Nearly every firm has experienced systems outages, and the Financial Conduct Authority has fined several banks in the past. In response to these weaknesses it conducted a ‘Dear Chairman’ exercise in which, as detailed in the letter from Tracey McDermott (Acting Chief Executive),[1] clear weaknesses were identified:
- insufficient oversight of technology at Board level;
- weaknesses in the firms’ 3-Lines-Of-Defence model and IT risk management arrangements; and
- improvements required to disaster recovery (DR) capabilities.
These failures are fundamentally bigger than failures of internal systems: they are conduct and culture failures. They reflect a poor risk culture in which leadership has failed to take ownership of the risk; as a result the risk has not been adequately sized, managed or monitored, and adequate resources have not been allocated to it.
Banks, insurers, and capital markets firms are encouraged to address these conduct and culture failures in order to move forward:
- Undermining the value of technology: The old notion of “If it ain’t broke, don’t fix it” has given firms a mistaken view of technology, and firms have failed to realise its importance (Flinders, n.d.).[2] Adding or migrating new technology solutions onto existing core systems not only slows down the performance of the system but also makes it more complex and expensive to maintain. The failure to understand the weaknesses in the systems and the associated risks, controls and processes has led, in our view, to vast underinvestment in IT. Recent IT outages and disruptions, in which bank customers were unable to access their accounts or make payments, have focused firms’ (and regulators’) attention on this weakness.
- Inadequate business ownership: Firms are not retaining or maintaining knowledge of their ageing legacy systems. Individuals within the business are not taking ownership of making routine updates, documenting the system architecture, ensuring that staff understand the systems, or ensuring that multiple users can properly operate them. Because of inadequate training and a lack of knowledge of complex legacy systems, the likelihood of errors increases. This also has a negative effect on strategic and governance decision-making around system additions and changes, and often results in an overly complicated systems landscape that is too vast and demanding to be managed and owned by untrained and overstretched business representatives.
- Senior management is encouraged to value technology. This means taking ownership of systems and architecture, building their understanding of the resources and capabilities available, and championing their development. Without effective top-down ownership of systems, resources and capabilities, it is easy to underrate and undervalue the importance of system controls and processes. Board meetings should cover updates on systems issues, and senior management should challenge any new business strategy, product launch or process change so that sufficient attention is paid to the systems involved. Investment in IT should be accompanied by a strong focus on a technology risk management culture, in order to mitigate risks that may arise from unidentified vulnerabilities such as phishing and hacking.
- Chief technology officers should have a seat on all banking boards. As part of their role, they should make sure business strategies are aligned with managing technology risks and the wider technology strategy.
- Business owners and champions should be assigned, and incentivised, for all critical systems within the firm. They should promptly bring issues to management’s attention, make sure users are trained, and ensure that processes, procedures and systems architecture are mapped. They should be consulted on any planned business change and given time to conduct detailed feasibility testing.
Banks, insurers, and capital markets firms are encouraged to come to terms with these conduct issues and consider how they affect their business. The future of financial services firms is being driven by technology, and a failure to value systems and infrastructure properly, and therefore to invest appropriately, will cause large firms increasing difficulty in satisfying customers (and regulators). For the institution that is slow to respond, this may well mean that it ceases to compete with new market entrants.
- [1] Financial Conduct Authority, letter from Tracey McDermott to Andrew Tyrie. Available at: https://www.parliament.uk/documents/commons-committees/treasury/Correspondence/Letter-from-Tracey-McDermott-FCA-to-Treasury-Chair-19-10-15.pdf
- [2] Flinders, K. (n.d.), “Big Banks’ legacy IT systems could kill them,” ComputerWeekly. Available at: http://www.computerweekly.com/news/2240212567/Big-banks-legacy-IT-systems-could-kill-them