Brit banks told to publish details of major incidents that stop punters' payments

Bad news for regular TITSUP* offenders, good news for consumer choice

Banks will have to publish details of incidents that stop people using their payment services under new rules proposed by the UK's Financial Conduct Authority.

The move is part of attempts to give Brits more information on the resilience of the services touted by banks, and help them better choose where to put their cash.

As of August 2018, banks have to clearly set out how many incidents prevented customers from using payment services, over both a three- and 12-month period.

They will also have to break this down by telephone, mobile and internet banking, but security incidents will not be identified separately from operational ones.

“We believe that major operational and security incidents taken together are a reasonable proxy for the resilience of firms’ systems and controls, and in practice they are often closely related,” the FCA said.

The metric will be based on major incidents reported to the regulator, as required under the European Union's Second Payment Services Directive (PSD2).

Most respondents to a consultation [PDF] on the proposals – including some firms, consumer groups and trade bodies – said they supported the publication of a metric based on PSD2 major incident reports.

A “small number of firms”, though, did not agree, saying that such a metric might encourage hackers to target weaker firms.

Others questioned whether it would “add significantly” to the information customers see reported in the media (certainly Reg readers are kept up to date on the oh-so-regular banking TITSUPs).

But the FCA pointed out that – although it recognised the power of large-scale media coverage – it wasn’t the most consistent or reliable way to provide people with crucial service information.

“We consider that the number of major incidents reported to the regulator provides a more consistent and systematic basis for comparison between firms,” the FCA said.

Others suggested providing stats on customer access to current accounts, such as percentage availability, but the FCA said this was unlikely to be consistent enough across providers.

The change comes as the FCA revealed it suspects that banks are being coy about the level of cyber attacks levelled against them.

“Our suspicion is that there’s currently a material under-reporting of successful cyber attacks in the financial sector,” the FCA’s Megan Butler said at a conference earlier this month.

“Certainly the number of breaches relayed back to us looks modest when you set it against the number of attacks on the industry.”

She emphasised that the FCA expected banks to deal with the authority “in an open, transparent manner” and that it is “essential we know about breaches in real time”.

Butler also urged banks to ensure they know what data they hold, can manage the risks related to it and ensure they have proper responses planned for cyber attacks. ®

* TITSUP: Total Inability To Support User Payments