Deal between RBS and CA over IT failure will remain secret

The details of the financial settlement between RBS and CA Technologies in relation to a massive IT failure will remain secret

The details of the financial settlement between the Royal Bank of Scotland (RBS) and CA Technologies in relation to a massive IT failure will remain secret because financial services regulators cannot answer a Freedom of Information (FOI) request on the matter.

In November 2014 the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) fined RBS – £42m and £14m respectively – in relation to IT failures. At the time, the FCA said: “The actual cause of the IT incident was a software compatibility problem with the underlying cause being the banks’ failure to put in place adequate systems and controls to identify and manage their exposure to IT risks.”

But the statements did not mention the role an offshore service had in the problem. They also ignored the fact that RBS and CA Technologies – the supplier of the software that went wrong – settled out of court in relation to the incident and signed a non-disclosure agreement to keep this secret.

The RBS IT outage in 2012 left customers of RBS, NatWest and Ulster Bank unable to access their accounts for days. A glitch in the CA-7 batch process scheduler froze 12 million accounts, meaning customers were left unable to access funds as the banks manually updated account balances.

Freedom of Information request

Given RBS’s significant public ownership and the fact the FCA and PRA are public sector organisations, Computer Weekly filed an FOI request asking for more details about the deal between RBS and CA Technologies. 

The FOI Act applies to public sector organisations and RBS has been significantly state-owned since the financial bailout it received following the credit crunch of 2008.

The request asked: “Why did CA Technologies make a payment to the Royal Bank of Scotland in relation to the 2012 IT failure that was subject of an FCA investigation?” It also requested details of how much CA Technologies paid in settlement.

Neither the PRA nor the FCA answered the questions, both citing section 44 of the Financial Services and Markets Act 2000 (FSMA) as the reason they could not comment.

The FCA said: “Whilst we can confirm we hold information in relation to RBS IT failures, we can neither confirm nor deny whether we hold the information you have requested.

“As such information, if received by the FCA, would have been information which the FCA received for the purpose of carrying out its regulatory function under the FSMA, the prohibitions on disclosure exemption in section 44 of the act applies.”

The PRA cited the same reason for not commenting.

Section 44(1)(a) of the act states: “Information is absolutely exempt from disclosure if its disclosure (otherwise than under the act) is prohibited by or under any enactment.”

Section 348 of the FSMA restricts the FCA from disclosing confidential information it has received except in certain limited circumstances (none of which apply here).

Disclosure beneficial to finance sector

IT industry sources have told Computer Weekly the details of the agreement between CA Technologies and RBS would be beneficial to the finance sector. Settlements out of court are cheaper and keep problems out of the public eye, but in doing so prevent other organisations from avoiding similar problems.

In November 2014, separate to the FOI requests, Computer Weekly asked the FCA and PRA for more details on the IT failure. This included questions about the expertise the regulators drew upon to carry out the investigation, why the role of an offshore service in the IT problems was not mentioned and why there was no mention of a link between cost cutting and the IT problem.

The FCA did partly answer one question. It said it used a third party to investigate the IT failure, but would not name the organisation.

The financial services industry is critical to the UK, but one source labelled the sector opaque. Although IT problems at banks affect the lives of millions of people, they are not investigated and reported publicly in detail, as a government IT issue would be, for example.
