Finance regulators overlook offshoring in RBS IT failure statements
UK financial services regulators made no mention of the role of offshored IT in the problems that led to the ₤56m fine for RBS
The Financial services regulators in the UK made no mention of the role of offshoring IT problems at the Royal Bank of Scotland (RBS) in 2012 which ended in a fine of ₤56m on the bank last week.
A worker made a mistake in India when a CA-7 batch processing system was upgraded, according to a number of sources.
Banking industry sources believe offshoring is a risk to IT if companies fail to transfer the proper knowledge to service providers.
The Royal Bank of Scotland was last week fined ₤42m by the Financial Conduct Authority (FCA) and ₤14m by the Prudential Regulation Authority (PRA) for its failings that led to an IT meltdown that left customers unable to bank.
Many customers were locked out of their accounts for days as a result of a glitch in the CA-7 batch process scheduler, which caused 12 million accounts to be frozen. Customers were left unable to access funds for a week or more as RBS, NatWest and the Ulster Bank manually updated the account balances.
In their separate press releases, the FCA and PRA made no mention of the role of offshored IT in the fiasco.
The PRA said: “The cause of the IT incident was the failure of the banks to have the proper controls in place to identify and manage exposure to the IT risks within their business.”
The FCA said: "The problems arose due to failures at many levels within the RBS Group to identify and manage the risks which can flow from disruptive IT incidents and the result was that RBS customers were left exposed to these risks. We expect all firms to focus on how they ensure that they can meet the requirements of their customers when looking at their IT strategies and policies."
While these statements are accurate, nowhere in the separate press releases was offshored IT and knowledge transfer mentioned.
Read more about banking IT:
- RBS still recruiting CA-7 staff in India despite offshoring being blamed for IT meltdown
- UBS to increase capacity through second Hyderabad centre
- Why IT outsourcing is increasingly blamed for IT failures at banks
- UK financial regulator FCA probes RBS IT failure
Data breach concerns
This is a concern to IT professionals in the banking sector as outsourcing and offshoring of critical systems continues apace and it is not just about service unavailability. "The large scale of offshore outsourcing of banking IT worries me a lot. I think outages will be the least of our worries. Security breaches will be the next big issue. The bad guys are smarter and better funded than the good guys and they only need to win once to cause chaos," said one senior IT professional in the banking sector.
"Most of the issues I've seen have been due to human error, equipment failure or in recent years errors made by outsourced firms who are more distant than they were historically.
"More work has gone abroad as a result of cost pressure and that has led to a drop in standards across the industry. Outsourcing and offshoring development didn't hurt production but now that more production support is both offshore and outsourced, the scope of live problems is much higher than a few years ago. All too often human error by a junior person at a third party somewhere half way round the world who did not understand or follow a process properly."
RBS offshored jobs from Edinburgh that worked on CA-7. These workers were paid ₤250 a day, but RBS wanted a cheaper option.
Litany of banking IT failures
RBS’s problems are not the first in banking, where offshored IT delivery has been described as a significant contributor. Also in 2012, when a rogue trader ay UBS caused losses of over ₤2bn through unauthorised trading, an offshore delivery centre in Hyderabad, India was revealed as playing a role.
When fining the Swiss bank ₤29.7m the UK finance regulator, then the FSA, said: “The computerised system operated by UBS to assist in risk management was not effective in controlling the risk of unauthorised t6rading.” This system was run from a USB captive in Hyderabad.
A source in India told Computer weekly at the time the reason the rogue trading was missed was because data had been deleted as part of a system upgrade. He said when data was being migrated to a new system it started to slow things down. The person doing the migration deleted data to speed things up, which meant the trading went unnoticed.
In 2009 an IT contractor, who worked for the RBS as a mainframe technician for a number of years, told Computer Weekly business-critical work had been moved to India to cut costs: "RBS started moving the work we were doing to its datacentre in Mumbai, known internally as Indian Datacentre. I had to train Indian workers to do my job."
"This was to cut costs and not about filling a skills shortage. They move the jobs to India because it is cheaper."
Some commentators have called on regulators to investigate the offshoring of banks' IT. RBS is still seeking staff in India to work on its CA-7 batch process scheduler.