Legacy systems are a problem for banks, says UK regulator
The UK's Prudential Regulation Authority (PRA) – a division of the Bank of England – has told a government committee that financial services firms are using legacy software systems “extensively”, with some still writing over code from the 1970s. This is despite evidence that outdated systems lower operational resilience, the PRA says.
Lyndon Nelson, Deputy CEO of the PRA, was speaking at a Treasury committee evidence session on IT failures in the financial services sector on July 24th. Also speaking were Alison Barker, Director of Specialist Supervision at the Financial Conduct Authority (FCA), and David Bailey, Executive Director for Financial Market Infrastructure at the Bank of England.
Nelson said that the PRA often sees firms using outdated systems, including mainframe computers running software written in COBOL code, and said this “cannot carry on.” He cited software problems experienced in 2012 by RBS – when some 17m customers were unable to make online transactions – as “largely a legacy issue”, suggesting firms are unaware of the risks they run by using these systems.
RBS was fined £42m in 2014 over the outage. Nelson also said that legacy systems pose recruitment problems, as new employees no longer know how to work with them. Reinforcing findings from the Bank of England’s joint discussion paper on operational resilience published in 2018, he said resilience “is as much about people and processes as it is about silicon.”
Nelson, Barker and Bailey also contested the idea that the volume of regulatory change, driven by new technologies, is increasing operational risk for financial firms. Barker said that consumer demand necessitates change, as expectations around bank services develop. “[There is] lots of innovation in the financial space,” she said. “As regulators, we welcome that.” The question is not whether change should be made, but rather: “How do firms manage change?” Bailey added: “Change can bring risk, but not making change can also bring risk.”
Nelson said that now is the time for financial services to leave legacy systems behind and become more agile. He advised companies to be aware of when their systems will become obsolete, to know how to replace them, and to “think ahead of the curve” in order to preempt technical problems. When asked by the committee whether the PRA has objected to mergers and acquisitions between financial services firms due to concerns over a company’s operational resilience, Nelson said: “We have and we will.”