The Financial Conduct Authority (FCA) is to assess the resilience of ageing IT systems used by British banks and building societies, after recent outages left customers unable to access funds.
High street banks continue to experience service disruption due to legacy IT, with Royal Bank of Scotland customers unable to pay with debit cards or withdraw cash in December, a year after a high profile outage which cost the lender £175 million to resolve.
The FCA will now join with the Prudential Regulation Authority and the Bank of England to assess how banks manage their exposure to IT risks, how engaged boards are with improving IT resilience, and whether they have the necessary expertise to challenge executives.
The review will follow up on a letter sent to the heads of major banks in 2012 by the FCA's predecessor, the FSA, requesting internal assessments of critical IT infrastructure. The regulators aim to find out what progress has been made since this time, and whether rules around system resiliency need to be tightened to prevent more outages.
The regulators will report back on findings in early 2015, the FCA said in a statement.
"To access and manage our money we depend on the banks' IT systems to be reliable. But IT outages continue, interrupting key banking services,"said Clive Adamson, FCA director of supervision.
"We want to make sure that the banks have resilient IT systems in place that are able to cope with consumer demand, so customers aren't left financially stranded or disadvantaged.”
The FCA has already launched a separate investigation into RBS' infrastructure, after a failed upgrade to a CA7 batch processing systems in 2012 led to millions of customers being unable to access funds in their bank accounts. The investigation, launched in April 2013, could lead to an enforcement action against the bank.
Its latest review follows announcements by number of banks that they will invest in improving legacy environments, with RBS CEO Ross McEwan pledging to spend on upgrading IT after “decades” of underinvestment. Barclays has also recently outlined plans to address IT complexity, reducing the number of servers it owns by 6,000 since H1 2013, as well as decommissioning and retiring legacy applications.
According to Peter Roe, financial services analyst at TechMarketView, the point of the FCA review is unclear.
“The banks are well aware of the problems, and are doing all they can to alleviate the issues of legacy systems and insufficient capacity which are leading to the outages, so I am not sure the FCA is going to bring anything new to the table,” said Peter Roe, financial services analyst at TechMarketView.
“The customers of the banks are the most important regulator. If banks let their customers down they will feel it in their P&L, so they are probably the most immediate judges of banks performance and IT strategies,” he told ComputerworldUK.
Andrew Holley, founding partner at financial sector IT services provider, Holley Holland, said that regulators need to be wary of adding to the mountain of regulation already facing banks.
“Over the past few years, the banks have invested heavily to improve on client services through online and mobile banking, as well as making significant investments in complying with the regulations that the FSA, the PRA and the FCA have laid down,” he said.
“In addition to managing change and making investments, the banks are also obliged to maintain a stable and highly available operating platform for their clients 24x7, while providing ever higher levels of feature functionality and services.
“In carrying out their reviews, it is important that regulators appreciate the challenges facing the banks, not least because some of those challenges are being laid on the banks by the regulators themselves.”