A couple of weeks ago, in the aftermath of the TSB and Visa IT problems, I wrote about the increasing importance regulators are attaching to IT resilience. This Wednesday, following Lyndon Nelson’s deceptively wide-ranging speech, it makes sense to return to the subject.
His underlying themes are interconnectedness and the continuing high pace of change, and, like many regulators, he uses historical comparisons to partially disguise what is quite a radical message.
But where Andrew Bailey, a few months back, used the 1846 repeal of the Corn Laws to make a point about Brexit and the importance of free trade, Lyndon Nelson here uses a variety of more personal examples, starting with the development of the ATM network from virtually nothing 30 years ago, to demonstrate how profoundly the operational risk landscape has changed since.
Of these two themes, interconnectedness seems to me to be the one that raises most alarms for regulators. There are three main reasons for this:
1. First and foremost, it challenges all their normal approaches to prioritisation, explicitly acknowledging that areas otherwise seen as low risk can, from an operational perspective, become the source of major problems. In this, it bears some resemblance to financial crime.
2. It partly disempowers the regulator, reducing below an acceptable level the degree of confidence it can have that the major bases are covered. Over time, if regulators and firms can build up a genuine history and identify patterns of weakness, this position may improve.
3. Finally, it runs counter to the prevailing regulatory narrative that regulation is predominantly forward-looking. Such confidence is usually displayed by those new to the coalface and is quietly but conspicuously absent from this speech, which, while majoring on the importance of preparedness, doesn’t shy away from the scale of the challenge, or from the need to be able to recover when an incident occurs.
Looking at it in the round, the scale and scope of the challenge presented here – which seems entirely realistic to me – logically requires a shift in the regulatory mindset.
Financial regulation, with the conspicuous exception of financial crime, operates on the basis that it has few conscious opponents. In other words, financial services firms essentially aim to comply with regulation rather than actively subvert it. This largely conditions how regulators approach their work, and enables them, in general, to maintain constructive relationships with the firms they regulate.
Clearly not all resilience and continuity issues have a conscious opponent at their source. But the existence of the possibility, coupled with the partly ageing, multiply-layered nature of the operational landscape, realistically reduces the extent to which firms (and Senior Managers) can be held responsible for specific issues.
Two potential ways forward spring to mind:
1. Agree with firms an accelerated timetable to modernise, and so simplify and significantly strengthen, the IT systems of the biggest firms.
2. Recognise more explicitly and publicly that problems will occur, both through cybercrime and via more conventional routes, and shift the regulatory emphasis towards how firms respond when these happen. This would include their communication with customers and arrangements to provide appropriate redress.
There needs to be a more open public discourse about the realities of regulation in the 21st century, involving politicians, the media and consumers as well as firms. This speech is a good start.
Lyndon highlights the risks posed by cyber and other operational incidents, given the financial system’s increasing reliance on technology and data. It is important for firms to have the ability to withstand, absorb and recover from operational incidents.