Introduction
In late November 2019, the Bank established that an audio feed of certain of the Bank’s Press Conferences had been misused by a third party supplier in order to supply services to clients of a related company for a subscription fee and without the Bank’s permission.
The supplier’s use of the audio feed was wholly inappropriate and without authorisation. The Bank, therefore, took immediate action to ensure that the supplier played no further role in the Bank’s Press Conferences and referred the incident to the Financial Conduct Authority (“FCA”).
Whilst the Bank is confident that the contents of the Bank’s policy announcements (for example the Bank’s interest rate decisions) themselves were never compromised, the incident raised questions about the controls relating to the Bank’s Press Conferences. In December 2019, the Court of Directors of the Bank (“Court”) commissioned a review by the Bank’s Internal Auditor (“IA”) and Independent Evaluation Office (“IEO”) into: (i) the incident; and (ii) the Bank’s relevant internal processes (the “Review”).
The Review made a number of findings and recommendations as to how certain of the Bank’s relevant internal processes and procedures could be improved (the “Findings and Recommendations”).
The Bank fully accepts the Findings and the Recommendations. This document details how the Bank has addressed and/or intends to address the Findings and Recommendations.
In the interests of transparency, the Bank is publishing the Findings and Recommendations of the Review, as well as the Bank’s response.
Recommendation 1: Technology, Communications and Security should review the way technology is used to support Press Conferences and media interactions.
The security of the Bank’s communications is vital to maintaining the trust of the public. To ensure that the suppliers and organisations associated with the Bank’s press engagement relating to the decisions of its policy committees are sufficiently well governed and controlled, the Bank has implemented the following improvements:
- all suppliers involved with the Bank’s press engagement relating to the decisions of its policy committees will each be monitored by a designated senior manager from the Bank;
- in line with the recommendation that there should be single accountability for Press Conferences and related media interactions, accountability will rest with Executive Director for Communications;
- any material changes to service provision of a particular supplier will now require the consent of the Executive Directors of each relevant Directorate; and
- any installation of new hardware relevant to the Bank’s communication of policy decisions by any such supplier will now be subject to risk assessments by the Technology Directorate.
In addition to the improvements outlined above, and in line with the Findings and Recommendations, the Bank has:
- updated the risk assessments of all suppliers providing services relating to the Bank’s external communication of the decisions of its policy committees;
- conducted a review of all technology hardware, security arrangements and operational activities supporting the Bank’s media engagements relating to the decisions of its policy committees, and updated internal processes and controls accordingly;
- ensured that all related technology hardware is, where possible, secured in a single location and, in any event, subject to appropriate access controls;
- compiled a detailed inventory of existing third party equipment used to support Press Conferences and media interactions relating to the decisions of its policy committees on Bank premises; and
- determined that, in the event that the Bank does not have the specialist internal expertise required to assess the relevant equipment, an individual of appropriate seniority at the third party supplier will be asked to provide assurances regarding the purpose and use of their equipment.
Recommendation 2: The Bank should identify and risk assess outputs across the Bank that could potentially be market sensitive and where there are latency implications.
Once the Bank had established the misuse of the existing audio feed, the Bank took steps to implement a single source – and low latency – audio feed of the Bank’s Press Conferences relating to the decisions of its policy committees as swiftly as possible. The low latency feed is now operational and will be used when the Bank is able to host physical Press Conferences on its premises.
The Bank has also conducted a detailed review of the processes and systems used by the Bank for publishing all of its other potentially market sensitive information. These fall into two categories: (i) key market information and data published by the Bank; and (ii) Bank policies, publications and speeches.
Key market information and data published by the Bank
The Bank has assessed the potential latency implications of its various market sensitive publications. The Bank often uses a number of channels to ensure that its publications of key information and data are available to the market as quickly as possible. Where multiple channels of publication are used, one channel may be fractionally faster than the other(s). In light of this:
- where more than one channel of distribution is used for the publication of key market information and data and one channel may be a fractionally faster, the Bank will clearly indicate which channel is likely to provide the faster access to the relevant data; and
- any such latency considerations will be a key feature in the design of any future Bank publication systems.
Bank policies, publications and speeches
The Bank regularly publishes consultation papers, discussion papers and final rules. Such publications are generally published on the Bank’s website and are, therefore, available to all relevant stakeholders at the same time.
Senior members of the Bank also regularly make speeches on a broad range of topics relevant to the Bank’s objectives. The text of those speeches is published on the Bank’s website at the start of the relevant speech. In the past, the Bank has generally provided embargoed copies of key speeches and other publications to accredited journalists. This practice has served to ensure that journalists are given sufficient information – in a timely manner – to be able to scrutinise the Bank’s work. In turn, this supports a wider external understanding of the Bank’s work.
However, the practice also runs the risk that the contents of the speech or publication may be disseminated externally, pre-publication and/or to different participants at different times. Improved technology has increased the scale of the risk.
Having reassessed the balance of risks, the Bank has decided to end the practice of circulating embargoed materials to journalists in advance, unless this would hinder the Bank in achieving the full impact of its actions and/or its wider objectives in a crisis management context.
However, once the Bank is again able to host physical Press Conferences on its premises, the Bank’s most sensitive releases – the Monetary Policy Report and Financial Stability Report – will continue to be disseminated in advance to accredited reporters under the recently augmented, extensive “lock-in” security arrangements for such press briefings which were in place for the publication of the January 2020 Monetary Policy Report.
Recommendation 3: The Bank should continue to strengthen and align its various vendor risk assessments, particularly with respect to niche suppliers, and ensure there is appropriate oversight of associated contractors.
The Bank has made a number of improvements to its vendor management processes since 2018. In particular, the Bank introduced a new Supplier Code of Practice (Code) in July 2018. The Code is part of a robust supplier management framework.
Since March 2019, all new Bank suppliers are subject to a detailed risk assessment process before on-boarding.
In addition, in response to the Review, the Bank has:
- rolled out further training across the business to fully embed an understanding of the Bank’s current processes; and
- commenced work to further assess how to ensure the appropriate categorisation of certain complex contracts, for example, where there are niche suppliers, multi owned contracts and potential latency related risks and/or where the supplier has access to market sensitive information.
Although the relevant supplier in this case was subject to contractual obligations requiring it to protect the Bank’s confidential information and disclose relationships with affiliated entities in accordance with the Bank’s conflict of interest policies (“Our Code”), the supplier failed to comply fully with the requirements set out in Our Code. In order to guard against such an incidence of non-compliance going forward, the Bank has updated:
- the standard contractual arrangements in place with Bank suppliers to ensure that the Bank is able to take action in the event of a breach by that supplier of Our Code and/or the relevant contractual arrangements; and
- policies to ensure that there are consistent oversight and escalation processes in place in relation to breaches by any third party suppliers.
Recommendation 4: The Bank should emphasise in its training for Senior Management the need for effective and early identification and management of risks (such as reputational risks and/or information security threats) including where information is shared with the Bank by external parties.
The Bank has robust procedures in place to ensure that external allegations about staff and regulated firms are investigated and followed through in a timely manner. However, the Bank will provide further training for Senior Management to embed an effective and proactive approach to the identification and management of risks, including prompt action in relation to information shared by external parties.
Recommendation 5: The Bank should adopt consistent processes to identify and respond to firms that advertise inappropriate access to Bank information.
The Bank already employs technological solutions to identify a wide range of various threats to the Bank.
Where the Bank identifies inappropriate access to Bank information and/or affiliation to the Bank, the Bank’s current processes aim to ensure that such inappropriate use is dealt with swiftly and effectively.
In line with the Findings and Recommendations, the Bank will assess whether even more can be done to monitor the web and social media so that it can trawl more exhaustively for material that could pose a technological or reputational risk to the Bank and ensure that Legal, Communications, Security and Technology are involved where it is identified that external parties are advertising inappropriate access to Bank information.
Concluding observations
More broadly, this incident raises questions about the current scope of the regulatory regime.
In 2014, the Bank (in conjunction with the FCA and HM Treasury) published the Fair and Effective Markets Review (“FEMR”). FEMR made 21 recommendations designed to ensure that Fixed Income Currency and Commodities markets are fair and effective, and enhance the measures put in place to tackle issues highlighted by prior serious misconduct cases, a number of which specifically concerned FX markets (including agreeing a single FX Global Code).
Whilst the FX Global Code is not binding, it has improved behaviour and can be considered when assessing senior managers’ behaviour under the Senior Managers Certification Regime. At an international level, the Bank has already reached out to colleagues across other central banks, and put them on notice of this risk of misuse of audio access.
We have also reminded market participants of their obligations under the FX Global Code and UK Money Markets Code (including at the official market-wide committees) and, in particular, the overarching obligation under the Codes to behave in an ethical manner to promote the fairness and integrity of the markets.
One recommendation relating to the FX markets arising out of FEMR (recommendation 3b, to create a new statutory civil and criminal market abuse regime for spot foreign exchange, drawing on, among other things, work on a global code) was not enacted.
There is a question as to whether the decision not to take this recommendation forward merits reconsideration. HM Treasury may, therefore, want to consider whether an extension of the regime is desirable when an appropriate opportunity arises.
Finally, looking beyond this particular incident, it is increasingly challenging to ensure a genuinely level playing field in markets where even small differences in the speed of access to market-sensitive information can be significant. The Bank will continue to discuss this issue with market participants and to share best practice in light of the Bank’s experience with counterparts internationally.