The Financial Conduct Authority (FCA) has today fined the Royal Bank of Scotland Plc, (“RBS”) National Westminster Bank Plc (“NatWest”) and Ulster Bank Ltd (“Ulster Bank”) (the “Banks”) £42 million for IT failures which occurred in June 2012 and meant that the Banks’ customers could not access banking services.
The FCA has taken this action against the Banks for failing to put in place resilient IT systems which could withstand, or minimise the risk of, IT failures.
The actual cause of the IT incident was a software compatibility problem with the underlying cause being the Banks’ failure to put in place adequate systems and controls to identify and manage their exposure to IT risks.
The IT failure affected over 6.5 million customers in the United Kingdom for several weeks. Over the course of that period customers could not use online banking facilities to access their accounts or obtain accurate account balances from ATMs; customers were unable to make timely mortgage payments; customers were left without cash in foreign countries; the Banks applied incorrect credit and debit interest to customers’ accounts and produced inaccurate bank statements; and some organisations were unable to meet their payroll commitments or finalise their audited accounts.
Tracey McDermott, director of enforcement and financial crime at the FCA said:
‘Modern banking depends on effective, reliable and resilient IT systems. The Banks’ failures meant millions of customers were unable to carry out the banking transactions which keep businesses and people’s everyday lives moving.
‘The problems arose due to failures at many levels within the RBS Group to identify and manage the risks which can flow from disruptive IT incidents and the result was that RBS customers were left exposed to these risks. We expect all firms to focus on how they ensure that they can meet the requirements of their customers when looking at their IT strategies and policies.’
On 17 June 2012 Technology Services (the Banks’ group centralised IT function) upgraded the software that processed updates to customers’ accounts overnight. When it noticed problems with the upgrade it decided to uninstall it without first testing the consequences of that action. Technology Services did not realise, however, that the upgraded software was not compatible with the previous version. This caused the IT incident that disrupted customers’ ability to use banking facilities on 20 June 2012.
The FCA found that Banks’ did not have adequate systems and controls to identify and manage their exposure to IT risks. In particular:
- there were inadequate testing procedures for managing changes to software;
- the risks related to the design of the software system that ran the updates to customers’ accounts were not identified;
- the IT risk appetite and policy was too limited because it should have had a much greater focus on designing systems to withstand or minimise the effect of a disruptive incident.
The incident was not the result of the Banks’ failure to make a sufficient investment in its IT infrastructure. The RBS Group spends over £1 billion annually to maintain IT infrastructure. The FCA acknowledges that since the IT Incident the Banks have taken significant steps to address the failings in their IT systems and controls.
Today’s fine is the first time the FCA and the Prudential Regulation Authority (PRA) have taken joint enforcement action. The PRA has fined the Banks £14 million.
The Banks agreed to settle at an early stage of the investigation and therefore qualified for a 30% Stage 1 discount.
Shortly after the IT incident, the FCA wrote to the chairmen of major retail banks in 2012 to ask them to identify the steps they had considered at board level to assess and mitigate their exposure to IT risks. The FCA and PRA recently initiated a second “Dear Chairman” exercise and, once again, it is seeking to assess how well banks are managing their exposure to IT risk and to what extent banks’ governing bodies have formally assessed the extent to which a bank is vulnerable to technology failure affecting services supporting retail economic functions.
Today’s decision reflects the FCA’s commitment to ensuring that banks make the cultural shift away from “business continuity” (recovering from disruptive events) to “resilience” (ensuring that the banking activities most critical to customers can withstand the effect of disruptive events like software and other IT failures).
The FCA would like to acknowledge the cross-jurisdictional co-operation it received from the Central Bank of Ireland in the Republic of Ireland, who have taken their own enforcement action in respect of the IT failure against Ulster Bank (ROI) a subsidiary of the RBS Group.