Banks publish data on operational and security incidents

Out-Law News | 01 Mar 2019 | 11:02 am | 3 min. read

UK banks had to handle hundreds of major operational and security incidents in the final nine months of 2018, according to newly published data.

According to analysis by as many as 219 individual major operational and security incidents affected payment services at banks and building societies between 1 April and 31 December last year. looked at the latest set of data disclosed by the banks earlier this month which concern major operational and security incidents the firms are obliged to report to the Financial Conduct Authority (FCA) under the revised Payment Services Directive (PSD2). The data disclosed concerns incidents affecting either personal or business current accounts.

Where institutions provide both personal and business current account services the number of incidents they have notified to the FCA are in almost every case the same figure, indicating that incidents that affect one of the services also disrupt the other. Where there are differences, and for the purposes of analysis, has considered the largest of figures recorded for each bank.

In addition, to avoid potential double counting of incidents, has considered only the highest figures reported for each banking group where more than one brand falls under the group.

According to the figures, disruption to payment services is generally more common at the incumbent institutions than at so-called 'challenger' banks. Both Virgin Money and Starling Bank reported no incidents at all during the period.

It is unclear from the figures whether the 219 incidents we identified were independent of one another or whether some of those incidents affected payment services across different banking groups.

A spokesperson for trade body UK Finance said: "The banking industry is committed to providing the best possible service, ensuring customers are able to access and manage their money. When incidents do occur, firms work around the clock to minimise disruption and get services back up and running as quickly as possible."

"Operational resilience is crucial in a modern financial system and is a key priority for the industry. UK Finance members continue to invest billions to ensure systems, human and digital, are robust and secure. The industry has made significant advances in recent years, with digital innovation transforming the way money is managed, providing 24/7 access to payment systems, enhanced network capabilities and extended access through its partnership with the Post Office, increasing the range of options through which customers can conduct their day to day banking. This greater choice and reach of service channels helps provide better back-up for customers if an incident temporarily disrupts service somewhere in the network," they said.

"We will continue to work closely with regulators, government and industry to protect the UK’s financial system, institutions and customers," the spokesperson said.

A prominent committee of MPs at the UK parliament opened an inquiry to look at the common causes of bank IT problems and their impact on consumers back in November last year. The Treasury Committee said at the time that it would look at a wide range of issues, including the reliance on legacy IT systems, the impact of outsourcing, and IT risks which stem from mergers and acquisitions, as part of its inquiry.

"Banks continue to make substantial investment in system upgrades to mitigate against the risk of outages and the risks associated with legacy systems," said financial services and technology law expert Yvonne Dunn of Pinsent Masons, the law firm behind "This kind of investment is also essential to ensure they remain competitive in today’s fast-paced environment. Banks are also addressing the challenges of legacy systems by moving to the cloud, which can often represent a more flexible, scalable solution. Our experience is that momentum is building towards cloud-based solutions and regulators have reaffirmed that they do not intend there to be barriers for banks who wish to move to the cloud."

According to FCA data, also published in November last year, there were a total of 646 technology or cyber related incidents reported to the regulator between October 2017 and September 2018. Of that number, more than half – 336 incidents – were reported by businesses subject to PSD2 since the incident reporting requirements under the new framework took effect in January 2018.

The FCA said that the root cause of 91 of the incidents reported was "change management", with third party failure, a software or application failure, or cyber attack the next most common causes of incidents.

The FCA said at the time that "evidence suggests" that firms that are not subject to the incident reporting requirement under PSD2 "are under reporting" the major technology outages and cyber attacks they experience. It reminded firms "of their obligations to report".

"We expect firms to report major technology outages and cyber attacks to the FCA," it said.