FCA risk outlook highlights need for broader debate on cloud adoption in financial services, says expert

The regulator's risk outlook identified a "lack of technological resilience", the complexity of IT systems, the tension between the need to innovate and simultaneously operate existing infrastructure and "a lack of IT expertise at board level" as "significant challenges" financial firms face. It warned that a failing with technology "poses both conduct risks and potentially a systemic risk".

The FCA said it plans to "focus on identifying the impact of operational resilience risks in the firms likely to cause the most disruption to markets and consumers resulting from an incident, and how firms deal with such risks and impacts".

"Weaknesses in systems and a lack of expertise may expose firms to the increasing risk of cyber-attacks, posing risks to consumers and markets, though this is an issue that also applies to new entrants as well as firms with legacy systems," the FCA said. "These attacks are inevitable but firms need to ensure that they have defences and plans in place to deal with them."

Expert in financial services and technology Yvonne Dunn of Pinsent Masons, the law firm behind Out-Law.com, said that issues with legal IT systems in the financial services sector are well documented and that there is growing argument that cloud-based systems might help enable both the innovation firms desire as well as stronger security.

"There is an interesting debate to be had about whether cloud technologies are evolving such that they are becoming as secure or even more secure than legacy systems," Dunn said. "Cyber attacks are rapidly evolving and there is a question mark over the ability of legacy systems to keep up, whereas firms can take advantage of greater flexibility offered in the cloud and the technological expertise of cloud providers in regularly updating their offerings."

In its business plan for 2016/17 that the FCA has set out alongside its risk outlook it outlined its intention to notify firms of its "expectations ...with regard to effective IT and operational resilience, and working with them to understand their capabilities in this area".

The FCA said: "This will include the ability for firms to identify key assets, manage and protect them appropriately, be able to detect when things go wrong, respond and recover effectively, as well as having the necessary governance in place to manage the risks and learn from experiences. We will also continue to carry out reactive work when outages occur to understand their impact on consumers and markets and how firms respond to them."

A further focus of the FCA's work in the upcoming year will be on supporting initiatives to help address cyber crime, it said.

The regulator also announced its plans to act on a recommendation contained in the recent Financial Advice Market Review (FAMR) and establish a dedicated unit to "support firms with automated advice models with the potential to deliver affordable and accessible financial advice to consumers".

The FCA will also progress its regulatory technology (regtech) initiative and confirmed that it will open a new 'regulatory sandbox' "this spring" to "give firms which meet our eligibility criteria a safe space to test innovation without immediately having to meet all the normal regulatory requirements", it said.

The regulator said it also wants to deepen its understanding of the use of big data by insurers and its impact on competition.

"We will use the results from our call for input on big data use in the general insurance sector to better understand how big data affects customers and whether it fosters competition," the FCA said. "We will also analyse how our regulatory framework affects big data developments to decide whether we will conduct a market study or take a different approach. This will be our first detailed study of big data and we will use what we learn in our work with other sectors."

Among the other things the regulator said was that it wants to see "firms managed in a way that promotes appropriate culture and behaviours". Financial regulation expert Josie Day of Pinsent Masons said that the importance of financial firms having a good culture and governance framework in place is increased by the fact that senior staff can now be more easily held to account for failings.

Competition law expert Jenny Block of Pinsent Masons, the law firm behind Out-Law.com, said: "The recognition of how technology is transforming the financial services industry is embedded throughout the business plan, including a reflection on impacts on competition and innovation. These transformational changes have the capacity to encourage new market entry as well as increasing customer choice in other respects by creating more sophisticated tools to make comparisons between products and service providers easier."

"There is also a welcome recognition that FCA policies may themselves have the potential to stifle competition which should feed into better targeted interventions and regulation more generally," she said.

On Wednesday digital-only bank Atom launched in the UK. Atom chief executive Mark Mullen said the start marked "the start of a remarkable transformation of the banking landscape for everyone".

"Our approach will be to constantly evolve and extend our offering, with monthly updates to our app and a dedication to providing a better value, greater transparency and a much more innovative banking experience," Mullen said.