This is a question we invariably ask during our annual survey, and this year was no exception.
Usually when we talk about technology in this market, we tend to be focused on the efficiency benefits that newer more flexible systems offer. That, or the ability to provide automated documentary evidence of compliance.
Those two considerations are enormous, but there is arguably a much, much bigger reason to talk about tech. The risks it now poses, particularly in a market so highly regulated as financial services in the UK.
Readers will all be only too aware of the mind-blowing impact that a technology failure can have, not just on one company or industry, but on worldwide services.
On 19th July 2024, cybersecurity firm CrowdStrike issued an update to all clients using its Falcon Windows sensor, software designed to protect firms from cyber attacks aiming to strike at the functionality of Windows programming. It didn’t go according to plan. Around 8.5 million Windows hosts were hit with a blue screen of death, sending international airlines, hospitals, banks and countless other businesses around the globe to a grinding standstill.
This wasn’t even a co-ordinated deliberate cybersecurity breach or attack. It was just a mistake. It serves to illustrate the scale of devastation caused should an IT system fail. It also exposed just how interconnected the world is – and how reliant on one single provider.
In UK financial services, this is a very serious consideration. The reputational damage caused by an outage in online banking services is huge – banks are still haunted by the catastrophic tech failure in 2018 of one high street provider, which exposed millions of customers’ details during what should have been a simple data transfer from one platform to another.
It is more serious than this still, however. Particularly when it comes to the personal responsibility held by regulated persons under the Financial Conduct Authority’s (FCA) senior managers regime.
These positions, held by very senior company executives, often at board level, have a significant burden to carry when it comes to business decisions. Those include the appointment of permitted third-parties – classified as an authorised person, an exempt person for whom an authorised person is accepting responsibility, or a person lawfully carrying on a regulated activity in another European Economic Area State.
Third-party processors fall into this category, with the FCA rules specific that a firm B appointing another firm A which carries on home finance activities under a properly documented outsourcing agreement is responsible for that firm’s actions and service.
The FCA handbook states: “Firm A undertakes to co-operate fully with Firm B in relation to any complaints arising from Firm A’s performance of the outsourced activities, even if the complaint is made after Firm A has ceased to carry on the outsourced activities for Firm B.
“Firm B accepts full responsibility for the acts and omissions of Firm A when carrying on the outsourced activities and must pay any redress due to the customer.”
The rule extends to firms taking on activities outsourced by firm A – in other words, an authorised firm is responsible for any fallout caused by those it contracts out services to, and, to any firms that firm sub-contracts to.
It’s the senior manager on the hook – to the tune of up to a year in prison if things go wrong.
The risks and returns of technology are shifting from a focus on outside risk to scrutiny of internal processes and it’s major.
This is an important point today in a market where technology is supplied by many players offering different models and ultimately commercial value. Indeed, using best of breed on a plug and play basis is a very legitimate way of delivering agility and improvements into operations incrementally without tying organisations up in knots in costly projects.
Yet lenders and financial institutions are not supermarkets. The same rules that apply to banks and other providers do not apply to Amazon and Ocado as an example.
So, the challenge is to acknowledge the nuances and difficulties and deliver within a tightly controlled regulatory environment.
This means the externalities of partnerships and interoperability really matter. Preferred suppliers with track records of delivery are commanding more and more of the access points to lenders because there is, rightly or wrongly, a perception that it is safer than introducing an unknown into the infrastructure. We heard this time and again in our survey this year.
Tech is changing but so is the way we deal with it and the companies selling it in UK Financial Services.
Steve Carruthers is business development director at MSO Mortgages
