Platforms, outsourcing, tech risks and the regulator

Out-Law Analysis | 18 Mar 2015 | 2:51 pm | 6 min. read

FOCUS: With the value of assets placed on UK wealth and investment platforms increasing, it is more important than ever that the technology underpinning those platforms is resilient and able to serve investors in a reliable and secure way.

City regulator the Financial Conduct Authority (FCA) "is set to look at platforms’ technology systems later this year", Money Marketing reported in January.

With the regulator due to outline the areas of risk it will focus its attention on in the coming year before the end of this month, we take a look at what some platforms in the market are doing to preserve the continuity and integrity of their services and what their obligations are under financial services rules.

A case study in tech change

Last year, the Edinburgh-based investment platform Nucleus implemented a major upgrade of the technology powering its platform. Andrew Smith, chief technology officer at Nucleus, told Out-Law.com that the new software it sourced from technology provider Bravura is pioneering, will help the company "scale effectively", and could still be used by Nucleus 10 to 15 years from now. He said Nucleus is confident the platform will not fall down under pressure of increased use.

"With the majority of assets on the platform held in model portfolios, the number of transactions and re-balancing being carried out on a daily basis had steadily increased over time," Smith said. "We identified the need for the platform to be able to continue to scale over the longer term to accommodate this substantial increase in assets, clients and trading numbers."

"We’re secure in the knowledge that we can grow and develop the platform now, knowing it can scale easily and with minimum overheads. Most importantly, our platform can now deal with an improved number of transactions as it is able to support a substantially heavier load which allows us to get on with growing the business unhampered," he said.

Smith said that Nucleus had "carried out a rigorous performance test" of its system before going 'live' with its software upgrade last June and that it is planning a further "full performance test" later this year. Other measures are in place to ensure the resilience of Nucleus' platform too, he said.

"Our on-site business analysts monitor system performance regularly and very closely to ensure that where we identify a certain scenario which could be a concern, such as a degradation, we can act quickly to rectify it," Smith said.

"A strict business continuity plan is carried out every six months. We have exactly the same platform kit replicated on dedicated servers on a secondary site with a real-time link and we can switch our operating systems between here and our secondary site in less than 20 minutes. Our servers here and off-site offer full flexibility and if we need to switch over just a part of our server to the secondary site to ensure the platform is fully supported 24/7, then we can easily do so," he said.

Nucleus is also prepared for a total systems failure, he said.

"If we did have a catastrophic failure with our main server, we would switch to the secondary site, the worst case scenario being the loss of only 20 minutes-worth of trading data. At the same time, we would instigate a full communications exercise to ensure that all users were kept fully informed and all trades would, of course, be rectified."

Smith said that the Nucleus platform is tested for vulnerabilities every three months by an external provider. He said Nucleus' business analysis team takes "informed decisions around the points to action from the report" it receives from the supplier.

The picture elsewhere in the platforms market

Hargreaves Lansdown told Out-Law.com that it owns all of its IT infrastructure and developed it in-house. It said it also maintains the vast majority of that IT in-house but that it does make use of "carefully selected third parties for specific projects". However, it said that it does "buy in hardware" when it needs to and maintains it in-house.

The company did not say how long its IT infrastructure has been in place or specify if it has any plans to upgrade other than to say "investing in the IT infrastructure is an ongoing process". It said it has taken steps to ensure the resilience and 'uptime' of its platform services.

"We have invested heavily in ensuring we are able to meet the demands of our clients and the business, including sophisticated monitoring measures," a spokesperson for Hargreaves Lansdown said. "We also conduct regular capacity and disaster recovery tests which enable us to see if there are any improvements needed."

Standard Life said the underlying IT behind its platform is provided and maintained by technology provider FNZ and that the technology is the same as it was when the Standard Life Wrap was launched in 2006. The company told Out-Law.com that it operates a "substantial ongoing investment programme to support evolving adviser requirements" and takes steps to preserve the 'uptime' of the service.

"We have invested heavily to ensure the scalability of our infrastructure and review capacity on an ongoing basis," Standard Life said. "The platform is fully backed up daily and we have a full business continuity plan in place including recovery sites and backup servers. System performance is subject to constant monitoring and the results are factored into our scalability planning."

AJ Bell's investment platform is powered by both in-house and third party software. It said the company has "made a significant investment" in its IT. The company said it has "formal systems and controls" for ensuring data security and carries out regular reviews and testing, including regularly subjecting its systems to "penetration testing" by external experts.

AJ Bell also has a formal business continuity plan to fall back on "should an event occur that threatens the operation of the business", it said.

"We have a designated disaster recovery site with a leading specialist provider, and key personnel from across the business have been selected to form the core business recovery team if needed," AJ Bell said. Staff undergo training in disaster recovery and participate in testing and "simulated events" to "ensure the plan remains robust", it said.

The regulation of platforms technology

The FCA does not regulate technology providers, only the financial services businesses that use them to build and maintain platforms on their behalf. The FCA has stressed that the responsibility lies with firms to make sure their systems are up to scratch.

The FCA Handbook contains demands that firms put in place systems and processes that are "appropriate…to the nature, scale and complexity" of their business.

Platforms are also subject to rules on risk management and business continuity and, in particular, are required to "take reasonable steps to ensure continuity and regularity in the performance of its regulated activities". They must maintain a business continuity policy that ensures that, if they experience disruption to their systems, losses are limited, essential data and functions are preserved, and the provision of regulated activities is maintained.

Last summer, the FCA published a regulatory checklist for banks to consider if thinking about using third-party technology. The checklist, although not directly relevant, provides useful guidance on IT outsourcing for platforms.

The FCA's checklist identified the financial viability of outsourcing service providers, compliance with data protection laws, systems interoperability, incident management and ownership of intellectual property rights as issues for consideration when outsourcing. The regulator also stressed the importance of good governance by banks over their technology suppliers and recommended that banks put in place an "exit plan" for when their IT contracts with suppliers are due to come to an end.

In addition, for critical services, the FCA said banks should ensure the IT services they are outsourcing "are effective, resilient and secure and have been appropriately designed to meet expected future as well as current business needs so as to avoid risks to our objectives".

Resilience and data security in financial services is an issue that regulators beyond the UK have also taken an increasing interest in. In September 2014, the Joint Committee of the European Supervisory Authorities (JCESA) said banks and other financial institutions "do not yet appear" to sufficiently understand the IT risks they face. JCESA represents the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority.

"Institutions should … reinforce IT controls and audits covering all parties along the value-added chain of IT (e.g. IT-service providers, third-party providers and IT-outsourcing providers)," JCESA said.

Whether the FCA will decide to take a more direct approach to regulating platforms technology is unknown. With its fine of RBS last year, however, the regulator has shown a willingness to penalise regulated businesses that suffer technological faults that impact on consumers.

Whether IT is provided and maintained in-house or externally, platforms must be able to demonstrate they have the systems and controls in place to handle 'outages', minimise disruption and take speedy corrective action. It could be, with the Risk Outlook set to be published before the end of March, that the FCA will be taking a close interest in this area very soon.

John Salmon is a financial services and technology law expert at Pinsent Masons, the law firm behind Out-Law.com