LONDON (Reuters) – British regulators should impose higher levies on banks if they need more resources to stop big IT glitches and should consider regulating cloud service providers such as Google, UK lawmakers said in a review on Monday.
FILE PHOTO: The Canary Wharf financial district in London, Britain, June 25, 2019 REUTERS/Hannah McKay/File Photo
The review was launched after a major IT meltdown last year at TSB, part of Spain’s Sabadell, which left thousands of customers locked out of their online accounts. The issue led to the resignation of TSB’s CEO Paul Pester.
Many market infrastructure services and technology that banks use are outsourced and the review said firms cannot use third party failures as an excuse when incidents occur, drawing attention to suppliers of cloud computing.
“The consequences of a major operational incident at a large cloud service provider, such as Microsoft, Google or Amazon, could be significant,” the review said. There is a considerable case to regulate cloud service providers.
With bank branches and cash machines disappearing, more than 70% of adults rely on digital services, leaving them vulnerable to IT glitches such as those also seen at Barclays and Visa last year, parliament’s Treasury Select Committee (TSC) said in its review.
Lawmakers said they accept that completely uninterrupted access to banking services is not achievable, but that prolonged or regular IT failures are unacceptable.
The Financial Conduct Authority and the Bank of England must take action, said Steve Baker, the lawmaker that led the review.
“They should increase the financial sector levies if greater resources are required, ensure individuals and firms are held to account for their role in IT failures, and ensure that firms resolve customer complaints and award compensation quickly,” Baker said.
Glitches are often due to changes to Britain’s patchwork of ageing “legacy” payments systems, but firms must not use the cost of upgrades to “cut corners” or as excuses to not make vital upgrades, the review said.
The Bank of England (BoE) last year aired setting “tolerances” for banks to recover from cyber attacks and IT disruptions, with targets for maximum allowable outages linked to a combination of benchmarks like volume of business and market shares.
Britain has introduced the senior managers regime, or SMR, to make named senior officials at financial firms directly accountable for operations they are responsible for so that regulators can take enforcement action.
Senior officials at market infrastructure firms, such as payments systems like Visa, which suffered an outage in 2018, should also be brought under SMR, the review said, echoing comments last year from the BoE’s Financial Policy Committee.
Lawmakers said regulators were taking too long to report back on what happened at TSB.
Stephen Jones, chief executive of UK Finance, which represents banks and financial firms, said the industry worked with regulators to ensure it could respond to any major disruptions or events.
“UK Finance continues to engage with government over how coordination between regulatory authorities could be improved, seeking to avoid overlapped or rushed mandatory change programmes that impact firms’ ability to protect their customers,” Jones said.
Reporting by Huw Jones; Editing by Susan Fenton