The Royal Bank of Scotland and its subsidiary Ulster Bank have been hit with a £56 million fine by regulatory authorities over a computer malfunction in 2012 that locked customers out of accounts and knocked out payments processing systems.
The IT failure affected over 6.5 million UK customers for several weeks. Over the course of that period customers could not use online banking facilities to access their accounts or obtain accurate account balances from ATMs; customers were unable to make timely mortgage payments; customers were left without cash in foreign countries; the banks applied incorrect credit and debit interest to customers’ accounts and produced inaccurate bank statements; and some organisations were unable to meet their payroll commitments or finalise their audited accounts.
Tracey McDermott, director of enforcement and financial crime at the FCA, says the watchdog, in concert with the Prudential Regulation Authority, levied the penalties for the banks' failures to put in place resilient technology systems which could withstand, or minimise the risk of, IT problems.
In December, RBS chief Ross McEwan admitted that the bank had failed to invest properly in its IT system for decades.
"Modern banking depends on effective, reliable and resilient IT systems," says McDermott. "The banks' failures meant millions of customers were unable to carry out the banking transactions which keep businesses and people's everyday lives moving."
McDermott says the problems in 2012 arose due to failures "at many levels" within the RBS Group to identify and manage the risks which can flow from disruptive IT incidents.
The breakdown happened on 17 June 2012 when the bank's IT department upgraded the software that processed updates to customers’ accounts overnight. When it noticed problems with the upgrade it decided to uninstall it without first testing the consequences of that action. The Technology Services team did not realise, however, that the upgraded software was not compatible with the previous version, resulting in the subsequent crash.
Today’s fine is the first time the FCA and the Prudential Regulation Authority (PRA) have taken joint enforcement action. The FCA hit the banks with a £42 million fine, while the PRA put a £14 million price tag on the incident.
The banks agreed to settle at an early stage of the investigation and therefore qualified for a 30% discount.
Shortly after the IT incident, the FCA wrote to the chairmen of major retail banks in 2012 to ask them to identify the steps they had considered at board level to assess and mitigate their exposure to IT risks. The FCA and PRA recently initiated a second "Dear Chairman" exercise and, once again, they are seeking to assess how well banks are managing their exposure to IT risk and to what extent banks’ governing bodies have formally assessed the extent to which a bank is vulnerable to technology failure affecting services supporting retail economic functions.
"We expect all firms to focus on how they ensure that they can meet the requirements of their customers when looking at their IT strategies and policies," says McDermott.
Last week, the Central Bank of Ireland fined Ulster Bank EUR3.5 million over the meltdown.