The Financial Conduct Authority (FCA) fined the Royal Bank of Scotland (RBS) ₤42m for an IT outage that left customers unable to access their bank accounts, but said underinvestment was not the cause.
At the same time, the Prudential Regulation Authority (PRA) fined RBS £14m, bringing the bank's total forfeit to £56m.
In the summer of 2012 customers of RBS, NatWest and Ulster Bank were locked out of their accounts for days as a result of a glitch in the CA-7 batch process scheduler, freezing 12 million accounts. Customers could not access funds for a week or more as RBS, NatWest and the Ulster Bank manually updated account balances.
But the FCA did not scold RBS for a lack of investment in IT. RBS spends £1bn annually to maintain its IT infrastructure. The FCA acknowledged that RBS, NatWest and Ulster Bank had taken significant steps to address the failings in their IT systems and controls since 2012.
“The incident was not the result of the banks’ failure to make a sufficient investment in its IT infrastructure,” said the FCA. But is the fine just pocket money – or will the fact that it is a loss directly related to IT problems set a precedent?
One senior IT source at a large bank in the UK said the size of the fine might be small in comparison to RBS’s overall IT budget, "but it is big enough to make senior management listen to IT”.
“For a fine directly related to IT, it is quite significant.”
Read more about RBS's IT failure:
- IT stress testing can fix banks' legacy problems, say experts
- How endemic is IT underinvestment in UK retail banking?
- RBS to be fined tens of millions for IT failure
- RBS pays customers extra £50m for IT failure
The FCA and bank IT
Paul Hinton, commercial technology partner at law firm Kemp Little, said the fine is usually the tip of the iceberg. “The real spend and effort will be in making changes to improve the systems to meet the satisfaction of the PRA and/or FCA, who are taking a much keener interest in all things IT.”
Tracey McDermott, director of enforcement and financial crime at the FCA, said modern banking depends on effective, reliable and resilient IT systems. “The banks' failures meant millions of customers were unable to carry out the banking transactions which keep businesses and people's everyday lives moving,” said McDermott.
"The problems arose due to failures at many levels in the RBS Group to identify and manage the risks which can flow from disruptive IT incidents, and the result was that RBS customers were left exposed to these risks. We expect all firms to focus on how they ensure that they can meet the requirements of their customers when looking at their IT strategies and policies."
The FCA revealed the cause of the problems and pointed to the bank’s failings.
“On 17 June 2012, RBS’s IT department upgraded the software that processed updates to customers’ accounts overnight. When it noticed problems with the upgrade it decided to uninstall it without first testing the consequences of that action,” said the FCA. “The IT department did not realise, however, that the upgraded software was not compatible with the previous version.”
The FCA said there were inadequate testing procedures for managing changes to software; risks related to the design of the software system that ran the updates to customers’ accounts were not identified; and IT risk appetite and policy was too limited, because it should have had a much greater focus on designing systems to withstand or minimise the effect of a disruptive incident.
'Wake-up call to business leaders'
Lev Lesokhin, business technology executive at software testing company Cast, said the underlying issue was the legacy infrastructure the largest and oldest UK banks use. "This is under increasing pressure to deliver ‘Google-like’ customer services demanded by customers today.”
“Western banking systems are particularly exposed because they were the first to install computer systems, and investment in those systems has since been neglected as tightening budgets have meant less is spent on modernisation and quality assurance. Until these underlying issues are addressed and industry standards put in place, we will continue to see glitches like this,” said Lesokhin.
“Banks are increasingly being defined by software which is becoming increasingly complex, composed of subsystems written in different programming languages, on different machines by different teams – and complexity creates risk.
"The frequency of technical issues affecting banking is a wake-up call to business leaders. They need to carefully scrutinise the structural integrity of their software systems.”