My Lords, it is the responsibility of firms to ensure the resilience of their IT systems. However, the financial authorities take the resilience of the sector seriously, which is why the Financial Conduct Authority and the Prudential Regulation Authority recently completed a technology resilience review of the largest UK retail deposit-taking firms. The review’s outcomes have not been published, but the authorities are developing work plans to ensure that further improvements are made to IT systems, and customers protected.
Two years ago, the FCA said:
“We want to make sure that the banks have resilient IT systems in place that are able to cope with consumer demand, so customers aren’t left financially stranded or disadvantaged”.
It has not happened. HSBC alone had three systems failures in January, the latest last Friday, the most critical day of the month. Even the Bank of England systems collapsed at the end of 2014. Can the Minister say that the banks are devoting sufficient time and resource to long-term solutions and not just looking for an even more short-term patch? What assurance can he give that the FCA is really on top of all this?
My Lords, it is true that there have been incidents, but none as serious as the one that occasioned the “Dear Chairman” review in 2012. Since then, they have not been as serious as that. I assure the noble Lord that the FCA and the PRA are taking this very seriously. They have initiated a second “Dear Chairman” exercise, which has sought to assess the improvements made since the first exercise and the extent to which good resilience practices are embedded with those firms. The regulators are aware that firms are spending considerable amounts on their IT systems.
My Lords, given the significant dislocation and inconvenience caused by recent non-malign interventions on the bank systems, what degree of confidence does the Minister have that they are in a position adequately to protect against malign interventions, such as hacking, breaches of privacy, and theft of financial details and indeed of finance itself?
My Lords, it would be very unwise for anyone to say that they were totally confident that cyberattacks are totally protected against. What I can say is that the Government are taking it seriously, and the Chancellor has announced that they have doubled spending on cybersecurity to £1.9 billion. The Financial Policy Committee has been given a remit by the Chancellor specifically to look at operational resilience. The PRA has financial stability as its core remit.
The people who suffer most from this are indeed the customers, particularly on the last occasion—on what was probably their first pay day this year. What action are the Government ensuring is taking place to make sure that those consumers can be compensated without each of them having to take their own case and prove their own personal discomfort?
Of course, the point of setting up the regulatory system is that it is for the regulators to deal with consumer detriment, which is exactly what the Financial Conduct Authority has done. I believe that the banks involved in this have said that they would not allow consumers to suffer detriment.
My Lords, does the Minister recognise that part of the problem is that the long-standing banks have computer systems that go back a long way and which are often very difficult to modernise? They cannot suddenly turn off the whole of their system for a fortnight and put in a brand new one, so existing systems keep getting added to until the scope for mistake and failure if anything gets greater.
I accept that old IT systems are more difficult to modernise than starting from scratch. That is why many challenger banks are now in the pipeline, ready to compete with the older banks. The Government support challenger banks and encourage customers who wish to change their banks to do so, and 2.1 million customers have done so under the CASS system.
My Lords, the unmodernised IT systems that the noble Lord, Lord Flight, just described add to the cost of every transaction by every customer. Does the Minister believe that this is an issue of customer detriment that ought to be investigated by the FCA? Will he back long-term bank investors who have been calling for far more disclosure of how the banks spend their IT money so that they can identify risks and support the banks that are making the necessary long-term investment?
I agree that disclosure should take place within market norms, and that commercial organisations should be encouraged to disclose. I completely accept that. As far as the expense is concerned, it is a bit difficult; either we want the banks with old IT systems to bring them up to date or we do not, and to do so will cost money.
My Lords, what are the Government doing to pursue the perpetrators of fraud on the internet? The Select Committee several years ago recommended that the American practice be used, whereby those defrauded on the internet are required to report that fraud to the police before the bank is allowed to deal with it. Are the banks obliged to report fraud to the police so that someone can pursue it in a co-ordinated way?
In support of my noble friend Lord Reid, this problem is getting exponentially worse. Is it not right to say that banking and the money markets are effectively part of our critical national infrastructure? As was just said, although we are now encouraging people to report attacks on their systems, there have been some huge attacks—for example, on the New York Stock Exchange—where victims have refused to comment on it because they are scared of denting investor confidence. It is crucial that these things are reported so that we can learn lessons and move forward.
I am not sure the noble Lord is correct that the problem is getting exponentially worse. However, I accept that the threat is evolving and changing all the time, and we certainly cannot be complacent. The Government have set up the Computer Emergency Response Team to co-ordinate responses to cybersecurity incidents that threaten critical national infrastructure, and it is certainly the case that the regulators require all firms to report any cyber-related or operation-related incidents in their IT systems to the regulator.