
British banks to start reporting operational and security incidents to customers this week

Newsdesk, London, 13 August 2018

On Wednesday, the UK's Financial Conduct Authority will begin to oblige the providers of personal and business accounts to publish information that will help customers to compare services available on bank accounts run by different providers. Banks will have to report all major operational and security incidents and tell customers whether 24-hour helplines are available for them.

The relevant law is the Banking (Information about Current Account Services) Instrument 2017. This has introduced BCOBS 7 into the FCA rulebook. This part of the conduct-of-business sourcebook (COBS) requires each firm to publish information about its provision of personal current accounts. It abides by the Payment Accounts Regulations' definition of a consumer, namely a natural person acting for purposes which are outside his trade, business, craft or profession.

The pressure on banks to report system failures is further compounded by the Bank of England's and the FCA’s fast-approaching deadline of 5 October, by which time banks must tell the regulators about their exposure to risks and how they will respond to outages. With customers enjoying more banking options than ever, banks are concentrating on finding new ways to mitigate risk.

Financial service firms in general are moving faster and faster away from a product-centric approach to cybersecurity and towards the compartmentalisation of their vital applications. They are also concentrating on making each app - such as online banking or interbank payments - secure in its own right so as to prevent a domino effect if one area comes under attack.  

Their infrastructures, however, remain outdated and they can therefore find it difficult to work out how to build new apps into their networks and make them communicate with one another in real time. This is a crucial first step when it comes to writing security policies for individual apps, and consequently preventing operational and security incidents, according to Nick Hammond at World Wide Technology.

Hammond told Compliance Matters: “Financial service firms are under significant pressure to be both quick and transparent when it comes to reporting operational and security incidents. To alleviate this pressure and maintain stringent security, they are working towards ensuring a high level of application assurance. The rules of the past called for yearly tick-box compliance exercises, but the new regulations necessitate continued assurance of critical applications. The complex nature of existing systems throws a spanner in the works, though. Legacy infrastructures were often built with different and sometimes conflicting metrics over the years, meaning that an intricate patchwork of applications communicate with each other in complicated ways. The network of opaque interdependencies creates a big hurdle for banks, which means that many are drawing on infrastructural expertise as the first step towards securing their internal software. By gaining insight into infrastructure, firms can create a real-time picture of the entire network and be confident when rationalising the way in which different applications share data in this-or-that system. They can then fit the right security policies to each segmented application, preventing unnecessary or illicit data flows.”
