Ulster Bank fined €3.5m for IT failure
12 November 2014 | 0
Ulster Bank has been handed a €3.5 million fine following a major IT outage in 2012, with regulators blaming a failure to manage a technology outsourcing agreement with the Royal Bank of Scotland.
The Central Bank has ruled that the lender lacked adequate IT governance safeguards prior to the systems outage, which resulted from an upgrade to CA7 batch processing software controlled by parent company RBS. The incident left millions of customers across RBS unable to access funds, with Ulster Bank’s 600,000 customers the worst affected, taking four weeks to return all systems to normal.
The bank had previously entered into an outsourcing agreement with RBS in 2005, passing on responsibility for provision of IT services, including IT risk oversight and management.
However, the regulator said that senior management should have retained a full understanding of the IT infrastructure the bank continued to operated on, stating that it had failed to put in place a contingency plans in the event of a major outage at RBS.
“Firms are required to ensure that they maintain robust governance arrangements including, amongst other things, appropriate internal control mechanisms covering all aspects of their operations and infrastructure,” said the Central Bank’s director of enforcement, Derville Rowland.
“While the Central Bank recognises that IT outsourcing is a feature of modern banking business, outsourcing is no defence for regulatory failings.
“Ultimate accountability for compliance remains with firms and they must ensure that they maintain oversight of outsourced activities.”
Following the outage the bank has paid out €59 million in compensation to customers, and recently concluded the separation of batch processing systems for RBS, Natwest, Ulster Bank Northern Ireland and Ulster Bank Republic of Ireland, in order to avoid a repeat of the problems.
However, regulators including the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have widely criticised UK banks for ‘antiquated’ legacy systems, and demanded investment to improve resilience of core systems.
It is expected that a separate FCA investigation into the 2012 RBS outage will result in a fine of tens of millions of pounds.
RBS, which suffered another major outage on the busiest shopping day of 2013, has promised substantial investment in its IT systems to prevent further recurrences.
”For decades, RBS failed to invest properly in its systems,” CEO Ross McEwan said at the time. “We need to put our customers’ needs at the centre of all we do. It will take time, but we are investing heavily in building IT systems our customers can rely on.”
The bank has since undergone a programme of simplification and modernisation of its applications and infrastructure, and announced more recently that it would spend €1.27 billion on improving resiliency and developing digital technologies.
Matthew Finnegan, IDG News Service