Business

Policy

Brit banks must disclose outages via API, decrees finance watchdog

Perhaps TSB's total s*itshow wasn't in vain

By Gareth Corfield

26 SHARE

The Financial Conduct Authority (FCA) is enforcing new rules that obligate banks to publicly reveal the number and frequency of online outages – including whether these were caused by malicious actors.

Billed as part of consumer-friendly changes to the small print for online banking services, new rules from the FCA and the Competition and Markets Authority will make financial institutions proactively reveal how often they have had to report “major operational and security incidents”.

The move was telegraphed by the FCA over the past few months, having begun with the TSB fiasco in April.

Banks will have to “publish the information on their websites in a consistent format” according to the FCA, while big banks will be expected to dish it up via an API compliant with the Open Banking Standards specs.

A quick squint at the Bank of Scotland’s OBS API (other flavours of moneymen are available) reveals four public incident reporting metrics are currently in use: “total number of incidents reported”; “incidents affecting telephone banking”; “incidents affecting mobile banking”; and “incidents affecting internet banking”.

The latter is likely to be of most interest to infosec-minded folk, as well as uncharitable techies wanting to exercise a little schadenfreude. (yes, you, Reg readers)

The FCA’s master list of banks’ APIs can be found on its website.

“More than any other industry, banks still contain a mix of archaic legacy systems, new cloud platforms, and yet are under pressure to accelerate their software development to combat the threat of their ‘digital-first’ competitors,” opined Dave Anderson, a marketing bod from API-making biz Dynatrace, in a canned quote.

Another marketer, Andrew Stevens of customer service biz Quadient, gravely intoned: “Banks should see this as an opportunity to improve their relationship with customers. By opening up a conversation and being clear about any disruptions to service, internal changes, or even changes to accounts will go a long way in positioning the bank as a trusted provider which cares about its customers..”

Small comfort for folk who were locked out of their TSB accounts earlier this year. Still, better to bolt the stable door before the rest of the herd make a dash for it. ®

Sign up to our NewsletterGet IT in your inbox daily

26 Comments

Keep Reading

2015-member database floats off through breach in Royal Yachting Association's hull

Change your passwords, ye scurvy-free non-landlubbers

Man arrested over UK's Lancaster University data breach hack allegations

Updated 25-year-old Bradfordian cuffed by NCA over '20k' records breach

At the Supreme Court, Morrisons pops data breach liability win into its trolley – but it's not a get-out-of-compo free card for businesses

Vicarious liability now applies to intentional leaks, top court says

Lancaster Uni data breach hits at least 12,500 wannabe students

Must have been the cyber security course's day off

ICO, forgive me – it has been three weeks since I discovered my breach

Businesses slow to detect, report data leaks pre-GDPR

UK public sector IT chiefs shrug off breach threats: The data we hold isn't that important

Are you for real? splutters surveyor Sophos

UK Info Commish quietly urged court to swat away 100k Morrisons data breach sueball

Supermarket says it's innocent and we don't need more than that, ICO told judges

Wide of the net: Football Association of Ireland says player, manager data safe after breach

It was a game of two halves

MI5 slapped on the wrist for 'serious' surveillance data breach

Auditors poked around for a week after too many Peeping Toms had a trawl

Adidas US breach may have exposed millions of customers' personal info

Three stripes and you're out

Tech Resources

A Step-by-Step Guide to Building a Scalable Vendor Onboarding Process

Vendors are at the heart of many companies’ processes and activities, and their numbers are increasing. In fact, according to a recent study by the Ponemon Institute, the average number of third parties employed by companies rose from 378 in 2016 to 588 in 2018.

Endpoint Protection Buyers Guide

According to the 2018 SANS Endpoint Security Survey, more than 80 percent of known breaches involve an endpoint.

A Definitive Guide to Understanding and Meeting the CIS Critical Security Controls

The CIS Critical Security Controls are the industry standard for good security. Are you up to par?

The Data-Driven Case for CI

What does a high performing technology delivery team look like? How do you know if your team is doing well?