Advising a bank, ahead of Brexit, on the IT strategy and governance needed to secure UK authorisation
Our client is a European headquartered bank with a presence in the UK since the early eighties. However, the prospect of Brexit led it to reconsider its strategic approach to the UK market, with the objective of transferring its UK business into a new wholly owned subsidiary holding its own UK banking licence.
In order to obtain this licence from the Prudential Regulation Authority (PRA), the bank needed to ensure that its IT systems and controls were managed according to UK and European regulatory requirements. Mason Advisory led the initiative to support the bank through this critical process, reporting to the bank’s Head of Brexit Implementation and to the UK CIO.
The first step in helping the bank gain its UK licence was to carry out a gap analysis of its current IT position compared to the licensed end state. A team from Mason Advisory carried out this analysis, based on our knowledge of the UK’s regulatory requirements and our own experience of UK industry best practice. We provided our client with a detailed report assessing its current IT maturity and setting out the roadmap of deliverables that would be needed for a successful UK banking application.
The client then asked us to lead the implementation project, based on the report we had produced. This led to an intensive programme of work over a period of approximately eight months to secure the licence, with further longer-term work ongoing.
The key deliverables and outcomes of our engagement are outlined below.
- Defining an IT strategy to support the UK bank, including a target development roadmap and organisation model.
- Developing an IT operating model which defined the functional capabilities required and how the IT organisation operates, including people and resourcing requirements and roles.
- Reviewing IT processes to ensure sufficient governance and controls are in place, with sufficient reporting and a clear escalation process where needed, together with a remediation roadmap to plug any gaps.
- Developing an enterprise architecture framework as a new capability within the UK bank, such that there was clear mapping of systems and data flows. This meant that root causes could be identified more quickly if any outages occurred and that, where changes to any systems were planned, a better impact assessment on other systems could be conducted, thereby supporting disaster recovery and operational resilience.
- Enhancing information security by building a strong relationship between IT and Information Security, and introducing a better, more formalised penetration testing regime. This covered key systems so that any potential vulnerabilities across the IT estate could be identified and fixed on an ongoing basis. Disaster recovery and business continuity planning was also strengthened. We facilitated the introduction of an Information Security Management System (ISMS) that would better align to ISO 27002.
- Strengthening IT governance such that the bank could better control and govern the enhancements that were needed through effective reporting schedules and a clear escalations hierarchy.
- Introducing a contract between UK and Group headquarters to define and document the IT services provided to the UK by HQ, and to set out ways of working between the two organisations who would be operating in a customer/supplier relationship. Under the old structure, this had not been needed before but was now a key requirement.
In addition, we helped the client meet two key milestones in its UK banking licence application.
- Application submission – this was required six months before the licence was granted, outlining the complete IT business plan – along with business plans for every other function in the business – and detailing how the deliverables would be achieved over the following months.
- IT attestation – three months before the licence was granted, an attestation was required from the UK CIO committing to the UK regulator that the bank’s IT environment was fit for purpose, able to protect customers and had the necessary governance and controls. We worked to provide the UK CIO with all of the information and evidence points needed to enable the signing of the attestation.
Supported by our work on the IT components, our client was successful in obtaining a UK banking licence, on time and on budget.
The UK bank now has a significantly improved IT landscape, featuring:
- a clear IT strategy, with the aim to become more proactive rather than reactive
- clear governance, processes and controls, including over its enterprise architecture
- a new IT operating model that includes appropriate accountability and escalation procedures
- robust information security defences through more rigorous penetration testing
- a clear services agreement between the UK bank and group headquarters, providing clear understanding of service provision between the UK and HQ including the use of any third parties
In addition, our work with the UK bank has the potential to prove a model for other countries across the group, raising global minimum standards.