
RBS, NatWest and Ulster Bank fined for IT resilience failures

The UK Financial Conduct Authority (FCA) has fined the Royal Bank of Scotland Plc, National Westminster Bank Plc and Ulster Bank Ltd £42 million for IT-related resilience failures which occurred in June 2012 and meant that the banks’ customers could not access banking services for an extended period of time.

The FCA states that it “has taken this action against the banks for failing to put in place resilient IT systems which could withstand, or minimise the risk of, IT failures.”

The IT failure affected over 6.5 million customers in the United Kingdom for several weeks.

The FCA found that the banks did not have adequate systems and controls to identify and manage their exposure to IT risks. In particular:

  • There were inadequate testing procedures for managing changes to software;
  • The risks related to the design of the software system that ran the updates to customers’ accounts were not identified;
  • The IT risk appetite and policy were too limited: they should have had a much greater focus on designing systems to withstand or minimise the effect of a disruptive incident.

The incident was not the result of the banks’ failure to make a sufficient investment in their IT infrastructure. The RBS Group spends over £1 billion annually to maintain IT infrastructure.

The FCA acknowledges that since the IT Incident the banks have taken significant steps to address the failings in their IT systems and controls.

Today’s fine is the first time the FCA and the Prudential Regulation Authority (PRA) have taken joint enforcement action. The PRA has fined the banks £14 million.

The FCA also states that the decision to fine the banks “reflects the FCA’s commitment to ensuring that banks make the cultural shift away from business continuity (recovering from disruptive events) to resilience (ensuring that the banking activities most critical to customers can withstand the effect of disruptive events like software and other IT failures).”

Reader comments

Businesses across the UK should look at today's FCA sanction against RBS and feel a chill up their spines. The most striking comment made by the FCA is its commitment to ensuring banks shift away from recovering from disruptive events to resilience, where systems can withstand risks. This requires a totally different mind-set, not just from the banks but from the boards of most British businesses. Our experience suggests that most businesses would be unable to recover in anywhere near the time that would be expected of them by regulators or their customers. The sheer complexity of modern IT, with the addition of mobile and interdependent applications all accessing huge volumes of data, requires a commitment from firms to continual risk assessment and annual testing of IT and business recovery plans that goes far beyond what most organizations currently undertake.

Mike Osborne, Managing Director, Business Continuity, Phoenix IT


Date: 20th November 2014 • Region: UK • Type: Article • Topic: Financial sector BC
