IT stress testing can fix banks' legacy problems, say experts

Fining the Royal Bank of Scotland (RBS) will penalise the taxpayer and do nothing to address the IT issue, say experts

Finance sector regulator the Financial Conduct Authority (FCA) is expected to fine the Royal Bank of Scotland (RBS) tens of millions of pounds following a major IT problem that locked customers out of their accounts for days. But is a fine the best way to persuade banks to upgrade the outdated technology at the root of the problem – or just a box-ticking publicity exercise?

To an unhappy RBS customer, a multimillion-pound penalty might sound an appropriate punishment – but it could prove the opposite, if all it achieves is to create the illusion of progress while giving the bank a cheaper alternative to improving the IT systems at the heart of the issue.

Regulators use Capital Adequacy Ratio tests to check banks have enough capital to absorb a certain level of loss. Banks' cyber security was put to the test last year, as Operation Waking Shark 2 tested thousands of staff at London’s major financial institutions with a simulated cyber attack on systems.

But banks are built on large and complex IT systems and there are no such regular, industry-wide IT tests, despite the risk to the economy of a prolonged failure in the finance sector. Experts say banks should be subject to regular IT stress testing.

CA-7 batch process glitch

In 2012, customers of RBS, NatWest and Ulster Bank were locked out of their accounts for days as a result of a glitch in the CA-7 batch process scheduler, which froze 12 million accounts. Customers were left unable to access funds for a week or more as the banks manually updated their account balances.

RBS admitted it had underinvested in IT and that this was the cause of the problem. “For decades, RBS failed to invest properly in its systems,” said RBS CEO Ross McEwan in 2013. “We need to put our customers' needs at the centre of all we do. It will take time, but we are investing heavily in building IT systems our customers can rely on.”

This IT disaster spurred the finance regulator into action. According to Sky News, the Prudential Regulation Authority (PRA) wrote to a number of banks, asking them to provide more details about the availability, resilience and recovery capabilities of their IT systems. The PRA gave the banks – believed to include Barclays, HSBC, Lloyds Banking Group and Santander UK, as well as RBS – until mid-December 2014 to answer its questions.

But will RBS's fine motivate the banks – which today rely totally on IT – into taking the right action?

One IT professional in a major European bank said fines will only work if they make IT investment a lower-cost option. “Fines would get banks to upgrade IT if they cost more than allocating additional budget to IT.”

“Banks focus on the economics so, if the fines are small or non-existent, there is less incentive to fix the IT. But bigger fines would help CIOs put the case for greater investment in IT.”

Alternative routes to upgraded banking IT

He said another effective method of compelling banks to upgrade IT would be to benchmark them against each other and tell customers the results. “Regulators could benchmark the banks and publish relative levels of IT maturity, investment and outages, so customers can get an idea of who has the best and most reliable IT.”

But he said wholesale legacy technology replacement is still unlikely: “I don't think they will. There is a lot of mainframe software out there in Cobol or PL/1 and it's not going away any time soon.” He said the main driver will probably prove to be competition from other firms taking market share or offering cheaper services by having a lower cost base.

“The banks already fear this. There could soon be PayPalBank, Amazonbank, Facebank, and so on. Maybe the online payday loan firms can go mainstream as well in future, by offering additional products. Firms like Funding Circle are now advertising on TV, as is PayPal. I'm not sure the big banks will compete very well with a vast influx of new tech-based financial providers offering creative products at better prices.”

“IT is opening up the financial services arena hugely and the banks are only just waking up to it. I think the public is more open to new brands than a few years ago and – if they have confidence in regulation to protect them – there will be less resistance to trying a new brand. 

“I think people are disillusioned by what the banks have done in recent years, and may actively look for alternative providers.”

Mandatory IT auditing for banks

Chris Skinner, chairman at the Financial Services Club, does not consider the RBS fine a good idea. “They’ve been punished enough by reputational damage. It has already cost them millions in compensation and will cost £500 million a year in additional investments in technology to sort out the issue, so this fine is just rubbing salt into the wound.”

But he said that it will focus attention on the IT systems. “It will certainly encourage them to invest in sorting out their legacy mess. Banks cannot survive with systems from the 1980s and earlier.”

He said another option to get banks to improve things would be to impose mandatory tests on systems in the same way bank liquidity is tested. “There should be an annual audit test for systems compliance as systems risk is as threatening as market, credit and liquidity risk.”

Skinner thinks banks will only replace legacy systems when the “systems break or when a vendor can show them a viable alternative to replacing the engines while the plane is flying”.

Can fining the taxpayer fix the problem?

Gareth Lodge, analyst at Celent, believes fining RBS will have little impact over and above sanctions already in place. “In effect, because it is state-owned, the fine is on itself. RBS is paying far, far more in compensation already and the fine is far, far less than it’ll cost to fix the issues.”

He said banks will soldier on with IT that fails every now and again. “The banks already spend huge amounts on IT. I’d draw the comparison with the NHS – or the government. We all know there are problems that need fixing, but the 'how' is less clear, without massive cost and disruption.”

Lodge said the RBS issue in 2012 was IT-related but not a problem with the technology itself. “It was human error. Even if RBS had had a state of the art system, the issue could still feasibly have happened. Look at all these high-tech trading systems and then how many times we still get fat finger trades. There are fewer than before, they are easier to spot and rectify – but they still happen.”

He agrees that a form of IT stress test is a possible option, but cautioned: “Defining standards or thresholds could be tricky.”

Fines could drive investment

Daniel Mayo, financial services analyst at Ovum, said the fine is a good idea because it sends a clear signal that such events are unacceptable and need to be prevented in future. “It creates a precedent for future fines on other institutions and should help to stop complacency. It will also very clearly indicate that compliance and operational risk functions need to have this covered.” 

He expects the fine to drive some investment, but whether this is net new investment or a reallocation remains uncertain. “For banks, there is a temptation to invest in strategic initiatives such as mobile and digital, but the business case for transformation for keeping the engine running smoothly is often harder to make.” But he said a fine might “swing the balance to a degree”.

“The issue is that transformation is not risk-free itself; in fact it is quite a complex process, so regulators need to be careful they don’t effectively stop transformation by clamping down on issues.”

Regulators must test banks' IT

He also said systems should be regularly tested. “Regulators should ensure that IT is a part of risk-control self-assessments and scenario-planning, and that this is reported back to them.”

Jean-Louis Bravard, outsourcing consultant and former CIO at JP Morgan, thinks the fine is just a PR stunt. “Having one arm of government tax a predominantly government-owned entity is mostly PR.”

He does not think the fine will drive other banks to invest in IT. “The gap between what is fundamentally needed and the existing – mostly legacy – IT widens daily. IT needs far more stress testing than capital accounts, for example.” 

Bravard said regulators should conduct a systematic review of bank IT, with the power to impose fixes. “Let's not kid ourselves, a fundamental retooling of UK bank IT will take years and will affect profitability.”

He said legacy replacement will not happen anytime soon if the banks can go “another day without the pain of new projects which may not yield benefit before four or more quarters.”

Bravard said he thought continued failures, combined with a reluctance to invest in technology, will see banks share back-end systems. “We see an increasing drift toward BPO utilities where the IT risk and investment is borne by the services provider, giving the bank an elegant exit.”
