This article was first published in Thomson Reuters Accelus on 7 November 2014.
The action against RBS, for the delayed processing of customer accounts, comes at a time when the FCA is conducting its thematic review into IT resilience. According to officials, this sends a clear message to senior managers of banks and insurers with highly automated, inflexible and complex legacy systems.
"Given that older legacy systems are often not fully documented and that senior managers' understanding of the potential inherent risks and vulnerabilities associated with such systems is far from perfect, breaches will inevitably occur and more FCA enforcement action will follow," said Gavin Davey, a technology specialist director at accountancy and business advisers Moore Stephens.
In the case of RBS, the FCA unusually announced last year that, jointly with the Prudential Regulation Authority, it had started an enforcement investigation into the 2012 IT failure. This has now led to enforcement proceedings. An FCA spokesman declined to comment.
The timing could not be more sensitive given that the FCA is engaged in a thematic review into IT resilience in banks and building societies. The regulator started the review in the summer and it plans to report the results in the first half of next year. Separately, the Treasury Committee is probing the regulators about cyber security.
An RBS spokeswoman declined to comment on any timing around the FCA's enforcement proceedings, to which the bank first referred in its announcement of its third quarter results.
She said, however, that the bank had set aside £280m in provisions for items that included litigation and conduct costs around the IT incident, without giving any further breakdown, and that this would cover any regulatory fine. The spokeswoman added that this was part of the bank's £780m in provisions, which included £400m against potential conduct costs following foreign exchange investigations and a further £100m provision for payment protection insurance.
According to Gavin Davey, the enforcement proceedings demonstrate the FCA's commitment to moving its focus onto technology and cyber risks. "The risk of getting it wrong is greater for the big banks and insurers who have inherited complex systems compared with the smaller, more agile new banks. This is ultimately a board issue, not just one for the CIO," Davey said.
He said technology was ultimately the CEO's responsibility. It was easy to blame IT people and operations in this case, but they were "between a rock and a hard place" and often had limited budgets to do what they knew was needed.
Davey continued, "The FCA said in its 2014-15 business plan that it wants to examine how well boards understand IT risks. In my experience, many senior executives still see IT as a black box. Senior executives at RBS had to get a better understanding of IT risks and there was much at stake. You only need to see the downfall of the CEO of Target who had to leave the company following the major cyber-breach in December of last year."
The issue is company-wide. According to Davey, executives must ensure that those managing IT risk have adequate support. "Technology risks have not had enough focus from the regulators but the tide is clearly changing."
Davey said that banks' and insurers' legacy systems had been added to over the years, and that it could be difficult to understand the impact changes in one area might have elsewhere. Another difficulty was testing systems fully, given that many were required to operate 24/7.
He said that banks accelerating the transformation of their business models to a digital platform, like Lloyds, were increasing the risk exposure of technology failure and FCA action. Banks should ensure systems are fully documented, particularly where they might remain in place for some time. Managers should strengthen testing processes to find any unexpected impact on other areas of the system. An effective and timely incident management and recovery process was essential.
He said large banks and insurers had regulatory responsibilities to operate appropriate technology systems to meet customer needs but the sheer difficulty of managing technology risks such as cyber, software changes, and security made this a significant challenge.
"The IT risk can be reduced but not 100 percent eliminated. Systems will go wrong because it is impossible to test 100 percent. Firms need to focus on their early warning mechanisms to ensure that problems do not escalate to the extent that customers are affected," Davey said.
Cyber security is another side of the technology issues that are challenging both the FCA and the PRA. In an evidence session this week on fraud and cyber security, unrelated to the action against RBS, the Treasury Committee heard that fraud levels reported by banks might substantially understate the true scale of the problem.
"I will be writing to the banks and regulators to obtain a fuller picture on this issue," said Andrew Tyrie, committee chairman.