UK bank IT failures more than doubled in a year - FCA

UK bank IT failures have more than doubled over the past year, according to new data compiled by the Financial Conduct Authority.

Presenting the results, Megan Butler, executive director of supervision, FCA, said: “On the basis of the data that the FCA is currently collecting, we see no immediate end in sight to the escalation in tech and cyber incidents that are affecting UK financial services.”

She says the regulator does not expect ‘zero-failure’: “The true test of the resilience of UK finance is not the absence of incidents. It’s how well incidents are managed.”



The figures cited by Ms Butler were collated by the FCA as part of its technology and cyber-resilience survey, which polled 300 firms, and were presented by her during a speech delivered at Bloomberg in London.

She explained that the watchdog has discovered a 138 per cent increase in technology outages, alongside an 18 per cent increase in cyber incidents.

With debit card transactions outstripping cash payments for the first time, the FCA said it is “deeply concerned” that the number of technology incidents reported has increased, with many outages linked to re-platforming and outsourcing failures.

“Everyone knows that firms need to make regular changes - of varying size and complexity - to technology estates, and that from time to time things will go wrong,” Ms Butler said. “But we are worried that a lot of firms seem overly confident about their ability to manage flagship IT change programmes and keep their systems up to date.”

She pointed out that a lot of the time it isn’t technology at fault when things go wrong, but classic systems and control failures.

One-third of firms were found to not perform regular cyber assessments, while nearly half do not upgrade or retire old IT systems in time, according to Ms Butler’s speech, which did not give absolute numbers.

In October, the FCA slapped the banking arm of UK supermarket chain Tesco with a £16.4 million fine for its failure to prevent a cyber attack that affected thousands of customers in 2016, and both the FCA and the Bank of England are currently investigating TSB and its senior managers over a series of failures earlier this year.

Ms Butler said that in the case of Tesco, the bank had specific warning of the threat and failed to put in place an effective defence, “which left its customers in a vulnerable position for a significant period of time. It then had to fix the problem in an urgent situation as attacks to its customers were being made which, in the end was effective, but only after attacks had succeeded. It should never have exposed its customers to a known cyber risk.”

Ms Butler said there is a clear problem at the moment in recruiting the right skills at the top level to steer, set strategy and oversee the armies of semi-permanent contractors and unregulated third parties running bank IT platforms.

“Historically, and for most of my career in this industry, the rock stars of finance were always the alpha traders,” she said. “Today, it’s the CIOs and IT consultants who are in high demand and short supply. Meaning the best are difficult to employ and hard to retain. A challenge reflected by the fact that all the wholesale banks and asset managers we met after this survey said they were concerned about a shortage of cyber expertise.”

Alongside operational resilience, the watchdog’s list of concerns included the ongoing issue of cyber-resilience.

Describing the current threat level as “remarkable”, Ms Butler warned: “We are seeing some serious vulnerabilities across areas like identification of key assets, information and detection. A third of firms do not perform regular cyber assessments. Most know where their data is. But describe it as a challenge to maintain that picture. Nearly half of firms do not upgrade or retire old IT systems in time. Only 56 per cent say they can measure the effectiveness of their information asset controls.”

Ms Butler’s concerns are shared by the UK Government’s Treasury Committee, which last week launched an inquiry into bank IT failures after a string of high-profile incidents at major banks.

The Committee will examine the ability of financial services institutions to guard against service disruptions and to put things right in the event that disruptions do occur, and whether regulators have the relevant skills to adequately hold people to account.
