Release Date: 20th November 2014
To access the original FCA document, click here.
Summary
The Financial Conduct Authority (FCA) has fined Royal Bank of Scotland Plc (RBS), National Westminster Bank Plc (NatWest), and Ulster Bank Ltd a total of £42 million due to significant IT failures in June 2012, which severely disrupted banking services for millions of customers. This penalty reflects shortcomings in their IT systems’ resilience and risk management capabilities, leaving customers unable to access online banking, make mortgage payments on time, or use accurate ATM services for several weeks.
The core issue stemmed from a software update implemented by the banks’ centralised IT function, Technology Services, which was not compatible with their existing systems. The decision to uninstall the problematic software without prior testing led to widespread service disruptions, impacting over 6.5 million customers in the UK. The incident highlighted deficiencies in the banks’ approach to IT risk management, particularly in their testing procedures, understanding of system design risks, and the scope of their IT risk policies.
Key Takeaways for Other Firms:
- Robust IT Systems and Controls: Institutions must ensure that their IT systems and controls are capable of managing and withstanding risks associated with technological changes and upgrades.
- Comprehensive Risk Management: Effective risk management procedures should be in place to identify and mitigate potential IT risks. This includes extensive testing before the implementation of significant system changes.
- Clear IT Risk Policies: Firms should have broad and detailed IT risk policies that focus on minimising the impact of disruptive incidents, rather than merely recovering from them.
- Investment in IT Infrastructure: While significant investment in IT is crucial, it must be coupled with strategic planning and execution to enhance system reliability and resilience.
- Governance and Oversight: Senior management must actively oversee IT strategies and policies to ensure they align with the firm’s risk appetite and regulatory requirements.
The FCA’s action, supported by the Prudential Regulation Authority (PRA) which imposed an additional £14 million fine, marks the first joint enforcement by these regulators, underscoring the importance of IT resilience in the banking sector. This enforcement also aligns with the FCA’s shift in focus from business continuity to resilience, emphasising the need for systems that can withstand disruptive events without failing.
Banks and other regulated firms are urged to learn from this incident and enhance their IT systems and risk management practices to prevent similar occurrences and protect consumer interests effectively.