The Treasury Select Committee today said it is turning its guns on the retail banking sector after an “astonishing” string of IT failures, with a new inquiry on operational resilience to launch following the high-profile system outages.
It has called for evidence on “the common causes of operational incidents” along with “the incidence of multiple old legacy systems and the nature of their connectivity, and the impact of retrofitting web based/mobile systems to legacy systems”.
Letters appended to the notice of the inquiry’s launch detailed the cause of issues suffered by Barclays and RBS, among others.
Barclays, for example, blamed a “rare interaction between two software systems, causing a corruption in the messaging being sent between our cheque imaging technology platform and our other key financial servicing systems” for an outage on September 20.
“This was introduced during a change that was implemented the previous day and had run successfully in production and our test environments,” the bank said plaintively. “The corrupt messages adversely affected our critical central messaging infrastructure, which communicates to a large number of our applications and services.”
Do We Need Another Inquiry?
Industry veterans would be forgiven for seeing the inquiry as needless politicking: Committee members will know the Bank of England this summer already published a Financial Stability Report that set out clear baseline expectations for firms’ resilience.
This included demands for regular testing of resilience by firms and supervisors; identification of firms that are “outside the financial regulatory perimeter, but which may be important for regulated firms”; and “clear and tested arrangements to respond to cyber attacks when they occur”.
“Measly Apologies and Hollow Words”
Launching the report, Nicky Morgan MP, Chair of the Treasury Committee, said: “Since becoming Chair of the Committee 16 months ago, there have been problems at Equifax, TSB, Visa, Barclays, Cashplus and RBS, to name a few.”
She added: “Millions of customers have been affected by the uncertainty and disruption caused by failures of banking IT systems. Measly apologies and hollow words from financial services institutions will not suffice when consumers aren’t able to access their own money and face delays in paying bills.”
The inquiry also follows a substantial joint discussion paper published by the Bank of England (BoE) alongside the Prudential Regulation Authority and Financial Conduct Authority on approaches to improve the operational resilience of firms and financial market infrastructures (FMIs).
That paper noted that regulators were tightening up: “The supervisory authorities are considering the extent to which they might supplement existing policies to improve the resilience of the system as a whole.”
It added: “They are reviewing existing policies, including those on risk management, outsourcing, controls and communication and business continuity plans, to ensure that these continue to be effective, in light of market and technological developments.”
Mike Walton, CEO of IT monitoring software company Opsview, said in an emailed statement: “With the sector entrusted to manage millions of UK customers’ personal finances, the devastating consequences of customers being unable to access money and make important payments could prove to be highly destructive to banks. Business visibility across the entire IT estate is essential in order to avoid further dreaded IT outages.”