
IT and security glitches reported by banks Q2 to Q4 2018

Now that there is a reporting regime in place under which banks must notify the FCA of any major operational or security incidents which affect payment processing, these figures have been collated into a league table by Which, covering the period from 1 April 2018 to the end of the year, at https://www.which.co.uk/news/2019/03/revealed-uk-banks-hit-by-major-it-glitches-every-day/.

Sobering reading, the 302 incidents break down as follows, although there is no indication of relative severity or duration, etc:
Barclays 41
Lloyds Bank 37
Bank of Scotland/Halifax 31
Natwest 26
RBS 21
Ulster 18
Santander 16
TSB 16
Cahoot 15
HSBC UK/First Direct 13
Tesco 12
Co-op 7
Chelsea 6
Smile 6
YBS 6
Coventry 5
Metro 5
Nationwide 5
First Trust Bank 4
M&S 4
Danske Bank 2
BOI (UK) 2
B 1
Clydesdale 1
Monzo 1
Yorkshire Bank 1
Starling 0
Virgin 0
Perhaps unsurprising that newer fintech players fare well, given more modern systems, but CYBG are at the right end of the table too....

Comments

  • HappyHarry
    HappyHarry Posts: 1,813 Forumite
    Tenth Anniversary 1,000 Posts Name Dropper
    Might be useful to provide customer numbers too. Barclays have many more customers than Monzo, so we should expect more issues with Barclays.
    I am an Independent Financial Adviser. Any comments I make here are intended for information / discussion only. Nothing I post here should be construed as advice. If you are looking for individual financial advice, please contact a local Independent Financial Adviser.
  • eskbanker
    eskbanker Posts: 37,227 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    HappyHarry wrote: »
    Might be useful to provide customer numbers too. Barclays have many more customers than Monzo, so we should expect more issues with Barclays.
    Not sure I'd agree with that - I wouldn't expect the occurrence of issues like this to be proportional to size of customer/user base, although the impact would typically vary on that basis.

    Would you anticipate a platform supporting a million users to have ten times as many outages as one used by 100,000, or even twice as many for that matter?
  • HappyHarry
    HappyHarry Posts: 1,813 Forumite
    Tenth Anniversary 1,000 Posts Name Dropper
    It depends what the incident is, and how many customers are affected.

    If this was, for example, a nationwide failure in all processing, then Barclays are clearly the least reliable service, and customer numbers don't matter.

    If the incidents are single transactions where a single customer's account was stopped in error, then customer numbers do matter.

    Unfortunately, the article doesn't give any idea to the scale of these incidents, other than refer to them as "major operational or security incidents which affect payment processing".
    I am an Independent Financial Adviser. Any comments I make here are intended for information / discussion only. Nothing I post here should be construed as advice. If you are looking for individual financial advice, please contact a local Independent Financial Adviser.
  • EachPenny
    EachPenny Posts: 12,239 Forumite
    10,000 Posts Combo Breaker
    eskbanker wrote: »
    Now that there is a reporting regime in place under which banks must notify the FCA of any major operational or security incidents which affect payment processing, these figures have been collated into a league table by Which, covering the period from 1 April 2018 to the end of the year, at https://www.which.co.uk/news/2019/03/revealed-uk-banks-hit-by-major-it-glitches-every-day/.

    Sobering reading, the 302 incidents break down as follows, although there is no indication of relative severity or duration, etc:

    Perhaps unsurprising that newer fintech players fare well, given more modern systems, but CYBG are at the right end of the table too....
    Thanks for this, really interesting information, and useful to point people to when they advocate for a cashless society. :)

    Also interesting to see Virgin had zero IT 'glitches'. I'm not sure some forum members would agree. ;) (admittedly it depends on your definition of 'major')
    "In the future, everyone will be rich for 15 minutes"
  • eskbanker
    eskbanker Posts: 37,227 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    HappyHarry wrote: »
    Unfortunately, the article doesn't give any idea to the scale of these incidents, other than refer to them as "major operational or security incidents which affect payment processing".
    EachPenny wrote: »
    (admittedly it depends on your definition of 'major')
    My understanding is that the major incidents referred to are those specified as notifiable by the FCA via their handbook at https://www.handbook.fca.org.uk/handbook/SUP/15/14.html.

    This in turn refers to EBA-issued guidelines at https://eba.europa.eu/documents/10180/1914076/Guidelines+on+incident+reporting+under+PSD2+%28EBA-GL-2017-10%29.pdf, where the structured reporting criteria on pages 20 to 23 make it very clear that single transactions for single customers wouldn't be regarded as major incidents!
  • HappyHarry
    HappyHarry Posts: 1,813 Forumite
    Tenth Anniversary 1,000 Posts Name Dropper
    In that case, I'll withdraw my objection your honour. ;)
    I am an Independent Financial Adviser. Any comments I make here are intended for information / discussion only. Nothing I post here should be construed as advice. If you are looking for individual financial advice, please contact a local Independent Financial Adviser.
  • Terry_Towelling
    Terry_Towelling Posts: 2,279 Forumite
    1,000 Posts Second Anniversary Name Dropper
    Presumably the figures include IT glitches and security incidents but (without reading any reports) is any distinction made between the two types of incident? For example, TSB only reported 16 incidents but their major IT meltdown was quite something but presumably only counted as one incident despite its huge effects and despite the fact that it reportedly led to many attempted 'attacks' against it.

    I imagine fraud incidents will depend on the 'attractiveness' of the target, how 'hated' that target is and how much there is to be gained from a sustained attack. Getting into an operation with a global presence might offer a much greater prize than some tin-pot operation. It might also be that attacks from overseas are more likely to be aimed at organisations known there.

    Could there also be the possibility that some of those who reported fewer incidents simply didn't know they'd happened (and perhaps still don't) and treated the fall-out as 1st party fraud or some such. The reporting requirements don't seem to see a single attack on one account as an incident but who is to say that multiple 'single' attacks (unreported) weren't the result of a coordinated approach by organised criminals?

    Maybe context is important and maybe the stats really aren't that relevant without it.
  • eskbanker
    eskbanker Posts: 37,227 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    Terry_Towelling wrote: »
    Presumably the figures include IT glitches and security incidents but (without reading any reports) is any distinction made between the two types of incident?
    I don't believe so, the EBA guidance defines operational or security incident as "A singular event or a series of linked events unplanned by the payment service provider which has or will probably have an adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment related services" so is more interested in impact than root cause. "IT glitches" is likely to be dumbed-down journalistic spin applied by the authors of the Which article (albeit echoed in the thread title by the author of this thread :o)!
    Terry_Towelling wrote: »
    Could there also be the possibility that some of those who reported fewer incidents simply didn't know they'd happened (and perhaps still don't) and treated the fall-out as 1st party fraud or some such. The reporting requirements don't seem to see a single attack on one account as an incident but who is to say that multiple 'single' attacks (unreported) weren't the result of a coordinated approach by organised criminals?
    My understanding of such incidents is that by definition they're simply the ones that are noticed and judged to have a visible impact under the above definition, so I'm struggling to visualise the scenario you paint, in the context of major incidents requiring 10-25% (or more) of a bank's customers to be affected.
    Terry_Towelling wrote: »
    Maybe context is important and maybe the stats really aren't that relevant without it.
    I'd agree that some sort of idea of magnitude would paint a more complete picture than simply the number of occurrences, but wouldn't see its absence as rendering the whole thing irrelevant.
  • Terry_Towelling
    Terry_Towelling Posts: 2,279 Forumite
    1,000 Posts Second Anniversary Name Dropper
    Perhaps what might make the headline figures look a bit ridiculous are those of the TSB - 16 incidents. They did quite well by the looks of it - hmmm. Just 1 of those 16 was probably as bad as the rest of the incidents experienced by the entire industry put together.

    The scenario I was trying to paint around the 'visibility/invisibility' of incidents was more along the lines of a hacker gaining access to a bank's systems and then taking funds from multiple accounts in a random way, so as to not be so easily noticed. When individual account holders reported fraud, there would be nothing to link each 'minor' incident to any other and it would be very easy for the bank to say, 'well, either you made the payment or you were careless with your security details.' Either way, nothing would get reported.
  • flo22
    flo22 Posts: 366 Forumite
    Part of the Furniture 100 Posts Name Dropper Combo Breaker
    It looks like those 'glitches' also include planned Operational Outages. The large banks had many Operational Outages to meet the Structural Reform changes therefore I would take those figures with a large pinch of salt as without knowing the context they are misleading.
    30+ years working in banking
This discussion has been closed.