Financial technology expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law, said: “The FCA’s findings are consistent with the approach regulators are taking across the world towards financial services technology risk”.
“Amongst its findings, the FCA has focussed on a lack of visibility of change across supply chains that have the potential to result in incidents and disruption. Obtaining assurance within third party contracts around effective communication of change and the ability to track third party changes were highlighted as some of the steps to take in order to address these risks,” he said.
The FCA’s report was based on analysis of over one million production changes implemented by a sample of firms of varying sizes and business models over the course of 2019, supplemented by a number of questionnaires and industry workshops. In general, changes were managed effectively by the industry during this period, with only 1.6% of technology changes resulting in an incident. However, due to the sheer volume of changes, this still amounted to over 13,767 incidents in 2019, of which 14% had a customer-facing impact – or around 80 customer-facing incidents per sample firm.
The research also found that major changes were twice as likely to result in failure, at a rate of 3.8%, or 2,600 total incidents. Emergency changes were slightly less likely to result in failure than other types of change, with a rate of 1.5%, which the FCA said could reflect stronger risk awareness by firms when it came to implementing emergency changes.
Financial firms rely heavily on third party providers for the delivery of business services, with third party teams accounting for 30% of the development activity conducted by firms in the FCA’s sample. However, most of the sampled firms did not track third party changes. Of all IT failures reported to the FCA by regulated firms in 2019, 18% were caused by third parties, of which 22% were due to third party change activity, the FCA said.
The FCA found a positive correlation between firms having well-established change management governance arrangements, in place for a year or longer, and change success rates. Governance arrangements should be reviewed regularly, including on an ad hoc basis following major changes, the FCA said. Firms that continually managed risks as part of day-to-day project management, and which had access to a wide range of technical and business knowledge, also tended to experience fewer incidents.