Banking glitches trigger UK lawmakers’ call for cloud regulation

British regulators should impose higher levies on banks if they need more resources to prevent major IT glitches and should also consider regulating cloud service providers such as Google and Amazon, UK lawmakers have recommended.

The legal review was launched after a major IT meltdown at TSB, part of Spain's Sabadell, left thousands of customers locked out of their online accounts in April 2018. The botched IT upgrade farrago ultimately led to the resignation of TSB's CEO Paul Pester.

Many of the market-infrastructure and technology services that UK banks use are outsourced to external suppliers. The review said that banks cannot use third-party failures as an excuse when incidents occur, drawing attention to the suppliers of cloud computing.

"The consequences of a major operational incident at a large cloud-service provider, such as Microsoft, Google or Amazon, could be significant," the review said. This, it said, means there is a considerable case for regulating cloud service providers.

With bank branches and cash machines disappearing from UK high streets, more than 70 per cent of adults increasingly rely on digital services, leaving them vulnerable to IT glitches such as those also seen at Barclays and Visa last year, parliament's Treasury Select Committee (TSC) said in its review.

Lawmakers said that while they accept that completely uninterrupted access to banking services is not realistic or achievable, prolonged or regular IT failures are unacceptable.

Steve Baker, who led the review, said that the Financial Conduct Authority and the Bank of England must take action.

"They should increase the financial sector levies if greater resources are required, ensure individuals and firms are held to account for their role in IT failures, and ensure that firms resolve customer complaints and award compensation quickly," Baker said.

IT glitches are often due to changes to Britain's patchwork of ageing legacy payment systems, but firms must not use the cost of upgrades to "cut corners" or as excuses to not make vital upgrades, the review said.

The Bank of England (BoE) has previously proposed setting 'tolerances' for banks to allow them to recover from cyber-attacks and IT disruptions, with targets for maximum allowable outages linked to a combination of appropriate benchmarks such as volume of business and market share.

Britain has already introduced the Senior Managers Regime (SMR) to make named senior officials at financial firms directly accountable for the operations for which they are responsible, so that regulators can take appropriate enforcement action whenever necessary.

Senior officials at market infrastructure firms - for example, payments systems such as Visa, which suffered an outage in 2018 - should also be brought under SMR, the review said, echoing comments last year from the BoE's Financial Policy Committee.

The lawmakers also said that regulators were taking too long to report back on what happened at TSB in April 2018.

Stephen Jones, chief executive of UK Finance, which represents banks and financial firms, said the industry works with regulators to ensure it can respond to any major disruptions or events.

"UK Finance continues to engage with government over how coordination between regulatory authorities could be improved, seeking to avoid overlapped or rushed mandatory change programmes that impact firms' ability to protect their customers," Jones said.

Underscoring the changing face of UK banking, a report issued in July this year from data specialists Caci suggested that mobile banking is expected to overtake high street branches and other forms of internet banking in the UK by 2021.

The pace of change in technology constantly throws up new challenges to established banks. As if the surge in popularity of app-only banks – such as Starling and Monzo – wasn’t enough to contend with, the personal devices used by bank customers can also cause headaches. Last week, some UK banks announced that they were temporarily blocking Samsung Galaxy S10 users from downloading their banking apps in response to security vulnerabilities associated with that device’s fingerprint unlocking system.
