If Not the Bank's Fault, Then Whose?

In another software burp reported last week, some Scotiabank customers in Vancouver, Canada were surprised to find that their pre-authorized payments had been withdrawn twice from their bank accounts.

I personally know the fun that can cause. Many years back, I tried to withdraw $50 at my local bank's ATM. I was informed that this wasn't possible, since my account was overdrawn by roughly $1.4 million. That was news to me. Since I discovered this on a Friday night, I had to stew on it until Monday morning.

A "small software problem" (the bank's terminology) caused my overdraft which in turn meant my pre-authorized payments (like my mortgage) weren't paid on time. It took a good long while to get this mess straightened out, especially with the credit scoring companies who saw that I had missed a whole bunch of payments. Try telling them that it was just a computer error. I stopped using pre-authorized payments after that little episode, as well as changed banks.

Anyway, what caught my eye in the article were some quotes allegedly made from a person at a local university who said that he "wasn't surprised to hear of a technical error with banking systems." Me either - been there.

He went on to say, "I'd say that you have to expect some things like this.You can't expect things to be perfect even if they're run by technology." Yup - I agree.

"Personally, I don't blame the bank. I'd blame them if they didn't get right on it."

Huh? He didn't blame the bank - it was just a technology error? The bigger problem was if the bank's response wasn't effective?

I vehemently disagree - I do blame the bank, and it better make its customers' whole again and quickly.

When are we going to quit giving companies (and government organizations) free passes on software foul-ups?

The only way that I would not blame the bank is if it could reasonably explain to me why the error checking routine in its application software to ensure that double payments could not be made failed - and could not be traced to any decisions they made or actions they took. It is not like the possibility of an erroneousness double payment is some novel event that had never occurred in any previous banking systems.

I would also like the bank to explain to me why it thought its current business, systems and software engineering practices used to create its banking application should be seen as posing "acceptable" risk, especially in relation to this event occurring.

This stuff happens all the time - as the person quoted above mentions - but until the bank proves why it should be held blameless, this is an unacceptable failure that I, at least, do totally blame as being the bank's fault. I think its customers should too.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City