Categories

The March 2022 Operational Resilience Deadline looms. Are you ready? (Chris Hansen)

The recent internet outage caused by a fault with cloud computing service Fastly, which took down thousands of websites in multiple countries, was a painful reminder of the importance of operational resilience. Payment provider PayPal was among the most heavily-used services to be hit, and the failure was reminiscent of TSB’s IT meltdown in 2018 when nearly two million customers were locked out of their accounts for weeks following a botched migration to a new system. The event prompted a parliamentary committee report in 2019 calling on regulators to intervene to improve the operational resilience of the financial services sector, in the same way action had been taken to improve financial resilience after the financial crisis.

Two years on and regulators continue to look closely at the issue, and are forcing banks to adhere to ever-more stringent requirements. The European Banking Authority (EBA) introduced guidance for European (including UK) financial services firms on outsourcing software in 2019, which set out a new harmonised framework. All outsourcings entered into, reviewed, or amended after 30 September 2019 must comply with the guidelines, including a clause giving the EBA direct access to third-party software providers. The next six months should see a flurry of activity between banks and their lawyers as all existing outsourcing arrangements, other than those relating to cloud hosting services, must be updated in line with the guidance by the end of this year.

UK regulators are also laser-focused on banks’ operational resilience to ensure that financial markets remain stable and customers are not adversely affected. The Financial Conduct Authority (FCA) requires banks to carry out “scenario testing” between now and 2025 to ensure its systems are robust and able to hold up at all times. In carrying out the scenario testing, banks must, according to the FCA, “identify an appropriate range of adverse circumstances of varying nature, severity and duration relevant to its business and risk profile and consider the risks to the delivery of the firm’s important business services in those circumstances”. Where the bank relies on a third party for the delivery of its important business services, the FCA would expect it to work with the third party to ensure the validity of the firm’s scenario testing.

The Covid-19 pandemic has also brought the importance of operational resilience and back-up plans into sharper relief. Although financial markets held up remarkably well in the face of record trading volumes and volatility last spring, there were cracks which underlined the need to ensure business continuity at times of stress. In particular, banks which outsource their software to other countries can’t always assume that it will be “business as usual” when challenging situations arise, and need to consider that some countries may not have a consistent level of internet access at times of market volatility.

If there’s one positive we can take from the pandemic, it’s that it has massively accelerated the innovation cycle for both in-house IT teams and third-party software providers seeking to ensure operational resilience, and this is a trend we expect to continue. With most software development, the innovation cycle has three stages: validation, integration, insulation. Validation involves determining whether the software does what you want it to do; integration involves bringing the software into your existing architecture; and insulation involves making sure you’re protected if your third-party software provider fails. We think small fintechs are the keys to unlocking and driving this innovation, although reduced risk appetite from investors post-pandemic may mean that more unviable fintechs will fail.

The move to Software as a Service (SaaS) platforms has been rapid and is another conduit to innovation, yet many banks are still hanging on to their legacy, on-premises software solutions. SaaS advances innovation because it provides more frequent software updates and allows you to always be live with the latest version. Innovation is paramount in gaining and maintaining a competitive advantage. Pandemic or not, companies must continue to innovate, and some would argue the need is even greater during disruptive times.

Regulators may be putting more requirements on banks regarding outsourcing to third-party software providers, but they are firmly behind their use of SaaS providers and other fintechs. Fintech is a major focus in London retaining its position as a major trading hub post-Brexit, and the recent Kalifa review of UK fintech recommended a wide-ranging package of funding and measures to create a new regulatory framework for emerging technology, and highlighted the need to create an environment for its adoption.

The traditional way to mitigate the risk of outsourcing software (and thereby mitigating operational resilience risk) is to require the software developers to store the “source code” of the software and explanatory documentation in an escrow account. Source code is the sequence of logical statements and operations written in a human-readable computer programming language that controls the processing of data and the functionality of software. The source code and related documentation are released if a “release event”, such as the software developer filing bankruptcy or failing certain obligations under the license, occurs. Following the release event, the promise of a source code escrow is that the customer can obtain the code to maintain the software without the original developer.

But source code escrow is flawed and does not provide continuity. Under the terms of an escrow agreement, it typically takes many weeks for code to be released. It is then the client’s responsibility to compile, release and operate the software which is rarely feasible. By the time the expertise and resource have been found the damage has already been done. So instead, Adoptech takes a different, unique approach. If a SaaS provider fails, we are able to step in with a dedicated, customer specific, replica cloud environment, minimising the impact on customers and ensuring that business-critical software, data and operations remain available until a resolution is found. We can also help banks switch to an alternative SaaS provider within 24 hours if required. By offering this approach, we can help banks comply with outsourcing regulations and ensure operational resilience.

To conclude, as more and more banks outsource their software and the pandemic exposed cracks in some systems, regulators are more focused than ever in ensuring operational resilience in the event of financial market shocks or failed third-party providers. Compliance with the ever-changing regulations is crucial, as is the ability to “keep the lights on” when a major technical failure occurs. The technology industry is working inventively and tirelessly to change finance for the better and give banks and their customers the continuity of service that they need.

Source