The UK’s Financial Conduct Authority (FCA) has urged the country’s financial services sector to better prepare for systemic technology outages. The FCA added that UK financial services providers should make plans for continuity of service in “severe but plausible scenarios,” including the failure of a third-party service provider. The call to arms has been issued ahead of the full implementation of the FCA’s PS21/3 rules on operational resilience in March 2025 and follows the worldwide disruption to thousands of businesses caused by a faulty software update released by endpoint protection provider CrowdStrike.
The FCA said that financial institutions should review their third-party risk controls and ensure that the responsibility for service monitoring and outages is outlined clearly in contracts with third-party service providers. “We encourage all firms, regardless of how they were affected by the CrowdStrike incident, to consider these lessons, to improve their ability to respond to and recover from future disruptions,” said the FCA.
Spectre of CrowdStrike looms over the financial sector
The operational resilience of the UK’s financial sector has been front and centre of FCA policymaking since December 2019, when the regulator consulted the industry on a proposed tightening of the rules surrounding how banks should prepare themselves for catastrophic scenarios. The resulting set of rules, PS21/3, called for financial institutions – including banks, building societies, insurers and investment exchanges – to “identify their most important business services [and] set impact tolerances for the maximum tolerable disruption.”
The rules originally came into force in March 2022, and UK financial services firms have until 31 March 2025 to fully comply with PS21/3. Though the definition of a catastrophic scenario is fairly wide for such businesses, encompassing everything from bank runs to institutional fraud, the resilience of the sector to technological disasters is also a preoccupation for the FCA.
“As early as 2009, algorithms accounted for up to 60% of trading in major US exchanges,” the FCA’s chief executive, Nikhil Rathi, told attendees of the regulator’s International Capital Markets Conference earlier this month. “What used to take 10 to 50 traders now happens on one computer. And a single glitch can run haywire through global infrastructure.”