FSA Pressures UK Banks on Software Glitches

UK regulator the Financial Services Authority (FSA) is reported to have written to the chairmen of the largest nine banks and building societies, requesting details of measures they have taken to prevent a software malfunction similar to that which affected Royal Bank of Scotland (RBS) customers in June.

The letter, issued by two senior FSA executives, also requests the names of senior managers who could be held personally responsible if IT systems fail.

The RBS software glitch affected payments processing for 17 million accounts, and disrupted customer access for up to three weeks. The FSA executives want chairmen and boards to identify any similar weaknesses in their own infrastructures and call on each bank to submit a written account of what had been done “to ensure the overall resilience of critical infrastructure and banking processes”, as well as the contingency plans they have in place to restore service “within an acceptable timeframe” should a failure occur.

“This is a serious matter and that is why we have written to board chairmen,” said an FSA spokesperson.

Commenting on the FSA’s move, Daniel Mayo, practice leader, financial services technology at Ovum, said: “Banks previously experienced a strong regulatory push around business and continuity planning in the early-mid 2000s, driven by concerns over terrorism, which was followed by an increasing focus on operational risk in the mid-2000s driven by the incorporation of this risk in Basel II.

“However, while IT was at the heart of both of these requirements, much of the focus has been on disaster scenarios – through risk and control self-assessment exercises – rather than ‘glitches’ that can escalate into major incidents, as shown by the RBS processing failure. Banks need to ensure that they not only try to identify potential risks, and put necessary controls and procedures in place, but ensure that their general incident control, governance and procedures have the ability to escalate management attention quickly if minor incidents similarly escalate, or have potential to do so.

“However, the FSA move to identify executive responsibility and ownership around IT systems should be a wake-up call to banks to seriously consider systems modernization. While legacy systems are in fact highly reliable, technology obsolescence represents an increasing operational risk, and regulators are unlikely to treat future such events so kindly.”

