
Resilience of banking technology: the bad, the good and the future

Published: 28 May 2025

Barclays’ customers recently suffered the inconvenience that comes with digital banking when the technology fails, for which the bank will pay out £12.5m in compensation.

Failing technology is not unique to Barclays. Recent Treasury Committee data highlights a further 33 days of system outages at major UK banks in the last two years.

The bad – outages and failure 

Following the Barclays incident, the Treasury Select Committee (TSC) wrote to nine major banks, seeking details of their recent outages. The banks’ responses are now on its website. There were 158 IT failures over two years. That is 803 hours, or more than 33 days, of unplanned technology and systems outages, with millions of customers affected. Issues with third-party providers and planned upgrades or changes to systems were the two most common causes given for outages. Other reasons include hardware and software faults (e.g. design faults, coding errors), human error, insufficient system capacity and Distributed Denial of Service (DDoS) attacks. Back in 2018, the FCA identified similar causes: change management failings; third-party failure; software issues; cyber-attacks; hardware issues; human error; process and control failures; and capacity management.

Technology outages are not a recent phenomenon, nor are they unique to the UK, or to financial services. Recent examples include:

The circumstances that give rise to these levels of outages include: 

The good – efficiencies and enhanced resilience

The Treasury Select Committee highlighted 33 days of downtime for nine major banks that operate 24 hours a day, 365 days a year. Conversely, this means that their systems were providing a good service for over 99% of the time. In reality, the service levels are even higher, given the number of different systems within each bank. The banks’ own figures, in their responses to the TSC, indicated over 99.97% service availability.

Banks’ systems might be said to be generally reliable. Obviously, though, it is stressful for the customers affected when banks’ systems do fail, and failures can lead to losses for those concerned. It is of no comfort to those impacted if the bank operated satisfactorily for 364 days but failed on the particular day that they were due, for example, to make a house purchase.

It should also be noted that technology has brought considerable benefits to the banking system. These include operational efficiency, such as the ability to manage ever larger volumes of transactions, and to do so more quickly, and greater consumer choice, such as the means to access services at home and 24/7. This can also mean a more resilient financial system. The use of specialist third-party providers has also brought more innovation and reliability, which banks might not have been able to achieve on an individual basis.

The future – enhanced regulatory frameworks 

The risk of outages cannot be eliminated. It is neither possible nor cost effective to try to remove this risk completely. The world is a vast and complex place and technology is no exception. It is inevitable that there will be incidents leading to technology failures and outages. The aim is to reduce their likelihood and effect to tolerable levels, and to be able to recover and restore normal services within an appropriate timeframe when there is disruption.

The UK regulators have responded to operational issues with technology in several ways, as set out on their websites. These include requiring operational resilience and critical third-party frameworks.

Under the operational resilience framework, banks must identify their important business services and set impact tolerances for them. The services and tolerances for banks are determined by reference to their potential impact on financial stability, and by safety and soundness (PRA rules) and customer impact (FCA rules). The tolerances are the maximum amount of time for which any disruption should last, and any other metric a bank considers relevant. While banks commenced implementation of their operational resilience requirements in 2022, they had until March 2025 to implement them fully.

The regulators set out their final approaches to critical third parties in November 2024. While the rules came into effect on 1 January 2025, entities do not need to comply unless they have been designated as a critical third party by HM Treasury. The supervisory approach broadly entails oversight of the services provided to the financial sector. It is too early to determine the effect of this new policy. But hopefully it will not stifle technological innovation in banking, while ensuring that third-party services are reliable.

Conclusions

Technology is ubiquitous. While there are many benefits to technology, outages are an unfortunate price we have to pay. But it is a problem that is being tackled, and one that the banking system will hopefully minimise, in order to ensure that the financial system can adequately support real-world transactions quickly, efficiently and effectively.

On an ongoing basis, the banks and regulators will need to monitor the application of the operational resilience and critical third-party frameworks as they are embedded. Monitoring and root cause analysis of any outages should continue to be undertaken, with lessons learned and further action taken if necessary. The nature of risk is such that there should be no room for complacency. There will always remain a small residual risk of a significant failing at some point in the future.

One important lesson to take away is that there may always be a need for physical cash, as a money of last resort. While many people have multiple bank accounts, which provide some resilience to failure, there remain some potentially significant single points of failure in the financial system. These include financial market infrastructure entities or central bank settlement systems, the Visa and Mastercard contactless card systems, and the technology companies that might be few in number but underpin services to many.
