UK-regulated financial services companies had better make sure their IT systems work properly: the excuse ‘it was a computer glitch’ no longer flies with the regulator.
UK financial regulator the Financial Conduct Authority (FCA) has today fined the Royal Bank of Scotland (NYSE:RBS), National Westminster Bank (NatWest) and Ulster Bank a total of £42 million (about $66 million) for IT failures which occurred in 2012. The failures involved the banks’ customers being unable to access online banking services.
The FCA has taken this action against the banks for failing to put in place resilient IT systems which could withstand, or minimize the risk of, IT failures.
The immediate cause of the IT incident was a software compatibility problem; the underlying cause, in the FCA’s view, was the banks’ failure to put in place adequate systems and controls to identify and manage their exposure to IT risks.
The IT failure affected over 6.5 million customers in the UK for a period of several weeks in mid-2012. During that period customers could not use online banking to access their accounts or obtain accurate account balances from ATMs; some customers were unable to make mortgage payments on time; some were left without cash while abroad; the banks applied incorrect credit and debit interest to customers’ accounts and produced inaccurate bank statements; and some organizations were unable to meet their payroll commitments or finalize their audited accounts.
Tracey McDermott, director of enforcement and financial crime at the FCA said:
Modern banking depends on effective, reliable and resilient IT systems. The Banks’ failures meant millions of customers were unable to carry out the banking transactions which keep businesses and people’s everyday lives moving.
The FCA found that the banks did not have adequate systems and controls to identify and manage their exposure to IT risks. In particular:
- there were inadequate testing procedures for managing changes to software;
- the risks related to the design of the software system that ran the updates to customers’ accounts were not identified;
- the IT risk appetite and policy was too limited, because it should have had a much greater focus on designing systems to withstand or minimise the effect of a disruptive incident.
Today’s fine marks the first time the FCA and the Prudential Regulation Authority (PRA) have taken joint enforcement action. The PRA has fined the banks £14 million.
The complete press release on the FCA fine is available on the FCA’s website.