Two United Kingdom regulators last week hit three banks with a combined £56 million in fines for deficiencies in their IT systems during 2012, which affected more than 6.5 million customers.
The fines levied against Royal Bank of Scotland Plc (RBS), National Westminster Bank Plc (NatWest), and Ulster Bank Ltd. marked the first joint enforcement action by the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) since the two regulators were created in 2012. The FCA fined the banks £42 million, while the PRA fined the banks £14 million.
The banks, members of the Edinburgh-based RBS Group, agreed to the settlement early in the investigation, which qualified the banks for a 30 percent reduction in fines, the FCA said. The Central Bank of Ireland took its own enforcement action against Ulster Bank.
The fines stemmed from the banks’ IT failures in June and July 2012, which led to millions of U.K. customers being unable to access banking services, the FCA said. The FCA said the banks failed to implement resilient IT systems able to withstand or at least reduce the risk of IT failures. The bulk of those affected were retail customers, the PRA said.
A software compatibility issue was pinpointed as the actual cause of the IT failures, but an underlying cause of the problem was said to be the banks’ failure to implement adequate systems and controls and identify IT risks and manage their exposure, the FCA said in a statement.
Specifically, the banks’ centralized IT function, Technology Services, upgraded software that processed overnight updates to customer accounts on 17 June, 2012. When Technology Services noticed problems with the upgrade, it uninstalled the software without first testing the consequences, the FCA said. Technology Services also failed to realize the upgraded software was not compatible with the previous version, the regulator said.
The IT problems affected customers for several weeks, preventing customers from using online banking services to access accounts or obtain accurate balances from ATMs, the FCA said. The regulator stated the problem prevented customers from making timely mortgage payments, stranded customers without cash in foreign countries, caused incorrect credit or debit interest to be applied to customer accounts, produced inaccurate bank statements, and prevented some customers from meeting payroll obligations or finalizing audited accounts.
“Modern banking depends on effective, reliable, and resilient IT systems,” Tracey McDermott, the FCA’s director of enforcement and financial crime, said in a statement. “The banks’ failures meant millions of customers were unable to carry out the banking transactions which keep businesses and people’s everyday lives moving.”
“The problems arose due to failures at many levels within the RBS Group to identify and manage the risks which can flow from disruptive IT incidents, and the result was that RBS customers were left exposed to these risks,” McDermott said. “We expect all firms to focus on how they ensure that they can meet the requirements of their customers when looking at their IT strategies and policies.”
The regulators found fault not with RBS Group’s IT investment, which totals around £1 billion annually, but with its systems and controls to identify and manage IT risks and exposure. The FCA pointed to inadequate testing procedures for managing software changes, failure to identify risks related to the design of the software system running the updates, and an IT risk appetite and policy which it deemed to be “too limited.”
The FCA acknowledged the banks have taken significant steps to correct the shortcomings.
RBS Group said in a statement that it has already made provisions to cover the fines. RBS Chairman Philip Hampton repeated his apology to customers in the U.K. affected by the IT problems of 2012, saying the failure revealed “unacceptable weaknesses” in its systems.
“I am confident that the progress we have made – in increasing the resilience of our IT systems through the additional investment of hundreds of millions of pounds and the enhancement of our control structures – has made RBS better able to provide the service our customers expect and deserve,” Hampton said in the statement. “I am also pleased that the regulator acknowledged the steps we took at the time to provide redress to anyone who had lost out as a result of our mistakes.”
RBS paid £70.3 million in redress to U.K. customers and another £460,000 to individuals and firms who were not customers, the bank said. The bank’s chief administrative officer also said the bank will have invested an additional £750 million in enhancing the security and resiliency of its IT systems over the last two years.
Earlier this month the Central Bank of Ireland announced it fined Ulster Bank €3.5 million – the highest fine the Irish regulator has ever imposed, which it said reflected the seriousness of the prolonged disruption to customers.
“The summer of 2012 saw an unprecedented disruption to banking services as a result of a failure that occurred on the IT systems that Ulster Bank Ireland Limited used to process daily banking transactions,” Derville Rowland, Central Bank’s director of enforcement, said in the announcement. “The IT failure caused significant and unacceptable inconvenience to affected customers trying to carry out their everyday financial transactions.”
Rowland said it is essential that firms have robust IT governance arrangements to ensure continuity of service, adding that firms and senior management have the same responsibility when an activity is outsourced on an intra-group basis or to a third party.
“While the Central Bank recognizes that IT outsourcing is a feature of modern banking business, outsourcing is no defense for regulatory failings,” Rowland said. “Ultimate accountability for compliance remains with firms and they must ensure that they maintain oversight of outsourced activities.”