Release Date: 20th November 2014


Summary

The Financial Conduct Authority (FCA) has fined Royal Bank of Scotland Plc (RBS), National Westminster Bank Plc (NatWest), and Ulster Bank Ltd a total of £42 million for the serious IT failures of June 2012, which disrupted banking services for millions of customers. The penalty reflects shortcomings in the resilience of the banks' IT systems and in their IT risk management, which left customers unable to access online banking, make mortgage payments on time, or obtain accurate account balances at ATMs, in some cases for several weeks.

The failure stemmed from a software upgrade implemented by the banks' centralised IT function, Technology Services, which proved incompatible with their existing systems. The decision to uninstall the problematic software without adequate prior testing triggered widespread service disruption, affecting over 6.5 million customers in the UK. The incident exposed deficiencies in the banks' approach to IT risk management, in particular their testing procedures, their understanding of the risks inherent in the system design, and the scope of their IT risk policies.

Key Takeaways for Other Firms:

The FCA's action, alongside an additional £14 million fine imposed by the Prudential Regulation Authority (PRA), marks the first joint enforcement action by the two regulators and underscores the importance of IT resilience in the banking sector. The enforcement also reflects the FCA's shift in focus from business continuity to resilience, emphasising the need for systems that can withstand disruptive events rather than merely recover from them.

Banks and other regulated firms are urged to learn from this incident and enhance their IT systems and risk management practices to prevent similar occurrences and protect consumer interests effectively.
