RBS Mainframe Meltdown: A year on, the fallout is still coming

When the totally brand new kit comes on ... what do you think will happen?

Regulator pass the parcel

The former Financial Services Authority (FSA) chairman Lord Adair Turner told Tyrie of the Treasury Select Committee that he wanted a full independent review to establish what had gone wrong at RBS and to “provide an assessment of the consequences and the subsequent management of the IT failure.”

“On receipt of the independent review, we will consider whether further regulator action is required,” Turner wrote to Tyrie.

The FSA no longer exists, and its responsibilities have passed to the Financial Conduct Authority (FCA) and the Prudential Regulatory Authority (PRA), with the job of digging to the bottom of what really happened at RBS falling to the FCA. In April the FCA said it had started to conduct an enforcement investigation into the crisis.

“The FCA will reach its conclusions in due course and decide whether or not enforcement action should follow that investigation,” the body said in a statement.

Should the FCA’s investigation throw up anything more than a one-off systems failure, then there’s every chance the fallout from RBS could settle on other banks, too.

There are three possible outcomes from the FCA’s investigation: it might take no further action, it could fine RBS, or it may propose regulation that would be enforced by the PRA. The latter would happen if the RBS crash was caused by failures in the technology, risk management, disaster recovery or outsourcing present inside other banks and lenders.

Since RBS went titsup there have been at least two more outages attributed to IT problems: up to 22 million customers of Lloyds Banking Group - which includes Halifax and the Bank of Scotland - were unable to use cash machines, debit cards or connect to their accounts via the web in October 2012. Up to 2.4 million customers of Co-op Bank were also blocked from accounts. And it doesn’t just happen in the UK: technical issues in December 2011 took out ATMs, retail points of sale and telephone banking systems for Commonwealth Bank Australia.

Chris Skinner, chairman of banking and financial services networking group the FSClub, tells The Reg:

“The problem is that most financial institutions are hamstrung by their heritage – the mainframe,” Skinner says. “We are seeing more outages because technology’s part in banking and finance is becoming more common.”

Skinner has spoken out on banks running IT systems that he says are no longer fit for purpose. Most problems are relatively small – resulting in outages of just a few hours as in the case of Lloyds and Co-op – and are often down to upgrades to the old systems that aren’t applied properly.

But there’s a growing awareness of a need to overhaul IT to avoid becoming the next RBS and – also – to dodge regulation. “Banks are under pressure to keep up with the speed of technology change,” Skinner said. “Every bank I know has been through a core system replacement or is undergoing one.”

If regulation is mandated then don’t expect a quick fix. Unlike, say, the nuclear or airline industries, where accidents have led to investigations that have produced operation and safety standards, similar standards in financial systems will be difficult because of a fundamental refusal to share information.

Financial services is a competitive sector while IT systems are varied and valued, so it’s unlikely companies will volunteer the kinds of performance data, risk assessment or outage information that will be considered necessary to help regulators impose standards or force change. They will fear ceding competitive advantage should they reveal what they’re running and where they are exposed.

Dave Cliff, a contributor to last year’s Government Office for Science report on the Future of Computer Trading in Financial Markets, told us policy makers are already several steps behind the markets because there’s not enough raw data to inform their decisions.

Cliff was talking about financial markets’ increasing reliance on High-Frequency Trading (HFT) - a system of trading dependent on algorithms that execute at millisecond speeds. It is suspected that HFT has been responsible for exaggerating wild market swings, and it certainly led to the downfall of Knight Capital Group in August 2012. Knight lost more than $450m after a trading algorithm it had used bought and sold shares at the wrong prices before it was noticed or could be stopped. Knight was sold to Getco as a result of the crippling loss. But when it comes to HFT, the hedge funds and traders who write and employ them don’t like to disclose their algorithms or the special systems running them.

That might just be HFT, but retail banks are equally coy.

“Something that’s a major systemic issue when we talked about what happened at Knight Capital and RBS is we are just recycling stories we heard over coffee or in a bar,” Cliff told The Reg. “That’s the difference between companies in banking and other advanced areas where computer technology creates risks and where you have advanced legislation.

“If an accident occurs - like a plane crash - there is a very detailed inquiry where all the participants are required by law to disclose all the information the investigators want.”

A year on, RBS has committed millions of pounds to a new mainframe and disaster recovery to avoid a repeat of last year’s disaster, but new hardware alone will be insufficient if the bank has not changed the people, software or the processes that saw millions of customers locked out of their accounts.

And, with regulators only just warming up and unlikely to get the information they need to force a meaningful or deep change, we should expect more account outages thanks to our banks' faulty computers. ®
