, £3.2billion was spent in 2014 alone.
"This is a complex challenge and unfortunately bank systems can occasionally be affected by glitches. In these cases the industry works hard to ensure services are restored as quickly as possible."
Dealing with the complexity is not helped by a lack of technical knowledge at the top of the banks. In its ‘Bridging the Technology Gap in Financial Services Boardrooms’ report, Accenture found that only 6% of board members and 3% of CEOS in the 109 banks it looked at had a background in technology.
While those in the financial services industry often gripe about regulation, Focas believes that the increase in regulation is pushing banks to take the issue of IT resilience more seriously. "We are starting to see many of the big players forcing the updating of their IT systems up the boardroom agenda this year. As a result, expect compliance officers and IT directors alike to have plenty on their plates over the coming months," he said.
In the aforementioned report, Accenture said that this increased regulatory focus was highlighting the need for banks to improve technical knowledge.
RBS were one of the banks focussed on by Tyrie while looking into cyber resilience, due to the major IT glitch in 2012 that caused severe disruption for customers. The bank has also previously been the victim of a significant cyber attack.
Simon McNamara, Chief Administrative Officer for RBS, has made clear in his response that his firm is making progress in the area of cyber resilience. It has introduced a variety of measures since that 2012 incident, and has invested £750 over three years in order to boost cyber resilience. It is also continuing to invest £150m a year into those improvements.
Notably, RBS has reduced the complexity of its batch processing system which was at the heart of the 2012 issue, and has implemented a mirror bank. The latter development has enabled the bank to have a 92% success rate on transactions during an incident, up from 43%.
"Any disruption caused to our customers is unacceptable," said McNamara. "The substantial investment we’ve made in recent years has put significantly more resilience in our systems, reduced the number of incidents impacting our customers and put us in a better position to fix any issues much more quickly. We are working very hard to simplify this bank at every level, including our technology."
With more and more banking being done online and on mobile phones, there has also been a notable increase in cyber attacks against financial services:
Limor Kessem, Cybersecurity Evangelist, IBM told CBR that "The list of cybersecurity attacks targeting the financial services and banking sectors has certainly spiked at the beginning of the 2016, but the safety of consumers and the institutions themselves can be assured by ultra-vigilant CISOs and increased levels of threat sharing between organisations. 2016 will be a challenge for security professionals, but one that we can, and no doubt will rise to meet head on."
Technology was always going to be a growing concern for those in the banking industry, but with regulators and powerful MPs watching them now too, there will be nowhere to hide for the next bank to suffer a glitch or be the victim of a hack.