Improvements in how UK banks share information on system outages and security incidents with customers will come into effect tomorrow (15 August), endorsed by the Financial Conduct Authority (FCA).
The work is part of a wider push by the financial regulator to make it easier for customers to compare the different personal and business current accounts available on the market, so they can make more informed decisions on which bank to go with.
A consultation document, published in July 2017, said that when making these decisions, customers benefit from having access to information on the quality of service provided by banks, but there is little consistency in how providers make this information accessible.
This makes it harder for consumers to make meaningful comparisons when weighing up one bank’s offerings against another, particularly when it comes to establishing how many major operational or security incidents the providers have reported to the FCA over a set period of time.
“They [customers] were particularly interested in the frequency of major unplanned service outages,” the document states.
“They considered that frequent, unplanned interruptions may be a sign of poor investment in the resilience of systems and security. Not being able to access services for a period of one hour or more would cause them significant inconvenience.”
In light of this, the FCA proposed a requirement that banks publish the total number of major incidents suffered by their online, telephone and mobile banking services over a year.
“For ease of access by customers, we consider that this information is best published by firms along with other service information we prescribe, rather than the FCA publishing the data separately elsewhere,” the document adds.
After publishing the consultation document, the FCA confirmed in December 2017 that it would move ahead with the changes, with the new rules to come into effect on 15 August 2018.
Pressure is growing on the financial services industry to improve its response to security incidents and unplanned downtime, following a series of high-profile incidents involving credit card company Visa and the multi-day outage suffered by high-street bank TSB in May 2018.
The FCA published a joint discussion paper with the Bank of England in July, giving banks and financial services companies until 5 October 2018 to provide details about their outage response procedures and how at risk they are of encountering an incident. The paper also asked providers to state the maximum acceptable amount of time for their systems to be down.
Nick Hammond, lead adviser for financial services at IT services provider World Wide Technology, said some banks may experience difficulties in trying to meet the new reporting requirements because of how their legacy infrastructure is set up to work.
“While older rules required yearly tick-box compliance exercises, new regulations necessitate continued assurance of critical applications,” he said. “But the complex nature of existing systems throws a spanner in the works.
“Legacy infrastructures were often built with different and sometimes conflicting metrics over the years, meaning that an intricate patchwork of applications communicate with each other in complicated ways.”