Cloud providers are a “source of systemic risk” for banks and need to be regulated, claim MPs

Profile picture for user ddpreez By Derek du Preez October 28, 2019
MPs on the House of Commons Treasury Select Committee reveal the findings of their investigation into the failure of IT services at the UK’s financial institutions.

Image of Canary Wharf skyline

A new Parliamentary report out this week suggests that regulators of the financial services industry should consider increased regulation for the cloud services market, given the concentration risks. 

The report released by MPs on the House of Commons Treasury Committee makes specific mention of cloud providers Microsoft, Google and Amazon. 

MPs on the Committee were investigating IT failures in the financial services sector, following a number of high profile incidents that have negatively impacted customers. The most recent - and high profile - of which was at TSB, which saw customers locked out of their accounts after the bank attempted to move to a new IT system. 

The failure cost the bank £330 million and saw 80,000 customers switch their account to a competitor. TSB is not the only bank to have been in the spotlight in recent years, with similar failures occurring at RBS and Barclays. 

The MPs’ report highlights that as the banking sector continues to move to digital services, and as bank branches and cash machines continue to disappear, customers are increasingly expected to rely on online banking services. 

However, MPs on the Committee state that the level of disruption to these services because of IT failures, is not acceptable. 

The report makes a number of recommendations that aim to improve the operational resiliency of the financial sector - one of which is increasing regulation for the cloud services market. 

Commenting on the report, Steve Baker MP, the Treasury Committee’s lead member for this inquiry, said:

The number of IT failures that have occurred in the financial services sector, including TSB, Visa and Barclays, and the harm caused to consumers is unacceptable.

The Committee, therefore, launched this inquiry to look ‘under the bonnet’ at what’s causing the proliferation of such incidents, and what the regulators can do to prevent and mitigate their impacts.

The regulators must take action to improve the operational resilience of financial services sector firms. They should increase the financial sector levies if greater resources are required, ensure individuals and firms are held to account for their role in IT failures, and ensure that firms resolve customer complaints and award compensation quickly.

For too long, financial institutions issue hollow words after their systems have failed, which is of no help to customers left cashless and cut-off.

What to do? 

As noted above, one of the recommendations from the Committee is to regulate the cloud services market further. It notes that there are many cases where financial services firms are using the same third-party providers - such as Amazon, Google and Microsoft - and that regulators should highlight potential concentration risks and consider whether mitigating action is required. This is because the consequences of a major operational incident at a large cloud service provider could be significant, the MPs said. 

It notes that “where common providers are systemic, the Financial Policy Committee should consider recommending regulation to HM Treasury”. 

Other recommendations from the Committee include: 

  • Regulators of the financial services sector need to have the appropriate skills and experience in order to effectively intervene and improve the operational resilience of the sector. Regulators should consider increasing levies on the sector to ensure that they can hire the appropriate staff. 

  • Regulators must maintain a very low tolerance for service disruption by providing guidance on what level of impact should be tolerated. Firms cannot be allowed to set their own tolerance for disruption too high. 

  • Regulator must use the tools at their disposal to hold individuals and firms to account for their role in IT failures and poor operational resilience. The Committee states that to ensure accountability for failures, “regulators must have teeth and be seen to have teeth”. However, current regulation has yet to see a successful enforcement case against an individual following an IT failure. 

  • The Committee states that firms are not doing enough to mitigate the operational risks that they face from their own legacy technology. Regulators need to ensure that firms cannot use the cost or difficulty of upgrades as excuses to not make upgrades to legacy systems. The Committee goes as far as to say that regulators should intervene if firms are not showing evidence of improving their legacy systems. 

  • Financial services firms should adopt a ‘when not if’ approach, ensuring that they have “robust” procedures in place in the event of an incident. Clear, timely and accuracy communications must ensure that customers are aware of the incident and that they receive advice on remediation timelines and alternative access. 

My take

Whilst the ambitions of this report are admirable, it doesn’t quite hit the mark for me. The underlying assumption is that more regulation and tougher responses to failings will somehow turn things around and force banks to consider the operational resilience of their systems. I’d argue that a more insightful conclusion would have been that banks need to rethink the way that they operate entirely. Rather than firefighting, what does a successful, modern, digital banking operation look like and how do we help them get there? As I said, I do understand the response by MPs, but to me it feels a bit like an old world answer to a modern problem.