City regulators have told banks and financial firms they may have to set an acceptable “maximum outage time” after an IT meltdown, following the TSB failure that led to some customers losing access to accounts for more than a month.
In a joint initiative by the Bank of England and the Financial Conduct Authority, firms have been given a 5 October deadline for reporting on their exposure to risks and how they will respond to outages.
The Bank and FCA suggested two days as an acceptable limit for disruption to a business service, under one scenario in the consultation paper.
UK regulators have been alarmed by the payments chaos which followed a hardware failure at Visa that hit millions of transactions across Europe in June, weeks after a botched IT upgrade at TSB resulted in turmoil for the bank’s customers.
“As recent disruptive events illustrate, operational resilience is a vital part of protecting the UK’s financial system, institutions and consumers,” said officials in a discussion paper, which is likely to be followed by new sanctions and penalties for firms failing to meet standards.
The discussion paper alludes to TSB’s issues, saying better back-up plans are needed at financial services firms and that outsourcing to third parties overseas is a “challenge”.
TSB’s service collapsed after an IT upgrade managed by its Spanish parent group, Sabadell, involving external consultants in Madrid.
“Additional challenges occur where firms operate internationally or outsource a significant level of activities to third parties,” said the joint FCA and BoE paper.
Financial firms will have to demonstrate to regulators that they have a plan for when crucial systems such as online banking or payment services are disrupted, either by systems failure or deliberate attack.
A common feature among IT outages has been customers being left in an information vacuum, complaining on Twitter but failing to receive an explanation of what is happening or when it will be resolved. The FCA and BoE said better communication with customers would be a crucial part of assessing companies after an outage.
“The speed and effectiveness of communications with the people most affected, including customers, is an important part of any firm’s overall response to an operational disruption,” it said.
Firms failing to maintain adequate back-up plans could be required to take action such as bolstering capital levels or investing in making their systems more resilient.