Royal Bank of Scotland has been told by regulators to pay £56m in fines for an IT meltdown that affected 1 in 10 of the population, and locked a small number of people out of their accounts for weeks.
The bank has already shelled out just over £70m in compensation to customers of RBS, NatWest and Ulster bank – all part of the same group – working out at under £11 per person.
Although not all the 6.5 million affected customers suffered financial loss as a result of the computer failure in 2012, so did not require compensation, millions did suffer as a result of being unable to carry out banking transactions. Some were unable to make mortgage payments on time, some were left without cash in foreign countries. Incorrect credit and debit interest was applied to accounts, producing inaccurate bank statements. Some organisations were unable to meet payroll commitments or even to finalise their audited accounts.
The fine would have been £80m had the 80 per cent taxpayer-owned bank not accepted the Financial Conduct Authority’s charges and agreed to settle early. A fine of £42m was levied by the FCA, with a further £14m from the Prudential Regulation Authority (PRA). It is their first joint action.
RBS has since said it is ploughing £750m into upgrading its IT, but Tracey McDermott, head of enforcement at the FCA, said: “The banks’ failures meant millions of customers were unable to carry out the transactions which keep businesses and people’s everyday lives moving. The problems arose due to failures at many levels within the RBS group to identify and manage the risks which can flow from disruptive IT incidents.”
Up to 635 systems at RBS were hit by the meltdown, caused by a software upgrade that was uninstalled when problems occurred – without thought being given to the consequences.
Sir Philip Hampton, chairman of RBS, issued yet another apology to customers, saying: “Our IT failure in the summer of 2012 revealed unacceptable weaknesses in our systems and caused significant stress for many of our customers.”
Andrew Bailey, Deputy Governor of the Bank of England and head of the PRA, talked of “a very poor legacy of IT resilience and inadequate management of IT risks”.
He said: “It is crucial that RBS, NatWest and Ulster bank fix the underlying problems that have been identified to avoid threatening the safety and soundness of the banks.”
The FCA and the PRA have since written to the chairmen of all the big UK banks asking them to ensure that their IT systems’ risk management is solid and that boards have formally assessed this.
The FCA has told banks to make sure such events do not affect customers in the future. It said the IT failure was down to weaknesses in RBS’s controls of IT risk.
RBS was fined £2.7m by the central Irish bank last week for the failures at Ulster bank. It has set aside £125m to cover compensation and fines.
Dan Hooper, director of Piccadilly Group, which specialises in testing banking systems, said: “Poor controls and inadequate software testing of systems play a major factor in the rise of failures. Trying to engineer out such an error is incredibly complicated, which is why prevention, rather than cure, should be the focus among the banks.”