Financial Conduct Authority  

FCA blames over-confidence for providers' IT issues

FCA blames over-confidence for providers' IT issues

The Financial Conduct Authority has warned it sees "no immediate end in sight" to the escalation in tech and cyber incidents in the financial services industry.

In a speech delivered at Bloomberg in London today (November 27) Megan Butler, executive director of supervision, investment, wholesale and specialists, at the FCA, said the regulator was "deeply concerned" at the increasing number of technology outages.

Ms Butler said many of the incidents had been linked to re-platforming and outsourcing failures, citing TSB’s IT migration earlier this year as the most prominent example.

Article continues after advert

TSB has been plagued by IT issues since April, when the bank began moving customer data from a system controlled by its former owner, Lloyds Banking Group, to a new system built by its new owner, the Spanish banking group, Banco Sabadell.

Ms Butler stressed while the FCA believed innovation has had a positive impact on UK finance, new technologies created threats that were extremely difficult to anticipate and posed a fundamental challenge from a regulatory perspective.

She said: "Everyone knows that firms need to make regular changes – of varying size and complexity – to technology estates, and that from time to time things will go wrong.

"But we are worried that a lot of firms seem overly confident about their ability to manage flagship IT change programmes and keep their systems up to date."

The regulator has seen a lot of recent outages caused by relatively small changes, usually made on a weekday evening, Ms Butler said.

In her address, Ms Butler referenced cross-sector analysis published by the FCA today, in which 300 firms had completed a survey on tech and cyber resilience between 2017 and 2018.

Respondents to the survey described the management of tech and cyber changes to be a strength in their business, but Ms Butler said this level of confidence "simply isn’t supported by the data collected on the ground".

Ms Butler emphasised that cyber security was not just a technology risk, but a human risk; irrespective of firm size or sector.

She said: "Computers are perfectly neutral regarding their output. It is your people  who decide whether to use them for a specific reason, and what the purpose of that is.

"That use can be intentional or unintentional, sender or recipient, attacker or victim. We’re humans, we make mistakes."

Of the respondents to the FCA’s survey, 90 per cent had said they operated a cyber awareness programme, but the regulator reported businesses are struggling to identify and manage high risk staff - including those who deal with critical and sensitive data.

Last week the Treasury Committee launched an inquiry into IT failings in the financial services industry, to examine the technological capabilities of institutions and their ability to guard against service disruptions.

rachel.addison@ft.com