Out-Law News
06 Jun 2023, 2:47 pm
Digital transformation is unavoidable for financial services firms wishing to remain competitive.
Evolving customer demands and the need to increase efficiency mean that there is pressure on firms to put services online. This pressure was building before 2020, but the pandemic accelerated the shift towards digital channels.
Alongside changes in customer expectations there has been technological and regulatory change which has resulted in increased competition in financial services markets. It means that firms that want to succeed in this increasingly competitive environment need to make sure that their technology systems can support digital offerings.
However, delivering digital transformation projects successfully is a challenge and, amidst increasing scrutiny of the resilience of firms’ core systems, there are potential implications for firms – and the senior managers that work for them – if things go wrong.
If firms want to work with artificial intelligence (AI) and machine learning solutions to process data for the purposes of gaining customer insights and assessing risk profiles, in a way that means they can provide more personalised services to their customers, they are likely to turn to cloud-based solutions.
The cloud offers firms digital infrastructure from which to offer customer-facing products and services, as well as a place to operate software and store and process data. Cloud solutions are also scalable to a firm’s needs, helping firms limit costs and control emissions.
However, moving from legacy systems to digital solutions is a complex process.
From a practical perspective, migrating data from legacy systems into cloud platforms is unlikely to be as straightforward as a 'lift-and-shift', and requires careful planning and testing – as well as planning for exit, where not dealing with commercials and IP up-front can present challenges later.
There are regulatory issues to consider, with a central theme emerging in recent times being operational resilience – the expectations of policymakers and regulators in both the UK and EU in this regard continue to grow, and firms must ensure that they flow operational resilience requirements into services contracts.
Recent comments made by Ofcom about the UK cloud infrastructure services market specifically also highlight how regulators are concerned about interoperability and the risk of supplier ‘lock-in’, while concentration risk – risk associated with multiple financial institutions operating important infrastructure through the same cloud provider – has been on financial services regulators’ radar for years.
Cybersecurity is another vital consideration in what is a rapidly evolving threat landscape, where ransomware risk is particularly prevalent. There is increased emphasis on being able to show that appropriate cybersecurity measures have been put in place, and having a plan to deal with cyber incidents. However, the shift to cloud-based infrastructure, with its regular updates and patching, arguably offers firms better protection than in-house legacy systems.
Digital transformation projects could once be viewed as something senior managers could internally outsource to their IT teams to deliver, but not now.
Discharging senior management function responsibility in the context of complex technology change programmes is challenging and, in UK financial services, comes with both corporate and personal liability if not done effectively. It involves a broad range of risk management responsibilities, feeding into governance and assurance across the programme, and extends to all involved parties – including third party suppliers and sub-contractors throughout the supply chain.
Recent action taken by the Prudential Regulation Authority (PRA) has emphasised how supplier contracting and oversight, alongside a laser focus on operational resilience risk, are vital in decision making. On 13 April 2023, the PRA confirmed that it had fined the former chief information officer (CIO) of TSB Bank plc (TSB), Carlos Abarca, £81,620 for a breach of the senior manager conduct rules.
Abarca was found to have responsibility for TSB complying with the PRA's outsourcing rules, and he was considered responsible for TSB's key outsourcing relationship with its main third-party supplier for the IT migration programme, SABIS. He was found to have failed to ensure that TSB had itself obtained sufficient assurance from SABIS that it was prepared for migration before giving assurance to the TSB board that this was the case.
Pinsent Masons hosted a webinar on technology transformation on 6 June 2023. Our panel of technology, cyber and information law experts considered how financial institutions can implement effective technology change programmes by addressing issues such as governance, oversight and risk management, and the role of operational resilience in technology change.
Other issues addressed at the event included commercial issues in technology contracts and the management of third party risk, data migration risks, the management of supplier disputes, and cyber risks when moving away from legacy systems.
Written by Anita Basi of Pinsent Masons.