Should banks face heavy fines for IT failures?

Despite the wide adoption of digital banking services in the UK, many providers do not have safeguards in place for when their services go down. A system failure can leave millions of customers in the dark about their finances, unable to check accounts or even complete transactions.

A survey from UK Finance stated that around 48% of British adults were using mobile banking services in 2018, up from 41% in 2017. Given the problems a bank system failure can cause people, last year the UK’s Treasury Committee called for regulators to implement tougher penalties for banks that suffer IT failures.

In recent years, it seems more emphasis is being put on regulators to act as the parent and direct all operations. If there is a problem with a bank, calls are made for regulators to do more to curb it, rather than for the bank to think for itself and act independently. CSS director of cyber IT services EJ Yerzak believes that while more regulatory requirements would help, financial institutions should be doing more anyway. Change management is a simple process which would help banks minimise IT failure occurrences.

Change management can help ease transitions of technology, ensuring that when something new is implemented, there is a backup plan if things go wrong. There are also rollback options which can revert a system back to its former functioning self in case there are unexpected consequences when the change has gone live. Reverting updates could reduce at least some of the IT failures seen in the market.

He said, “While I would not necessarily advocate for fines or penalties for outages, I do believe that financial institutions should be required to have change management procedures in place for software and hardware changes, and that the financial institutions should waive overdraft fees and compensate customers for outages lasting longer than a reasonable time, because the inability to pay one’s bills can lead to significant consequential damages including terminated services and impacts to one’s credit.”

IT failures seem to be becoming a common occurrence. The Treasury Committee’s report claimed the number of these incidents was rising. In 2018, the number of reported cases had increased by 187%, of which 65% were from the retail banking sector. One of the biggest system failures was the TSB scandal back in 2018. When the bank attempted to update its IT systems, thousands of customers couldn’t access their accounts while others could see personal information of other customers. This lasted for weeks. According to an article from the Independent, the fault cost the bank £330m and it lost 80,000 customers.

A more recent instance involved NatWest and RBS during Black Friday, which also happened to be payday for many people. Customers were unable to get on to their accounts to make payments in the sales, send funds or pay their bills. Some people even reported funds simply disappeared when transferring between their savings and current accounts. Revolut also experienced a system outage around the same time which left customers unable to log into their accounts and manage their finances.

These scenarios can cause huge disruptions to people’s daily lives. As a result, the Treasury Committee called for banks, both old and new, to be held to account for failures, potentially through sanctions.

However, the idea of increasing penalties to ensure a bank has strong backup measures is not shared by all. muinmos founder and CEO Remonda Kirketerp-Møller said, “Increasing penalties won’t make financial institutions perform better – you don’t want to cripple the financial services sector. The firms would pass on the fines indirectly to consumers who would end up with worse rates and inferior service. Increased penalties are definitely not the solution, especially not to those firms that genuinely want to comply with the regulation.”

Bombarding the sector with fines might not be the answer, with CSS’ Yerzak agreeing they would not accomplish the goal. Instead, he believes requirements on providing compensation to affected customers would ensure banks take more caution. He said, “If I can’t access cash to pay my mobile phone bill or worse, my mortgage or credit card bills, there is the potential for services to be terminated or interest to accrue. Perhaps banks should not be on the hook for all consequential damages, but certain damages are certainly foreseeable.”

Compensation may get banks thinking about how they can stop failures, but it alone won’t be enough. Yerzak went on to state that preventative measures should be implemented, including periodic audits of policies and procedures, testing and other similar methods. These can find the root problems rather than trying to cover the cracks and paying out fines.

Customers using digital-only banks are at the biggest risk from a system failure. Research from Finder claims 9% of UK residents have an account with a digital-only bank, which means that if its system goes down, they will have no access to funds, leaving them in a precarious position.

Should individuals be held to account?

The UK financial market has taken huge strides towards increasing transparency in companies and the accountability of employees. The Senior Managers and Certification Regime (SM&CR) was implemented earlier this month, furthering this mindset. There are two core principles of the regulation: the first is encouraging a culture of staff taking personal responsibility for their actions, and the second is for a company to be able to pinpoint where responsibilities lie in its operations.

As the industry relies more on artificial intelligence to make decisions, talks have even moved towards whether the technology should be held to account. The exact way this would work is unclear: whether the company is at fault, or the manager of the division, or whether the person who wrote the code is held responsible. It is tough to decide how a technology’s mistake relates to an individual’s role. But if this mentality of holding someone to account for technology errors takes off, could we see the same for IT failures?

If a system goes down, should the IT team face severe consequences, or would that be too harsh to implement? Technology is always bound to make mistakes, and these cannot be predicted by an IT employee. CSS director of cyber IT services EJ Yerzak said, “This is a tough call. In practice, those in IT positions are already held accountable because when a company suffers a data breach, for example, the Chief Information Security Officer is often the first to fall on his or her sword for the company, even if the breach was not the fault of the individual.”

Technology faults are tricky to pin down to someone’s error. While senior management staff can lose their jobs following significant issues, should this be the case if the incident was out of their control? Another issue with putting accountability on IT failures is that people would be less likely to take on the role because of greater job insecurity. muinmos’ founder and CEO Remonda Kirketerp-Møller believes that taking this action would just increase salaries to account for the risk.

Kirketerp-Møller said, “The UK FCA made approved individuals including compliance officers accountable for lack of fitness/propriety failures in the financial sector; Compliance Officers for example can get struck off and/or fined for errors, which I don’t agree with at all. It has pushed salaries up but hasn’t resulted in firms attracting better candidates or being better at compliance.

“Making individuals accountable for failures is not the solution. The key thing is for organisations to ensure that their employees are properly trained, have the right fitness and right skills to do their job effectively.”

Copyright © 2020 FinTech Global
