We'd like to remind Forumites to please avoid political debate on the Forum... Read More »
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
IT and security glitches reported by banks Q2 to Q4 2018
Options
eskbanker
Posts: 37,227 Forumite
Now that there is a reporting regime in place under which banks must notify the FCA of any major operational or security incidents which affect payment processing, these figures have been collated into a league table by Which, covering the period from 1 April 2018 to the end of the year, at https://www.which.co.uk/news/2019/03/revealed-uk-banks-hit-by-major-it-glitches-every-day/.
Sobering reading, the 302 incidents break down as follows, although there is no indication of relative severity or duration, etc:
Sobering reading, the 302 incidents break down as follows, although there is no indication of relative severity or duration, etc:
Perhaps unsurprising that newer fintech players fare well, given more modern systems, but CYBG are at the right end of the table too....Barclays 41
Lloyds Bank 37
Bank of Scotland/Halifax 31
Natwest 26
RBS 21
Ulster 18
Santander 16
TSB 16
Cahoot 15
HSBC UK/First Direct 13
Tesco 12
Co-op 7
Chelsea 6
Smile 6
YBS 6
Coventry 5
Metro 5
Nationwide 5
First Trust Bank 4
M&S 4
Danske Bank 2
BOI (UK) 2
B 1
Clysedale 1
Monzo 1
Yorkshire Bank 1
Starling 0
Virgin 0
0
Comments
-
Might be useful to provide customer numbers too. Barclays have many more customers than Monzo, so we should expect more issues with Barclays.I am an Independent Financial Adviser. Any comments I make here are intended for information / discussion only. Nothing I post here should be construed as advice. If you are looking for individual financial advice, please contact a local Independent Financial Adviser.0
-
Not sure I'd agree with that - I wouldn't expect the occurrence of issues like this to be proportional to size of customer/user base, although the impact would typically vary on that basis.HappyHarry wrote: »Might be useful to provide customer numbers too. Barclays have many more customers than Monzo, so we should expect more issues with Barclays.
Would you anticipate a platform supporting a million users to have ten times as many outages as one used by 100,000, or even twice as many for that matter?0 -
It depends what the incident is, and how many customers are affected.
If this was, for example, a nationwide failure in all processing, then Barclays are clearly the least reliable service, and cutomer numbers don't matter.
If the incidents are single transactions where a single customer's account was stopped in error, then customer numbers do matter
Unfortunately, the article doesn't give any idea to the scale of these incidents, other than refer to them as "major operational or security incidents which affect payment processing".I am an Independent Financial Adviser. Any comments I make here are intended for information / discussion only. Nothing I post here should be construed as advice. If you are looking for individual financial advice, please contact a local Independent Financial Adviser.0 -
Thanks for this, really interesting information, and useful to point people to when they advocate for a cashless society.Now that there is a reporting regime in place under which banks must notify the FCA of any major operational or security incidents which affect payment processing, these figures have been collated into a league table by Which, covering the period from 1 April 2018 to the end of the year, at https://www.which.co.uk/news/2019/03/revealed-uk-banks-hit-by-major-it-glitches-every-day/.
Sobering reading, the 302 incidents break down as follows, although there is no indication of relative severity or duration, etc:Perhaps unsurprising that newer fintech players fare well, given more modern systems, but CYBG are at the right end of the table too....
Also interesting to see Virgin had zero IT 'glitches'. I'm not sure some forum members would agree.
(admittedly it depends on your definition of 'major') "In the future, everyone will be rich for 15 minutes"0 -
HappyHarry wrote: »Unfortunately, the article doesn't give any idea to the scale of these incidents, other than refer to them as "major operational or security incidents which affect payment processing".
My understanding is that the major incidents referred to are those specified as notifiable by the FCA via their handbook at https://www.handbook.fca.org.uk/handbook/SUP/15/14.html.(admittedly it depends on your definition of 'major')
This in turn refers to EBA-issued guidelines at https://eba.europa.eu/documents/10180/1914076/Guidelines+on+incident+reporting+under+PSD2+%28EBA-GL-2017-10%29.pdf, where the structured reporting criteria on pages 20 to 23 make it very clear that single transactions for single customers wouldn't be regarded as major incidents!0 -
In that case, I'll withdraw my objection your honour. I am an Independent Financial Adviser. Any comments I make here are intended for information / discussion only. Nothing I post here should be construed as advice. If you are looking for individual financial advice, please contact a local Independent Financial Adviser.0
-
Presumably the figures include IT glitches and security incidents but (without reading any reports) is any distinction made between the two types of incident? For example, TSB only reported 16 incidents but their major IT meltdown was quite something but presumably only counted as one incident despite its huge effects and despite the fact that it reportedly led to many attempted 'attacks' against it.
I imagine fraud incidents will depend on the 'attractiveness' of the target, how 'hated' that target is and how much there is to be gained from a sustained attack. Getting into an operation with a global presence might offer a much greater prize than some tin-pot operation. It might also be that attacks from overseas are more likely to be aimed at organisations known there.
Could there also be the possibility that some of those who reported fewer incidents simply didn't know they'd happened (and perhaps still don't) and treated the fall-out as 1st party fraud or some such. The reporting requirements don't seem to see a single attack on one account as an incident but who is to say that multiple 'single' attacks (unreported) weren't the result of a coordinated approach by organised criminals?
Maybe context is important and maybe the stats really aren't that relevant without it.0 -
I don't believe so, the EBA guidance defines operational or security incident as "A singular event or a series of linked events unplanned by the payment service provider which has or will probably have an adverse impact on the integrity, availability,Terry_Towelling wrote: »Presumably the figures include IT glitches and security incidents but (without reading any reports) is any distinction made between the two types of incident?
confidentiality, authenticity and/or continuity of payment related services" so is more interested in impact than root cause. "IT glitches" is likely to be dumbed-down journalistic spin applied by the authors of the Which article (albeit echoed in the thread title by the author of this thread
)!
My understanding of such incidents is that by definition they're simply the ones that are noticed and judged to have a visible impact under the above definition, so I'm struggling to visualise the scenario you paint, in the context of major incidents requiring 10-25% (or more) of a bank's customers to be affected.Terry_Towelling wrote: »Could there also be the possibility that some of those who reported fewer incidents simply didn't know they'd happened (and perhaps still don't) and treated the fall-out as 1st party fraud or some such. The reporting requirements don't seem to see a single attack on one account as an incident but who is to say that multiple 'single' attacks (unreported) weren't the result of a coordinated approach by organised criminals?
I'd agree that some sort of idea of magnitude would paint a more complete picture than simply the number of occurrences, but wouldn't see its absence as rendering the whole thing irrelevant.Terry_Towelling wrote: »Maybe context is important and maybe the stats really aren't that relevant without it.0 -
Perhaps what might make the headline figures look a bit ridiculous are those of the TSB - 16 incidents. They did quite well by the looks of it - hmmm. Just 1 of those 16 was probably as bad as the rest of the incidents experienced by the entire industry put together.
The scenario I was trying to paint around the 'visibility/invisibility' of incidents was more along the lines of a hacker gaining access to a bank's systems and then taking funds from multiple accounts in a random way, so as to not be so easily noticed. When individual account holders reported fraud, there would be nothing to link each 'minor' incident to any other and it would be very easy for the bank to say, 'well, either you made the payment or you were careless with your security details.' Either way, nothing would get reported.0 -
It looks like those 'glitches' also include planned Operational Outages. The large banks had many Operational Outages to meet the Structural Reform changes therefore I would take those figures with a large pinch of salt as without knowing the context they are misleading.30+ years working in banking0
This discussion has been closed.
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 351.1K Banking & Borrowing
- 253.2K Reduce Debt & Boost Income
- 453.6K Spending & Discounts
- 244.1K Work, Benefits & Business
- 599.1K Mortgages, Homes & Bills
- 177K Life & Family
- 257.4K Travel & Transport
- 1.5M Hobbies & Leisure
- 16.1K Discuss & Feedback
- 37.6K Read-Only Boards