The FCA has taken this action against the Banks for failing to put in place resilient IT systems which could withstand, or minimise the risk of, IT failures.
The IT failure affected over 6.5 million customers in the United Kingdom for several weeks. Over the course of that period customers could not use online banking facilities to access their accounts or obtain accurate account balances from ATMs; customers were unable to make timely mortgage payments; customers were left without cash in foreign countries; the Banks applied incorrect credit and debit interest to customers’ accounts and produced inaccurate bank statements; and some organisations were unable to meet their payroll commitments or finalise their audited accounts.
The technical problem originated when Technology Services (the Banks’ centralised group IT function) upgraded the software that processed the overnight updates to customers’ accounts on 17 June 2012. When it noticed problems with the upgrade, it decided to uninstall it without first testing the consequences of that action.
Technology Services did not realise that the upgraded software was not compatible with the version it was reverting to, so the untested uninstall itself caused the IT incident that disrupted customers’ ability to use banking facilities on 20 June 2012.
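The failure mode described above, an upgrade backed out without testing whether the old version could still read what the new one had written, can be modelled in a few lines. The following is an added illustration written for this article, not the Banks’ software or anything from the FCA findings. It assumes a toy “queue” file of overnight account updates with two invented formats (format 1 unversioned, format 2 with a header line and a currency field), a version table saying which job release reads which format, and constructed account identifiers and amounts.

```python
"""Version-gated overnight batch processing: why an untested back-out can
corrupt account updates.

Added illustration, not the Banks' software. Version 2 of a nightly job writes
queue records that version 1 cannot interpret. Uninstalling v2 and letting v1
run on the state v2 left behind silently mis-posts updates. The hardened job
stamps persisted state with a format version, refuses formats it cannot read,
and a pre-rollback check asks the question that was never asked before the
uninstall. All identifiers, amounts and formats here are constructed.
"""

# Which persisted queue formats each job version can read (assumed table).
SUPPORTED_FORMATS = {1: {1}, 2: {1, 2}}
HEADER_PREFIX = "format="


class IncompatibleStateError(RuntimeError):
    """Job asked to process state written in a format it cannot read."""


def write_queue(records, fmt_version):
    """Serialise (account, amount_minor, currency) records.

    Format 1 predates versioning: no header, two fields, currency implicitly GBP.
    Format 2 adds a header line and an explicit currency field.
    """
    if fmt_version == 1:
        return "".join(f"{acct},{amt}\n" for acct, amt, _cur in records)
    body = "".join(f"{acct},{amt},{cur}\n" for acct, amt, cur in records)
    return f"{HEADER_PREFIX}{fmt_version}\n" + body


def queue_format(text):
    """Format version stamped on the queue; unstamped files are format 1."""
    first_line = text.split("\n", 1)[0]
    if first_line.startswith(HEADER_PREFIX):
        return int(first_line[len(HEADER_PREFIX):])
    return 1


def apply_updates_naive_v1(text, balances):
    """Pre-incident v1 behaviour: no version check and a 'tolerant' parser.

    On a v2 queue it drops the header as an unparseable line and posts each
    record by account and amount alone, ignoring the currency field it does
    not know about. Nothing fails loudly; the balances are simply wrong.
    """
    skipped = 0
    for line in text.splitlines():
        parts = line.split(",")
        try:
            acct, amt = parts[0], int(parts[1])
        except (IndexError, ValueError):
            skipped += 1
            continue
        balances[acct] = balances.get(acct, 0) + amt
    return balances, skipped


def apply_updates_checked(text, balances, job_version):
    """Hardened job: touch no account if the state format is unknown to it."""
    fmt = queue_format(text)
    if fmt not in SUPPORTED_FORMATS[job_version]:
        raise IncompatibleStateError(
            f"queue is format {fmt}; job v{job_version} reads "
            f"{sorted(SUPPORTED_FORMATS[job_version])}")
    lines = text.splitlines()[1:] if fmt >= 2 else text.splitlines()
    for line in lines:
        parts = line.split(",")
        acct, amt = parts[0], int(parts[1])
        cur = parts[2] if fmt >= 2 else "GBP"
        balances[(acct, cur)] = balances.get((acct, cur), 0) + amt
    return balances


def rollback_is_safe(queue_text, target_job_version):
    """Pre-uninstall test: can the version we are reverting to read the state
    the upgraded version has already written?"""
    return queue_format(queue_text) in SUPPORTED_FORMATS[target_job_version]


def demo():
    """Run the scenario end to end and return the observable outcomes."""
    records = [("ACC-1001", 1500, "GBP"), ("ACC-2002", 50000, "USD")]  # constructed
    v2_queue = write_queue(records, 2)  # state left behind by the upgrade

    # Uninstall v2, let v1 run: the naive job posts 50000 USD as if it were GBP.
    naive_balances, skipped = apply_updates_naive_v1(v2_queue, {})

    # Hardened v1 refuses the v2 state instead of mis-posting it.
    try:
        apply_updates_checked(v2_queue, {}, job_version=1)
        refused = False
    except IncompatibleStateError:
        refused = True

    return {
        "naive_balances": naive_balances,
        "naive_skipped_lines": skipped,
        "checked_v1_refused": refused,
        "rollback_to_v1_safe": rollback_is_safe(v2_queue, 1),
        "v2_balances": apply_updates_checked(v2_queue, {}, job_version=2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `rollback_is_safe` is that it is cheap and runs before the uninstall, against the state the old binary will actually inherit; the expensive part of resilience is deciding up front that every persisted artefact carries a version the consumer must check, which is a design choice rather than a testing one.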
RBS said the IT failure was not the result of insufficient investment in the Banks’ IT infrastructure: the RBS Group spends over £1 billion annually maintaining it.
Despite that level of spending, the immediate cause of the problem was a basic software compatibility issue, and the underlying cause was the Banks’ failure to put in place adequate systems and controls to identify and manage their exposure to IT risks.
The FCA has today taken action against the Banks for these failings: they did not put in place resilient IT systems which could withstand, or minimise the risk of, IT failures.
The fines announced today total £56 million: the FCA has fined RBS, Natwest and Ulster Bank £42 million, and the Prudential Regulation Authority (PRA) has fined the banks £14 million for the inadequate systems and controls that led to the ‘serious’ IT incident.
This is the first time the FCA and the PRA have taken joint enforcement action. The total cost to the taxpayer-owned bank is more than £125 million, including compensation to customers.
In addition to the fines, the bank has paid £70.3 million in redress to UK customers and £460,000 to individuals and firms who were not customers. As a result of the failure, RBS has also clawed back bonuses from four senior individuals and from thousands of staff.
Tracey McDermott, director of enforcement and financial crime at the FCA said: “Modern banking depends on effective, reliable and resilient IT systems. The Banks’ failures meant millions of customers were unable to carry out the banking transactions which keep businesses and people’s everyday lives moving.
“The problems arose due to failures at many levels within the RBS Group to identify and manage the risks which can flow from disruptive IT incidents and the result was that RBS customers were left exposed to these risks. We expect all firms to focus on how they ensure that they can meet the requirements of their customers when looking at their IT strategies and policies.”
Andrew Bailey, Deputy Governor, Prudential Regulation, Bank of England and CEO of the PRA said: “The severe disruption experienced by RBS, Natwest and Ulster Bank in June and July 2012 revealed a very poor legacy of IT resilience and inadequate management of IT risk.
“It is crucial that RBS, Natwest and Ulster Bank fix the underlying problems that have been identified to avoid threatening the safety and soundness of the banks.”
The FCA found that the Banks did not have adequate systems and controls to identify and manage their exposure to IT risks. In particular: testing procedures for managing changes to software were inadequate; the risks arising from the design of the software system that ran the updates to customers’ accounts were not identified; and the IT risk appetite and policy were too limited, lacking a sufficient focus on designing systems to withstand or minimise the effect of a disruptive incident.
The Banks agreed to settle at an early stage of the investigation and therefore qualified for a 30% Stage 1 discount.
Shortly after the IT incident, in 2012, the FCA wrote to the chairmen of the major retail banks asking them to identify the steps they had taken at board level to assess and mitigate their exposure to IT risks. The FCA and PRA have recently initiated a second “Dear Chairman” exercise which, once again, seeks to assess how well banks are managing their exposure to IT risk and to what extent their governing bodies have formally assessed how vulnerable each bank is to a technology failure affecting the services that support retail economic functions.
Today’s decision reflects the FCA’s commitment to ensuring that banks make the cultural shift away from “business continuity” (recovering from disruptive events) to “resilience” (ensuring that the banking activities most critical to customers can withstand the effect of disruptive events like software and other IT failures).
Philip Hampton, Chairman of RBS, said: “Our IT failure in the summer of 2012 revealed unacceptable weaknesses in our systems and caused significant stress for many of our customers. As I did back then, I again want to apologise to all customers in the UK and Ireland that we let down two and a half years ago.
“I am confident that the progress we have made – in increasing the resilience of our I.T. systems through the additional investment of hundreds of millions of pounds and the enhancement of our control structures – has made RBS better able to provide the service our customers expect and deserve. I am also pleased that the regulator acknowledged the steps we took at the time to provide redress to anyone who had lost out as a result of our mistakes.”
Simon McNamara, RBS Chief Administrative Officer, said: “When I first arrived at RBS in 2013, my number one priority was to ensure that any investment in I.T. was targeted in the right areas. As a result, by the end of 2015 we will have invested an additional £750m in enhancing the security and resilience of our IT systems.
“A lot has changed and much has been achieved already. Our systems are currently available to customers over 99.9% of the time. By any measure, this is some achievement. But, given the impact that any incident has on our customers, I want to do better.”
The FCA and PRA note that RBS has paid £70.3m in redress to UK customers and £460,000 to individuals and firms who were not customers.
RBS has also today fulfilled its commitment to publish its own key findings in relation to the incident. These can be accessed