The New Risk – ‘Bank IT’ risk
Having spent my career working in and close to the banking industry, I can only say that, like many others, I have been stunned at the extent of the IT meltdown at RBS. Informed people I know share the view that a meltdown such as this could not have happened ten years ago or longer.
What has changed in the past ten years?
- Many core bank systems were built on mainframe computers in the seventies and eighties. Most of the people who built these systems are now retired or redundant as part of cost saving initiatives.
- Historically the retail branch network formed the main or core system of a clearing bank. This shut down at close of business each day and at weekends, which allowed maintenance and updates to be performed offline.
- Many bank products such as mortgages, credit cards, term deposits and corporate loans were historically housed on separate IT systems so any problems could be isolated without bringing down an entire network.
- The demand from customers for 24-hour instant access to bank systems via ATMs or, more recently, the web places demands on bank systems to operate 24/7 with little margin for error.
- As a result of the automation of many bank functions, many bank staff have never been exposed to the processing of routine bank transactions and fail to understand the fundamental principles of banking. When the computer system failed at RBS, this lack of experience added to the chaos that ensued.
- Dare I say it, but was the cloud a contributing factor?
What can we learn from this? Are banks more vulnerable to a new type of risk – ‘IT risk’ – than we thought, or was this just a flash in the pan? What steps should companies be taking to ensure that there is no repeat of the type of chaos that ensued following the recent RBS IT crash?
The question we need to ask is whether or not we are happy to depend on our main clearing bank provider to also provide sufficient contingency arrangements should its systems fail. This is the current position for most companies, as many RBS Group customers found out to their cost.
If the answer is yes to the above, then we have some hard questions to put to our bank. Look at the existing bank contract and the relevant terms and conditions. Are you satisfied that the bank has appropriate contingency arrangements in place and are these properly explained? Are the bank’s IT operations outsourced? Who is responsible for the contingency arrangements?
We should demand that our bank provides an independent certification of its IT contingency arrangements. The banks should do this in any event.
If the answer is no and we wish to have ownership of our own contingency arrangements, then we have some work to do. I will cover this point of discussion over the next couple of weeks.