The end of legacy systems is nigh
25 July 2019
The Treasury Select Committee (TSC) heard from representatives from the PRA, BoE and FCA on 24 July, in what we believe to be the last session in its inquiry into IT failures within financial services. This follows earlier sessions with industry representatives, as well as PwC and TheCityUK where we discussed our recent report on operational resilience.
The questions in this latest session were predictably wide-ranging as the committee members looked for assurance from the regulators on how well prepared financial services firms are to withstand operational disruption, and to find out more about future plans to enhance the industry standards as well as develop the regulators’ own capabilities. Two key themes stood out for us.
Firstly, the PRA laid out that one of the desired outcomes of the forthcoming regulation (resulting from the Discussion Paper) is that reliance on legacy systems will be dramatically reduced for critical business services, if not eliminated entirely. In driving firms to look at their business services through a customer lens, and to consider their plan B in the event of disruption, they will quickly realise the time to recover their legacy systems will not meet the expectations of the world going forward. This is on top of the long-standing problem of a dwindling pool of experts with the in-depth knowledge of such systems. Maintaining the currency of technology estates was a key topic in one of our recent round tables with firms and continues to be a key debate. We shouldn’t underestimate this impact given the extent of the legacy technology installed in financial services. It’s also an area where there remains a lively debate: as we have said before, legacy and fragility are not interchangeable.
Secondly, we also want to explore a recurring theme from the session that is devilishly simple to talk about, but proves to be an Achilles’ heel to many firms in practice: the importance of communication. It is the final step in the process to improve operational resilience set out in the Discussion Paper and may be the most important part. Clear and confident communication can help to fill the gap in uncertain times. Poor communication, on the other hand, can undermine a firm’s response and even make things worse.
Perceived issues with customer communications was one of the driving forces behind the TSC inquiry. Failures at firms which affected many consumers are often in the spotlight not only for the underlying cause of the incident but for the manner in which firms have kept customers informed throughout the journey, and compensated for any losses. A key channel to tap into here is social media and the regulators are already on board with that. The FCA monitors social media to identify early warning indicators of issues in firms. The PRA have introduced simulated social media feeds into their practice exercises with firms to make them more lifelike and to test how firms can effectively they can keep their customers up to date and avoid panic. The PRA also referenced an incident within a member country of the Basel Committee of Banking Standards (BCBS) which saw a local bank suffer liquidity issues when social media messages led to a bank run. While this may be one localised example it has prompted the PRA and BCBS to consider whether the liquidity framework needs to factor these risks in.
The Committee resurfaced a proposal, raised last week with Barclays, Starling and Visa, that the industry should commit to resolving customers complaints more quickly. This could involve setting out standard timeframes to complete customer redress. There appeared to be support last week in the chamber and certainly no opposition from the regulators. However, in certain instances, such as suspected data corruption, firms may need to slow their response to make sure that remedial actions don’t exacerbate the problem.
We all recognise by now the impact the UK discussion paper has had in changing the narrative on operational resilience. While it is easy to tie yourself in knots on technical concepts like stress testing and impact tolerances, let’s not lose sight of some key messages which apply regardless of how big your firm is, or what sectors you operate in:
- Understand your customers and the critical services you provide;
- Understand how you deliver your services, legacy systems and all, and the plan B if a component fails; and
- Communicate clearly and confidently with your customers and other key stakeholders on how you’re putting things right.
We will share more on our interpretation to the regulatory approach to operational resilience in the period leading up to the Consultation Paper publication.