Banks’ “disregard” for software standards causing rise in IT outages

A “widespread disregard” for software best practice has seen Lloyds Banking Group join TSB and Visa on the list of prominent financial services firms to experience IT outages in recent times.

System issues left Lloyds Banking Group unable to process around 400,000 payments last week, across its Halifax, Lloyds Bank, and Bank of Scotland brands. The group placed the blame on UK processor Faster Payments, according to an internal memo seen by the Financial Times, and cautioned that customers should not attempt to re-send payments in case duplicates occurred.

Lev Lesokhin, SVP of strategy and analytics at software intelligence firm CAST, says that “a lack of focus on maintaining application robustness” while attempting systems modernization, as well as a “widespread disregard” for software best practice, has led to multiple banks experiencing IT outages in the past 12 months.

“The reputational damage incurred and potential hit to revenues do not seem to be motivation enough for UK banks to take action. But without taking action soon, these banks will find their systems completely laden with technical debt and architectural complexity that just becomes impossible to change,” adds Lesokhin.

PaymentEye contacted Lloyds for comment but did not receive a reply at the time of publication.

The UK’s Financial Conduct Authority (FCA) reported a 187% increase in technology outage reports from the financial services sector in 2018. Firms indicated problems with protecting key assets, information sharing and IT change management. The latter was involved in 91 systems outages in 2018, according to the FCA, while 67 were the result of software or application failure. 60 incidents were caused by direct cyberattack.

“It’s not surprising to see the FCA’s stats,” says Lesokhin. “Banks have massive amounts of legacy technology that must be modernized if they are to become digital institutions that support consumers’ demands to bank anywhere, anytime.”

In a November 2018 speech, the FCA’s executive director for supervision, Megan Butler, said there was “no immediate end in sight to the escalation in tech and cyber incidents that are affecting UK financial services.

“You won’t be surprised to hear me say that the FCA is deeply concerned that the number of technology incidents reported to us has increased, with many outages linked to re-platforming and outsourcing failures,” said Butler. “The most prominent of these is perhaps TSB’s information technology (IT) migration earlier this year. But we’ve also seen a lot of recent outages caused by relatively small changes, usually made on a weekday evening.”

The UK’s Treasury Committee launched an inquiry into “the common causes of operational incidents” in the financial services sector in late 2018. Nicky Morgan, chair of the committee, called the number of IT failures at banks and other financial institutions “astonishing”. “Millions of customers have been affected by the uncertainty and disruption caused by failures of banking IT systems,” she commented at the launch of the inquiry. “Measly apologies and hollow words from financial services institutions will not suffice when consumers aren’t able to access their own money and face delays in paying bills.”

Cybersecurity firm Veracode revealed in a recent report that financial services firms take an average of 29 days to address a quarter of their vulnerabilities, and 373 days to address all vulnerabilities.

“We would presume financial services would address flaws and potential doorways promptly as it’s a highly regulated industry,” said Paul Farrington, director of EMEA at Veracode, in a statement accompanying the research. “However, we have observed several downfalls over the last year that suggest banks may not be as technically robust as they like to make out.”
