IT breakdowns are a continuing problem for the banking world, with data breaches becoming commonplace. Evie Rusman looks at the impact of these breakdowns and speaks to experts on the potential risks.
Recent figures, published by the BBC, demonstrate that major banks generally suffer 10 digital banking shutdowns per month. This has put pressure on banks to get informed and become more transparent about security incidents.
Barclays topped the list for the highest number of outages in the 12 months to the end of June this year, reporting 33 incidents in total.
Other banks that placed high in the list include NatWest with 25 outages, Lloyds with 23 and RBS with 22.
These outages have come at a time when customers' worry about data breaches is at an all-time high. Customers and consumers are becoming increasingly aware of the potential risks surrounding these breakdowns, leading many of them to feel angry.
Why are these breakdowns happening?
Breakdowns tend to leave customers feeling frustrated and can lead to a lack of trust in banks. Additionally, there is little information about the reasons behind these outages.
Mark Gunning, Global Business Solutions Director at Temenos, tells RBI that these continuing breakdowns could be due to difficulties in old software.
He says: “These outages are often as a result of banks using older legacy, probably ‘one off’ software. Often, banks use software that is around 30 or 40 years old, and so outages are often to do with this complex, legacy environment.
“This type of software leads to operational risks because if one moving part goes wrong the whole system can be affected.”
Are banks doing enough?
As outages continue to take place, banks have faced criticism for not taking the necessary precautions to prevent these breakdowns.
Speaking to RBI, Allyson Stewart-Allen, international business advisor and CEO of International Marketing Partners, explains how banks could be doing more to tackle these breakdowns.
Stewart-Allen has also worked with a number of banks, including HSBC and NatWest, to help them with various issues such as corporate accounts and US/UK referrals.
She says: “Banks are not doing enough to avoid IT breakdowns. I say that because the literacy around IT and data breaches of boards of directors is generally low.
“And because of that, that vulnerability means the board is not informed properly and therefore is not paying attention to the extent that a board with IT literacy and data literacy would. It is clear to see no bank or institution has got this right because the data breaches are continuing.”
On the other hand, Gunning suggests that less blame should be placed on the banks themselves and more on software.
He says: “I think banks invest very heavily in preventing breakdowns, and the fact that they still happen I don’t think is from lack of will to stop them.
“Ultimately, I think banks take them extremely seriously but they occur because with complex legacy software, it is very difficult to keep running, and so it is a challenge for them.”
What are the risks?
IT breakdowns carry risks in terms of both finance and data security. As IT shutdowns become commonplace, the threats are growing worse.
So, what are the dangers? Stewart-Allen highlights how banks could suffer both reputational and financial issues as a result.
She says: “There is financial risk with these breakdowns because there will be recovery costs to rebuilding IT systems so there is a cost to correcting the problem. The biggest cost, besides financial and possibly bigger, is reputation because trust will be lost.”
Stewart-Allen refers to the 2017 Equifax data breach in America, when millions of customers’ personal data was stolen by hackers. She says that the breach has been very damaging and that Equifax has still not recovered from it in terms of its reputation.
Similarly, Gunning emphasises the importance of trust between banks and their customers and explains how a damaged reputation can lead to wider issues.
He says: “The thing about banking is that it is in the business of trust. The reasons why banks are so important to society and the reasons why they are so highly regulated is because there are few institutions that people trust to have their money.
“So, the outages for a bank are more serious because the reputational risk is much higher than it is for most other institutions.”
Gunning also says that the reason regulators are continually interested in outages is because the lack of trust in banks can have a systemic effect on the economy as well as society. He says this was the case during the financial crisis in 2008.
Banks need to be more transparent
With the rise of social media, banks have been forced to become more transparent about security issues as customers are able to more easily criticise them.
Stewart-Allen says: “I think the industry can’t help becoming more transparent but it’s not through choice. Banks are becoming transparent because the rest of us are tweeting and using social media such as Instagram and LinkedIn which has put them under the microscope more than ever before.
“That’s not going to go away. So defensiveness is not the answer, communication and openness is. Banks need to field the right executives to communicate on behalf of their businesses. They can’t use robots or corporate beasts who just say what the lawyers tell them to.”
The solutions
Stewart-Allen stresses the importance of banks putting the necessary measures in place to be able to deal with breakdowns. She believes banks should focus on being better educated to deal with these problems, as well as being honest with their customers.
“Firstly, banks need to ensure their board of directors are trained in understanding the data risks ahead of the company and put in place mitigating plans to minimise those risks. I would say currently, people do not have a good handle on those risks generally,” she adds.
“I think financial institutions need to be even smarter, even more alert and even more conscientious by creating a culture that allows questioning and challenging while raising the literacy level.”
She also says financial groups must have a crisis plan already in place for any eventuality when there is a data breach.
“The third thing banks need to do is to have absolute clarity about what course of action they are going to take. This is because lack of clarity can be a trust destroyer for customers and consumers,” she says.
Alternatively, Gunning explains how newer software could be the answer banks have been looking for.
“We think a solution to these outages is for banks to invest in newer software,” he adds. “The world of modern, cloud-native, cloud-agnostic software is properly supplied as a package by companies like us. It has to be the future for banks in order for them to move forward.
“The way to reduce operational risks and outages is to move towards that modern, very advanced software. One of the constraints of banks is its legacy software. It’s expensive and it’s slow to change which means the customer is probably not getting the best digital experience.”
What do the regulators have to say?
In 2018, the Financial Conduct Authority (FCA) made it compulsory for banks to publish information about the number of major operational and security incidents they have experienced.
A spokesperson for the FCA tells RBI: “Mandatory incident reporting allows the FCA to ensure harm is prevented or reduced through our engagement with the affected firm in the immediate term.
“In the long term, insights from incidents allow us to understand trends, threats, and vulnerabilities, and feed these back to industry.
“Incident data means we can see trends in where firms have common issues and where we may need to take action, or ask firms to take action.”
The spokesperson also says that the FCA expects firms to take responsibility for and address the harm caused by operational incidents, in particular where operational incidents affect vulnerable customers.
“Over time, we want to see outage times reduce, and clear and effective consumer communications following incidents, as well as resilience of firms’ business services,” adds the spokesperson.
How are banks being assessed?
The FCA is currently using a combination of supervisory tools to assess how banks are maintaining their operational resilience.
The spokesperson tells RBI: “Our proactive supervisory work includes assessments of the highest impact firms’ technology and cyber resilience. This work, along with the insights we can take from reported incidents, helps us identify specific areas of weakness and strength, and to monitor sector specific trends.”
In 2018, the FCA took the unusual step, given TSC and public interest, of publicly confirming that it was investigating TSB Bank in relation to the migration incidents.