Regulation  

Advisers urged to have platform failure back-up plan

Advisers urged to have platform failure back-up plan

Advisers are likely to face increased scrutiny from regulators if the platform provider they recommend to clients suffer system outages, technology experts have warned.

Technology and compliance experts have said advisers should assume their platform will suffer an outage at some point and put together contingency plans for when it does, to avoid scrutiny from regulators.

At the start of July the Financial Conduct Authority, together with the Bank of England and the Prudential Regulation Authority, published a 48-page paper on the need for the financial services sector to make its technology more resilient to cyber attacks and outages.

Article continues after advert

It came after the problems faced by Visa, TSB, Aegon and Aviva, which all saw technology failures preventing them from offering their full service.

The paper stated senior managers should take responsibility for creating back-up plans if their systems go down but it also highlighted the issue of outsourcing, stating boards and senior managers needed to have oversight of any activities which were provided by third parties.

Andrew Husband, partner and head of operational resilience at KPMG, said: "Boards are already taking this seriously but overseeing an extensive network of third parties is a complex task which is getting ever harder as the asset management landscape evolves. The regulator’s discussion paper aims to raise the bar and continually challenge the sector on this issue.

"Firms are certainly likely to be subject to increasing regulatory scrutiny if they fail to provide a suitable level of monitoring and oversight of outsourced providers and this has had a critical impact on business services."

Under existing regulations, firms have to understand the extent of their outsourced activities and perform risk assessments. This includes assessing supplier criticality and ability of firms to change provider should this need to happen.

Mr Husband said the discussion paper built on the existing requirements and was moving towards a step up in boards' and senior managements’ oversight to more clearly identity and understand "critical service providers".

Caroline Bradley, group risk and regulatory director at Tenet, said: "We review the terms and conditions of any outsourced provider, as well as undertake due diligence to understand their security measures and what their contingency plans are in event of a system outage or cyber attack, but ultimately, this is obviously not something that we can prevent.

"In the case of a platform, the risk lies with that outsourced provider and they would bear the liability for any cyber attack or outage. Customer services issues may arise that advisers will have to manage if they recommended a provider with poor systems and controls, so robust due diligence is key."

The three regulators said firms should establish the resilience of any outsourced providers and make sure they have a plan in place if these suffer an outage themselves.

They also said boards and senior management should assume individual systems and processes that support business services will be disrupted, and increase the focus on back-up plans, responses and recovery options.