RBS gets penalties from the FCA and PRA for not having resilient IT systems and testing procedures in place
RBS has been fined £56 million for an epic IT failure in June 2012 that left millions of customers without access to basic banking services for several days.
The Financial Conduct Authority (FCA) dished out a £42 million fine and the the Bank of England’s Prudential Regulation Authority (PRA) issued a £14 penalty, marking the first time the two authorities have taken joint enforcement action.
The FCA ruled that RBS, NatWest and Ulster Bank had failed to implement “resilient” IT systems that could withstand such a failure – a fault which was compounded by the absence of adequate testing procedures. The incident in question was caused by a software upgrade, a CA7 batch process scheduler, which had not been properly tested and was incompatible with the previous version.
Epic IT fail
This left 6.5 million customers unable to access online banking, receive accurate balances and statements, make payments and get the right amount of interest. Additionally, some organisations were unable to meet their payroll commitments or finalise their audited accounts.
“Modern banking depends on effective, reliable and resilient IT systems. The Banks’ failures meant millions of customers were unable to carry out the banking transactions which keep businesses and people’s everyday lives moving,” says Tracey McDermott, director of enforcement and financial crime at the FCA.
“The problems arose due to failures at many levels within the RBS Group to identify and manage the risks which can flow from disruptive IT incidents and the result was that RBS customers were left exposed to these risks. We expect all firms to focus on how they ensure that they can meet the requirements.”
RBS blamed the incident on human error, while others suggested that outsourcing or the complexity of legacy systems were to blame. An investigation was subsequently launched in April 2013, with the bank agreeing to settle early, thus becoming eligible for a 30 percent discount from the FCA.
Philip Hampton, chairman of RBS, has apologised for the incident and pledged to make the organisation’s IT infrastructure less susceptible to future failures.
“Our IT failure in the summer of 2012 revealed unacceptable weaknesses in our systems and caused significant stress for many of our customers,” he says. “As I did back then, I again want to apologise to all customers in the UK and Ireland that we let down two and a half years ago.
“I am confident that the progress we have made – in increasing the resilience of our I.T. systems through the additional investment of hundreds of millions of pounds and the enhancement of our control structures – has made RBS better able to provide the service our customers expect and deserve. I am also pleased that the regulator acknowledged the steps we took at the time to provide redress to anyone who had lost out as a result of our mistakes.”
A separate investigation in Ireland concerning Ulster Banks activities in the Republic of Ireland also generated a fine of €3.4 million by the Central Bank of Ireland, which also cited concerns about the IT systems in place and the lack of a contingency plan
The various fines add to the £71 million bill incurred by RBS as a result of compensation payments, while the bank has pledged to spend £750 million on IT upgrades by the end of 2015.