New rules being introduced next year by the Financial Conduct Authority, forcing banks to publish details of major security and operational incidents rather than leaving the public to hear about them on Twitter, are great news in principle, but in practice their effectiveness might be limited.
Forcing banks to report security and IT incidents will enable people who engage with banks digitally to compare the service levels on offer beyond interest rates and charges. With consumers demanding digital services today, and banks promoting them obsessively, it’s time banks were compared on their IT and cybersecurity competencies.
It will be interesting to see which banks have the most IT glitches, as there seem to be one or two a month. It should force banks to sort out the cause of these problems, which is often the complexity of their IT infrastructures. New digital-first banks could really show how much better they are when it comes to digital services. On cyber security, banks tend to stay quiet and sweep incidents under the carpet after dealing with them internally, so it will be good to get a better idea of what they are being hit by.
What might be interesting and up for debate is what constitutes a “major” security or operational incident? One short mobile app outage might be minor but if it happens three times in six months it might be major.
A contact of mine who works in IT in the UK banking sector said he thinks this is a good idea but expects banks will play down incidents so they don’t have to be reported. He said an independent organisation might have to be involved to decide what is reported and how.
He said it might also lead to bad behaviour as teams try to finesse their operations to make the metrics look good rather than doing the right thing if the two are not aligned. “For example – the case of the blocked toilet [at a bank I worked at]… the helpdesk would close calls when they passed a problem to the maintenance team instead of when the problem was fixed. But the maintenance team had a 24 hour service level for blocked toilets, so the helpdesk received dozens of calls for the same blocked toilet and closed each call within a few minutes as the instruction had already been passed to the maintenance team. The performance metrics for the helpdesk looked wonderful as they had handled a large volume of calls and closed them all within a few minutes. The truth of course was it was only one incident and took a day to fix. So the metrics did not reflect reality at all. The helpdesk reported 50 calls all closed within 5 minutes and the maintenance team reported 1 call closed within 24 hours. Two views of the same incident.”
But he said in principle the FCA’s idea is a good one, although tough to do in practice. “I have been involved in internal reporting with many banks over the years and they struggle to do this as well as they would like as it is more complicated than it sounds. There is a vast amount of data, performance metrics, key performance indicators, balanced scorecards and so on already in use within these firms, but they don’t often measure the same things in the same ways so you won’t be comparing apples to apples. There are several industry surveys that attempt to normalise some IT performance data and share it between participants but it has proven very difficult to do on a like for like basis.”
His two key points are: What is being measured would have to be defined extremely carefully and in great detail to avoid banks interpreting the requirement differently; and to ensure this is done consistently across banks, it would probably need to be done independently rather than rely on the banks to report the
“No bank will want to look the worst so they will do what they can to avoid that, which may include how they define incidents, their ability to assemble data quickly or accurately, statistical adjustments such as omitting exceptional cases that sway the core numbers etc.”
He said measuring these things publicly may also lead to unintended consequences such as “incidents being played down internally to avoid public reporting, rather than assigning a high priority and fast escalation to ensure a quicker fix.”
“So any reporting will need to be considered very carefully and may well be ignored by the public if it is not independent and trustworthy,”