The Financial Conduct Authority (FCA) has published the outcome of its extensive review into the effectiveness of technology change management in the Financial Services sector. The report identifies a number of risks and problems facing firms that introduce new technology in the pursuit of innovation, disruption, or operational efficiencies. The review looked at nearly a million 'production changes' implemented by firms, seeking to identify the impact on customers and the key causes of failures or operational disruption.
While the opportunities offered by new technology to leverage digitalisation are clear, the process of change can present significant operational risk. Service outages present an increased risk to customers reliant on firms' services, and can lead to an increased threat of regulatory enforcement activity (as well as the associated reputational risk to the firm and public loss of confidence). The FCA is applying greater scrutiny not only to the operational resilience of regulated firms implementing such changes, but also to the governance and oversight of the changes themselves.
Low incidence but high volume
Although only 1.6% of technological changes resulted in incidents, because there are so many technology upgrade projects underway, that still meant 13,767 incidents arose due to technology change in 2019 alone.
High customer impact
Of the 'high severity' customer-facing incidents in that period, nearly a quarter (24%) arose from technological change.
Impact of legacy technology
Perhaps the most interesting finding from the FCA's investigation was that reliance on existing infrastructure and software - or 'legacy technology' - whilst implementing changes was linked to higher rates of incidents.
While it might be expected (as the FCA found) that the inertia of legacy technology acts as a drag-anchor, preventing firms from moving to newer, more innovative technologies, it might equally be expected that keeping familiar systems and tools in place while new technology is introduced would ease the transition from old to new.
That was not the case: the FCA's investigation suggested that reliance on legacy technology only served to highlight the deficiencies in the legacy technology and the operational friction between old and new, leading to the need for more urgent, emergency changes, with lower success rates. Maintaining reliance on the legacy technology while trying to implement the new was a primary cause of operational incidents.
The conclusion appears to be that agile firms that are founded with newer technology, or have the resources and competence to introduce wholesale change, are more likely to avoid operational disruption. This suggests that newly established FinTechs are likely to remain the best placed to take advantage of the most up-to-date and innovative technologies available to firms and to consumers.
Unsurprisingly, the FCA identified that firms that had well established governance arrangements, effective risk management procedures and higher budget allocation to implementing technological changes – and which released updates more frequently and used agile delivery techniques – were more likely to be able to implement their technological changes with more success, and with fewer incidents (or fewer serious incidents) than those who did not.
In addition to the difficulties raised by legacy technology noted above, the FCA identified three other main risks faced by firms in implementing technology changes:
Visibility of third-party changes
Firms that were reliant on third-party software were often not able to monitor changes in that software effectively, which could have negative effects. Nearly a third of development activity came from firms on-boarding third-party software and, given the heightened operational risk, this was also the top cause of incidents.
Firms have a non-delegable obligation to take a risk-based approach to ensure they have appropriate systems and controls in place to identify and manage the operational risks from reliance on third parties relating to 'critical or important' functions (SYSC 8.1), important operational functions (Reg. 26 EMRs 2011 and Reg. 25(3) PSR 2017) and generally under the FCA's Principles for Businesses.
The FCA has had guidance in place on the use of third-party IT services since 2016. Given the impact of reliance on third parties for technological change, and the operational disruption arising from such reliance, we expect an increased focus from the FCA on this area in the near future. This follows its wider consultation on operational resilience in CP19/32 (which closed in October 2020) and the increased focus on resilience arising out of the COVID-19 response.
Effective oversight of major changes
When implementing major changes, firms often rely on a 'change advisory board' (CAB) to provide oversight of the changes. Although most respondents to the FCA's enquiries about these governance arrangements indicated that they were confident about their ability to assess risks and approve major technologies, it is likely there was a degree of response bias in these comments (respondents being overly positive about their own actions), given that they do not appear to be supported by the FCA's wider findings.
The FCA found that there was a tendency towards CABs 'rubber-stamping' implementation without effective challenge: in 2019, CABs approved over 90% of the changes reviewed, often without any challenge or rejection. This raised important questions about the effectiveness of CABs and, in particular, the competence of the individuals appointed to sit on those boards.
As noted in our Insight on digital risk, there is a growing need for boards to include senior management with digital experience, particularly where there is a need for oversight of major business changes, to ensure regulatory compliance and personal compliance with statutory duties (in particular, section 174 Companies Act 2006). Continued concerns about the effectiveness of management oversight of technological change are likely to lead to increased regulatory focus on this area.
Reliance on manual testing / review
The FCA's review found that automating testing and review processes would not only reduce the financial burden of assurance, but could actually increase confidence through ease of repeatability and consistency of review throughout the process. However, there is also a concern that automated testing lacks the flexibility to respond to the need for specific, ad hoc testing if it arises.
Osborne Clarke comment
Technological change is an inevitable requirement for Financial Services firms to innovate and stay competitive in an evolving market. It is essential that firms have the competence and resources to implement those changes effectively, and without disrupting operational resilience. Better-prepared firms are more likely to be able to maximise those advantages and avoid regulatory enforcement activity.
Firms need to ensure they are investing in their operational resilience, including having clear lines of senior management accountability and responsibility. Failure to have adequate systems and controls in place may result in enforcement activity from the FCA, including fines.
This is an issue that financial services regulators are looking at in other jurisdictions, with the Monetary Authority of Singapore recently releasing updated guidance on technology risk management, emphasising the need for strong oversight and governance, and the risks associated with third-party technology providers.
As the financial services industry embraces increased levels of remote and flexible working, having an understanding of how technology change might affect the services being provided (and in turn, the outcomes for consumers and the market) should be high up on the list of firms' priorities.