Banking sector IT systems in the United Kingdom are in a very sorry state. A review of various media reports shows that in 2018, there were at least 44 bank and building-society-related IT operational or cybersecurity incidents that prevented customers from accessing their payment services.
That tally represents almost one incident per week—a staggering rate of failure. However, it pales in comparison to what was revealed by a more detailed accounting. The Financial Conduct Authority (FCA), which regulates the U.K.’s financial services sector, is now enforcing its rules requiring banks to publicly provide more incident data. The newly gathered information indicates that from April through December 2018 alone, there were 302 such incidents, or one a day on average. According to an analysis of the incident data by the consumer reporting and advocacy group Which?, these IT and cybersecurity failures affected the customers of some 30 banks and building societies.
These banks and building societies make up about 10 percent of the firms the FCA regulates. An internal November 2018 FCA analysis [PDF] of the financial services sector as a whole indicates that there were nearly 600 IT operational and security incidents reported to the FCA between October 2017 and September 2018, an increase of 187 percent from the 12-month period preceding it.
The spiraling number of incidents moved the FCA late last year to warn U.K. banking customers that it saw “no immediate end in sight to the escalation in tech and cyber incidents.”
The banks, naturally, have tried to play down the latest reporting on the number of incidents. For instance, the spokesperson for Barclays Bank, which reportedly experienced 41 operational events (the most frequent among the 30 banks) sought to minimize the problem. The Barclays spokesperson toldBBC News that “We take IT resilience extremely seriously and we welcome transparency for our customers, which is why we report every incident to the regulator, even minor glitches that have minimal impact on customers.”
That may be true, but heretofore, the public wasn’t privy to information regarding the full impact of each such incident. That is, until an increasingly worried FCA decided [PDF] in 2017 that it needed to “incentivize [banks] to improve service and performance,” especially in regard to improving their IT systems’ resilience to glitches and security threats.
By making the incident data public, the FCA believes that customers will “make informed comparisons and choose the provider that best suits their needs.” In other words, shy away from banks that have lackluster IT and cybersecurity operations.
The FCA was moved to undertake this action because it believed that the banks were both underreporting cybersecurity incidents and their impacts and, critically, weren’t adequately improving their IT systems’ operational resilience. The banks had repeatedly promised to do so after a number of high profile outages stretching back to the infamous Royal Bank of Scotland Banking Group IT meltdown in 2012.
For example, RBS Group, which includes RBS Bank, NatWest, and Ulster Bank, promised in 2013 to spend over £700 million to modernize its IT systems in wake of the 2012 incident. Whatever its efforts, they didn’t prevent another half dozen reported operational outages in 2013, and several more in 2014.
While RBS increased [PDF] its modernization investment by another £2.5 billion in 2015, it has continued to experience a “litany of failures” according to the head of the Parliament Treasury Committee. The FCA data, for example, show that RBS Group experienced 65 such incidents between April and December 2018.
Similarly, Lloyds Banking Group, comprising Lloyds Bank, the Bank of Scotland, and Halifax Bank, also pledged in 2015 that it would modernize its systems. It announced plans to spend £1 billion on IT upgrades by the end of 2017 and, in 2018, promised that another £3 billion would be invested in modernization efforts by 2021. Yet it experienced 68 incidents over the same April to December 2018 time frame.
In reviewing the number of media-reported IT operational and security incidents at the U.K.’s largest banks since 2012, I limited my search for news reports covering incidents involving HSBC, Barclays, RBS Group, Lloyds Banking Group, and TSB Bank, which was part of the Lloyds Banking Group until 2013. The FCA data indicate that two-thirds of all the April to December 2018 bank-related IT operational and cybersecurity incidents can be attributed to the nine banks controlled by these five groups.
As can clearly be seen, there is a clear upward trend in bank IT failures and security breaches at these five large banking groups since 2016. While most of the incidents reportedly lasted for only several hours, there were still a number—like the June 2015 RBS payment failure—that lasted for days, and the May 2018 TSB outage that lasted for weeks. It is important to remember that, whether short or long in duration, most of the individual incidents affected tens of thousands if not millions of bank customers.
An interesting revelation that comes from reviewing these incidents is how media reports of bank-related IT operational and cybersecurity incidents tend to show only the tip of the IT failure iceberg. This can be seen in the graph below, which compares media reports about failures at the same nine large U.K. banks with their actual records as reported to the FCA over the same time period. Again, the numbers came from an analysis of incidents by the consumer group Which?.
TSB’s media coverage was probably the most thorough because of the spectacular and persistent nature of its IT operational failures, the resignation of the bank’s CEO Paul Pester in the wake of one such failure, and the £330 million hit to its pockets and loss of 80,000 customers the bank has so far incurred as a result of the failure.
Later this year, the U.K.’s Parliamentary Treasury Committee inquiry will be reporting its findings into the common causes of IT failures in the financial service sector and their impact on customers. I think it is a safe bet that the common denominator will be the difficulty of supporting and updating banks’ legacy IT systems.
The Treasury Committee will also likely advise bank customers to always have access to at least two days of funds, given that is the maximum time the FCA believes is acceptable for a major bank IT outage to last. I also expect the committee to fully support the FCA’s warning that bank executives’ bonuses start being tied to their companies’ IT operational and cybersecurity resilience.
How long it will be before the FCA is satisfied with the banks’ overall IT resilience is anyone’s guess. However, Australia’s large banks, like the National Australia Bank and the Commonwealth Bank of Australia, went through a previous period of turmoil between 2010 and 2012. At the time, bank analysts estimated that it would take 15 years for the banks to sort their IT systems out, which given the continuing bank IT outages, is looking prescient.
If the same is true for the U.K., bank customers can expect problems to dog electronic banking systems through the early 2030s. And that doesn’t include what might happen as a result of Brexit.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.
