Resilience is one of today’s major talking points for businesses. They are asking whether they have the capability to navigate the next economic storm, whether the business is sustainable, or if they have the right talent now and in the future. Not only that, but organisations are also focusing on their technology and infrastructure – and in particular critical components such as payment systems – to ask whether they are resilient enough to cope with disruption, whether caused by accident or malicious intent.
In the financial services sector, we are seeing more questions around our own resilience crop up in requests from clients as part of payment service proposals. These can cover a range of areas, including what our security policies are and how we test them, and the availability of our channels and what our contingency plans are.
In our client conversations, discussions about cyber-attacks are becoming commonplace, with questions about the types of cyber-attack, how we would deal with them and how we have built in resilience. Clients want to make sure that we, as their banking provider, will let nothing disrupt business-critical activities.
And it’s not just our customers but also our regulators that are asking us what steps we are taking in addition to establishing standards, guidelines and governance frameworks to deliver a resilient service offering.
One of our regulators, the PRA, has set out its expectations for the operational resilience of firms’ important business services, including payments. It addresses the risks that follow from the interconnectedness of the financial system together with the complex and dynamic environment within which we work.
As a bank, we understand how embedded our systems are now in companies’ sales processes – if the payment process fails at our end, then the whole client-side system can go down. As such, we are required to adhere to the PRA’s expectations of a maximum level of tolerable disruption, including the duration of that disruption.
Clients tell us that visibility of payment and related data flows is critically important – for many consumer-facing, high-volume businesses, billings and payments can be the beating heart of the organisation. Any slowdown or stoppage in the systems and data behind the billings and payments can have a considerable and immediate knock-on effect.
As James Marshall, Head of Treasury at Virgin Media O2, tells us: “Our banking systems and payment systems are very much part of our overall customer journey. So, resilience is critically important. We can’t have any hangover into the next day. We have a reputation to be mindful of and established relationships to protect. Any spike in delayed payments will directly impact customer relations.
“For our resilience, we need data coming back from all of our financial services providers that is accurate and timely, and we need visibility of the cash side – we have three large components for our business (cable, mobile and business) and we overlay on top of those all of our corporate financing and other treasury activities such as interest payments. So, if we stop having visibility of cash being received into any one channel of the business, it makes running the rest of the business harder.”
In an ideal world, the service provider will have identified that there is a problem before customers begin to call. But when they do call, service providers should be able to say what they are doing to fix the problem and how they are managing it in the meantime. The provider should also be able to identify whether there will be any knock-on effects and whether the outage has created further issues.
Of course, it is far better to ensure that the process runs smoothly first time so that there is no need for such intervention. This is why we would advocate that clients regularly and rigorously test their own systems and ensure the infrastructure is resilient and robust. This may not be limited to their own systems but may extend to others such as those offering data connectivity and specific solutions.
If testing reveals shortcomings, companies need to look at the investment case for an upgrade, but also the costs if something goes wrong. With so many new developments in the payments space (such as ISO 20022), we would expect most businesses to have a roadmap for their payment systems that would incorporate external developments as well as the need for their own business resilience plans.
Marshall recognises that payment providers and banks are very much part of a team and need to be brought on board during any systems upgrade, ensuring that the whole ecosystem is compatible. Again, testing the system during such a process is vitally important to make sure it produces the right outcomes before being released into customer-facing systems.
Alongside infrastructure, businesses must have protocols in place so that if a payments system fails, team members know the processes and procedures they need to follow.
Often, a board-level discussion is required, setting out how protecting the payments system will protect the whole business. The board will need to understand the consequences of failing to ensure that the system is resilient. Failures might be low probability, but they can be high impact.
Andy Stalmanis is Treasurer at Bibby Financial Services, an invoice finance provider. He recognises the importance of resilience in the business’ payment systems, as any outage could have direct consequences for Bibby’s customers.
“We provide working capital finance to small and medium sized enterprises – we collect money from receivables and at the same time provide an advance to our clients. As we collect money into several thousand accounts, we need to know that that money is coming in, and we need to deal with it efficiently. But we are also supporting SMEs, and they need their cash straight away. This is why it is so important to have resilient payment systems in place.
“Wherever possible, we want to carry out these functions in an automated way – matching collections to receivables. And when we send out client payments, they need to be correct.”
This article is based on the panel discussion at the recent ACT annual conference session on resilience, sponsored by Barclays.
Mike Rigby is Head of UK Specialist Sales, Corporate Banking, Barclays
Barclays Bank PLC is registered in England (Company No. 1026167) with its registered office at 1 Churchill Place, London E14 5HP. Barclays Bank PLC is authorised by the Prudential Regulation Authority, and regulated by the Financial Conduct Authority (Financial Services Register No.122702) and the Prudential Regulation Authority. Barclays is a trading name and trade mark of Barclays PLC and its subsidiaries.