How can PSPs strive for effective operational resilience within an instant payments ecosystem?
By Otto Benz, Payments Technical Services Director, Global Payments, Lloyds Banking Group
In a digital world, there is an expectation that services will be provided in real time. Instant payments facilitate the supply of goods and services, and are therefore vital to ensuring the wheels of the economy keep turning. But as we move towards an instant payments ecosystem, how should payment services providers (PSPs) approach operational resilience? This article will examine the UK as a case study and set out key areas of focus.
The need for increased payments operational resilience
The Faster Payments Service came into being in 2008 – one year after the launch of the first iPhone. Faster Payments enabled UK customers to send instant electronic payments between accounts without cost, instead of relying on the three-day processing cycle of Bacs. Uptake of Faster Payments has been steady – in 2018, more than 2 billion Faster Payments were processed, with a collective value of more than £1.7 trillion, alongside traditional Bacs payments, numbering 6.4 billion payments with a value of around £5 trillion.
A scheme service degradation in July 2018 demonstrated the banking ecosystem’s growing reliance on Faster Payments, when more than 750,000 payments were affected. The scale of the response to this outage was comparable to that of a Visa card acceptance outage that had occurred the previous month, which caused failed transactions across the UK and Europe. Such incidents can result in losses for PSPs, customer detriment, reputational damage and regulatory censure. Although not directly a payments failure, the TSB IT migration in 2018 is a further example: millions of its customers were unable to access online banking services.
There is now increased regulatory scrutiny of PSPs’ resilience arrangements, for example via the Payment Services Regulations: Regulation 98 sets out requirements for measuring and reporting operational and security risks to the FCA, and Regulation 99 compels PSPs to be more transparent about their responses to major incidents.
Further underlining regulator interest, last year the Bank of England in partnership with the PRA and FCA published a discussion paper on building the UK financial sector’s operational resilience. The paper focuses on the importance of banks and PSPs considering resilience through the lens of their key business services, and makes the case for setting tolerances for outages, beyond which it is simply unacceptable to go.
Regulators are clear that they don’t expect PSPs to anticipate and prevent every payments incident – in fact, they expect as much focus on incident management and recovery as on prevention. With that in mind, the following should be key areas of consideration for all PSPs:
- Identifying their most important business services, then mapping and assessing the systems and processes that underpin these business services, and ensuring an effective control environment;
- Determining and testing tolerances for disruption and in what circumstances;
- Investing in the ability to respond and recover from incidents, including effective customer treatment strategies; and
- Communicating timely information to customers, regulators and others.
How can PSPs succeed?
Each PSP will have its own unique set of considerations, depending on factors such as types of payments propositions, reliance on third parties and use of legacy systems. However, the following pointers will be relevant to all PSPs that send and receive instant payments and aspire to meet regulator expectations.
Firstly, PSPs need to identify their key business services. Starting at this high level helps PSPs to take a joined-up, practical approach to resilience. For Lloyds Banking Group (LBG), key business services include retail customers sending low-value immediate payments to merchants and other beneficiaries to pay for goods and services. They also include higher-value instant payments sent for property purchases.
PSPs should then map all of the systems and processes that underpin those services. We suggest reviewing each one to determine the customer, business and payments ecosystem impact of its failure, then using this insight to assess the associated risks and the robustness of the controls and oversight arrangements around it. PSPs might consider a ranking system to ensure the right amount of focus is given to each one.
A high level of consideration should be given to complex processes that would have a high impact if they were compromised – particularly if they are outsourced to or managed by a third party. Generally, less focus is needed on simple processes with a low impact of failure, managed in-house and subject to a tight set of controls. Taking this approach one step further, ideally PSPs will model the likelihood and impact of a combination of systems and process failures.
Setting tolerances might feel abstract. Essentially though, PSPs are being encouraged to embed metrics that enable them to measure when a disruption would represent a threat to their viability, to customers and other market players and, where relevant, to financial stability. PSPs should use realistic scenarios to explore and test impact tolerance. Importantly, PSPs must express impact tolerances separately from their risk appetite and recovery time objectives, but also be able to explain the relationships between the three.
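The mapping, ranking and tolerance-testing steps described above can be made concrete with a small availability model. The following is an added example, not code from the article or from Lloyds Banking Group; every component, failure probability, volume and tolerance in it is constructed for illustration. It assumes a business service is a chain of dependency groups (all groups must be up), that a group with redundant components is down only when all of them fail, and that component failures in a planning window are independent. Components are ranked by how much the service's disruption probability changes when that component is assumed failed versus assumed working (a Birnbaum-style importance measure, which naturally surfaces single points of failure), and a scenario is checked against an impact tolerance that is kept separate from the recovery time objective.

```python
"""Toy resilience model for one key business service (constructed example)."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Component:
    name: str
    p_fail: float      # probability the component fails in the planning window (constructed)
    third_party: bool  # outsourced to or managed by a third party


@dataclass(frozen=True)
class DependencyGroup:
    name: str
    components: tuple  # redundant alternatives: the group is down only if all of them fail


@dataclass(frozen=True)
class BusinessService:
    name: str
    groups: tuple               # every group must be up for the service to be up
    payments_per_hour: int
    tolerance_hours: float      # impact tolerance: longest acceptable disruption
    tolerance_payments: int     # impact tolerance: most payments that may be affected
    rto_hours: float            # recovery time objective, an internal target distinct from tolerance


def _p_fail(component, failed, working):
    """Effective failure probability under a what-if assumption about this component."""
    if component.name in failed:
        return 1.0
    if component.name in working:
        return 0.0
    return component.p_fail


def group_down_probability(group, failed=frozenset(), working=frozenset()):
    # All redundant alternatives must fail for the group to be down (independence assumed).
    return prod(_p_fail(c, failed, working) for c in group.components)


def service_disruption_probability(service, failed=frozenset(), working=frozenset()):
    # The service is disrupted if any group is down.
    return 1.0 - prod(1.0 - group_down_probability(g, failed, working) for g in service.groups)


def rank_components(service):
    """Rank components by importance: P(disrupted | failed) - P(disrupted | working).

    Returns (name, importance, third_party) tuples, highest importance first.
    Outsourced components with high importance deserve the most attention.
    """
    rows = []
    for group in service.groups:
        for c in group.components:
            importance = (service_disruption_probability(service, failed={c.name})
                          - service_disruption_probability(service, working={c.name}))
            rows.append((c.name, round(importance, 4), c.third_party))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def evaluate_scenario(service, failed_components, outage_hours):
    """Test a realistic scenario against the RTO and the impact tolerance separately."""
    disrupted = any(all(c.name in failed_components for c in g.components) for g in service.groups)
    affected = int(service.payments_per_hour * outage_hours) if disrupted else 0
    return {
        "disrupted": disrupted,
        "payments_affected": affected,
        "rto_missed": disrupted and outage_hours > service.rto_hours,
        "tolerance_breached": disrupted and (outage_hours > service.tolerance_hours
                                             or affected > service.tolerance_payments),
    }


# Constructed service map: names and numbers are illustrative only.
RETAIL_IMMEDIATE_PAYMENTS = BusinessService(
    name="Retail customers sending low-value immediate payments",
    groups=(
        DependencyGroup("customer_channel", (Component("mobile_app", 0.02, False),
                                             Component("internet_banking", 0.02, False))),
        DependencyGroup("core_ledger", (Component("ledger", 0.01, False),)),
        DependencyGroup("scheme_gateway", (Component("gateway_primary", 0.05, True),
                                           Component("gateway_backup", 0.05, True))),
        DependencyGroup("fraud_screening", (Component("fraud_engine", 0.03, True),)),
    ),
    payments_per_hour=60_000,
    tolerance_hours=2.0,
    tolerance_payments=100_000,
    rto_hours=1.0,
)

if __name__ == "__main__":
    svc = RETAIL_IMMEDIATE_PAYMENTS
    print(f"P(disruption) = {service_disruption_probability(svc):.4f}")
    for name, importance, third_party in rank_components(svc):
        print(f"{name:18} importance={importance:.4f} third_party={third_party}")
    print(evaluate_scenario(svc, {"gateway_primary"}, 3.0))
    print(evaluate_scenario(svc, {"gateway_primary", "gateway_backup"}, 1.5))
    print(evaluate_scenario(svc, {"ledger"}, 3.0))
```

In the constructed map the two single points of failure (the outsourced fraud engine and the ledger) rank far above the redundant gateway and channel components, which is the kind of result a ranking exercise should make visible. The second scenario also shows why tolerance and RTO are expressed separately: a 1.5 hour gateway outage misses the one-hour RTO but stays within the two-hour, 100,000-payment impact tolerance, whereas a three-hour ledger outage breaches it.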
Investing in the ability to respond and recover requires a broad understanding of the customer impact, and again realistic scenarios can support this. For instant payments, PSPs must ensure robust systems are in place to safeguard data and enable payments to be replicated, and also invest in effective reconciliation and recovery procedures. PSPs should bring together input from colleagues across different areas of the business to ensure that treatment strategies are pragmatic and customer focused.
For communications in the event of a disruption, PSPs must develop communications plans for a range of audiences (customers, regulators, and other parties) and also a communications strategy. Focus here should be on providing the right messages at the right time, with the aim of maintaining customer, regulator and market confidence.
Finally, to facilitate all of the above, PSPs must invest in employing and developing people with the right skills – including the ability to focus on the bigger picture while understanding the detail, and to keep a cool head in a crisis.
A look ahead
As instant payments become the norm, PSPs must continually invest in and evolve their approach to managing operational resilience. Resilience will continue to be a key area of focus for regulators – we await the follow-up to the Bank of England’s discussion paper, with the real possibility that tolerance setting will become a requirement and not just a recommendation.
Otto Benz is Payments Technical Services Director at Lloyds Banking Group. Prior to working at Lloyds, Otto was Director of Strategic Payments at Virgin Money. He has over 20 years’ experience in retail and investment banking, managing large-scale programmes of change, and has held leading roles in strategy and operations.