FCA deeply concerned as no end in sight for IT failures in banking

IT failures at UK financial services firms increased by a massive 138% in the past year with failed IT changes being the leading cause, according to research from the Financial Conduct Authority (FCA).

A report from the regulator revealed that there were about 600 technology outages reported to the FCA between October 2017 and September 2018.

Megan Butler, executive director of supervision – investment, wholesale and specialists at the FCA, said: “On the basis of the data that the FCA is currently collecting, we see no immediate end in sight to the escalation in tech and cyber incidents that are affecting UK financial services.”

The most common root cause of these incidents was IT change, with 20% reporting this to be the case.

Banks are used to IT change, but the sheer volume of changes is causing problems. The FCA said many of the financial services firms questioned reported to have mature IT change management functions because they deal with a large amount of IT projects, some of which are on a huge scale.

Butler said part of the huge increase in reported problems could be down to the fact that financial services firms are simple better at reporting – although she admitted that the FCA still suspects that under-reporting is a problem.

She added that the FCA does not expect “zero failure”, but stressed the its “deep concern” with the number of IT failures in the sector.

“To put it bluntly, if your Amazon Alexa falls silent, you look out of the window to see what the weather is like,” said Butler.

“However, if your bank stops working, your life and business can be severely constrained. This is a point that is especially true in the UK today, with the decline in use of physical currency. We should remember that this is the first year where the total number of debit card transactions has outstripped cash transactions.

“So you won’t be surprised to hear me say that the FCA is deeply concerned that the number of technology incidents reported to us has increased, with many outages linked to re-platforming and outsourcing failures,” she said.

The IT problems at TSB this year is an example of the difficulty traditional banks and financial services firms have with upgrading IT to keep up with customer demand. In April this year, TSB moved millions of customer accounts from the systems of Lloyds Bank, which has hosted them since TSB was separated from Lloyds, to a new core banking platform from its current owner, Spanish bank Sabadell.

As a result of problems, customers were locked out of their accounts and experienced money disappearing from accounts. Some were even able to see other customers’ accounts.

The second most common root cause for IT failures was issues related to third-party suppliers, with 15% reporting so. There were also a large number of incidents where companies do not know the root cause. In 186 cases of IT failures over the 12 month period (29% of total incidents), firms have not yet informed the FCA of the root cause.

While TSB is the most overt example of IT failure in the sector there have recently been a large number of smaller outages at the UK’s big high street banks. These are often related to digital banking services.

For example, in September, Barclays, Royal Bank of Scotland (RBS) and NatWest customers experienced problems accessing mobile and internet banking over a two-day period.

Barclays customers were unable to use the bank’s mobile banking app, and customers of RBS and NatWest – which are both part of the RBS Group – were unable to use mobile and internet banking services.

Meanwhile, the FCA report found that cyber attacks are increasing at a fast rate, with 18% of total operational incidents at banks caused by these.

The report comes as the parliamentary Treasury Committee launched an inquiry to find out why banking IT failures continue. It will also look at how consumers suffer as a result of IT outages and investigate whether financial services regulators have the skills needed to challenge companies over their IT.

The regulators in the UK have more of a challenge than counterparts in other jurisdictions because of the way software is developed.

Lev Lesokhin, senior vice-president strategy and analytics at Cast, which tests software quality, recently told Computer Weekly that research from the company has consistently shown the UK scores the lowest on all factors used to measure code and software health.

“The UK is behind the rest of Europe, the US and India in particular when it comes to the robustness, the transferability and the performance of the code. We have observed that the UK’s score is low compared with other countries when it comes to the changeability of the code. This means it is more difficult to change prevalent legacy software and modernise it to meet current standards,” he said.

He described some UK practices as “code-slinging cowboy DevOps”, which he believes disregards global industry standards. “This sheds some light as to why UK banks have such frequent IT glitches. However, it is only part of the explanation,” he added.

“The banking sector is particularly affected by glitches because of the amount of legacy systems. Banks have software piling on top of software, and the UK lacks the software intelligence to control their structural quality and the IT talent to fix them.”