New FCA report highlights technology change risk to consumers

Failed technology changes are one of the main causes of operational disruption in the financial services sector, accounting for a quarter of high severity incidents that cause harm to consumers and the market, according to research by the regulator. It has published a report of its findings, including steps that firms can take to protect consumers from harm and disruption in the market.

The FCA found no single measure increased the likelihood of success of a technology change or update. Instead, its research showed that a combination of stronger governance, day-to-day risk management, increased automation and more robust testing and planning tended to reduce disruption and contribute to successful deployment.

Other factors identified by the regulator included a lower proportion of legacy IT infrastructure, which meant that emergency 'quick fixes' were less likely to be needed; smaller, more frequent releases of new technology delivered using agile methodologies; better visibility of third-party changes; and allocating a significant proportion of the overall IT budget to technology change activities.

Financial technology expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law, said: "The FCA's findings are consistent with the approach regulators are taking across the world towards financial services technology risk".

"Amongst its findings, the FCA has focussed on a lack of visibility of change across supply chains that have the potential to result in incidents and disruption. Obtaining assurance within third party contracts around effective communication of change and the ability to track third party changes were highlighted as some of the steps to take in order to address these risks," he said.

The FCA's report was based on analysis of over one million production changes implemented by a sample of firms of varying sizes and business models over the course of 2019, supplemented by a number of questionnaires and industry workshops. In general, changes were managed effectively by the industry during this period, with only 1.6% of technology changes resulting in an incident. However, due to the sheer volume of changes, this still amounted to over 13,767 incidents in 2019, of which 14% had a customer-facing impact - or around 80 customer-facing incidents per sample firm.

The research also found that major changes were twice as likely to result in failure, at a rate of 3.8%, or 2,600 total incidents. Emergency changes were slightly less likely to result in failure than other types of change, with a rate of 1.5%, which the FCA said could reflect stronger risk awareness by firms when it came to implementing emergency changes.

Financial firms rely heavily on third party providers for the delivery of business services, with third party teams accounting for 30% of the development activity conducted by firms in the FCA's sample. However, most of the sampled firms did not track third party changes. Of all IT failures reported to the FCA by regulated firms in 2019, 18% were caused by third parties, of which 22% were due to third party change activity, the FCA said.

The FCA found a positive correlation between firms having well-established change management governance arrangements, in place for a year or longer, and change success rates. Governance arrangements should be reviewed regularly, including on an ad hoc basis following major changes, the FCA said. Firms that continually managed risks as part of day to day project management, and which had access to a wide range of technical and business knowledge, also tended to experience fewer incidents.

The report also identified a number of additional 'risk factors' that firms should be alert to. These included the change project being "dependent on other projects delivering their objectives"; projects implementing technologies not previously used by the organisation; and reliance on third parties.

Financial regulation expert Andrew Barber of Pinsent Masons said: "As the FCA highlighted in its explanation of why it conducted the review, a number of significant IT failures in the last 10 years have shown the importance of effective technology change management. This is a particularly important consideration for management, given change related incidents are consistently one of the top causes of operational disruption".

"Firms looking to implement change that want to try and avoid incidents should carefully review this report. While each business will be unique, senior managers should learn from the successful practices of others - and from where change has not been implemented well. Ongoing failings by firms and their management in this area may well lead to scrutiny by the FCA, with the relevant managers then open to potential action under SMCR," he said.