Failing technology is not unique to Barclays. Recent Treasury Committee data highlights a further 33 days of system outages at major UK banks in the last two years.
The bad – outages and failure
Following the Barclays incident, the Treasury Select Committee (TSC) wrote to nine major banks, seeking details of their recent outages. The banks’ responses are now on its website. There were 158 IT failures over two years. That’s 803 hours, or more than 33 days, of unplanned technology and systems outages, with millions of customers affected. Issues with third-party providers and planned upgrades or changes to systems were the two most common causes given for outages. Other reasons include hardware and software faults (e.g. design faults, coding errors), human error, insufficient system capacity and Distributed Denial of Service (DDoS) attacks. Back in 2018, the FCA identified similar causes: change management failings; third-party failure; software issues; cyber-attacks; hardware issues; human error; process and control failures; and capacity management.
Technology outages are not a recent phenomenon, nor are they unique to the UK, or to financial services. Recent examples include:
- In 2019, the Treasury Committee published a report on IT failings, notably at TSB in 2018, as it sought to move off its Lloyds legacy systems. And in its 2018 report, the FCA noted: “Technology outages in the financial services sector are becoming more frequent and publicised”.
- In 2014, the Bank of England’s ‘Real Time Gross Settlement System’ (RTGS) suffered a significant failure and was down for approximately 9 hours. This followed a system reconfiguration that exposed a previously undetected design defect. More recently, in February this year, the ECB experienced an outage lasting several hours on its pan-European settlement system.
- In 2020, a software update from SolarWinds included malicious code, following a cyber hack. And in 2024, a faulty CrowdStrike update caused Microsoft’s Windows system to crash. As both were third-party software updates, millions of customers and businesses that used the software were affected. This caused widespread disruption. These incidents highlight a growing risk. Many financial institutions rely on a single or limited number of third-party providers to underpin significant and critical services.
The circumstances that give rise to these levels of outages include:
- The widespread and increasing use of technology. Both the front and back offices use technology to deliver banking services. And given the complexity of those systems, it is likely that issues will arise.
- Old and new systems are having to co-exist. Systems are not seamlessly integrated, creating conflicts or requiring manual workarounds. Old technology might be incapable of supporting new types of transactions or increased volumes. And it might also be less reliable, though some old systems can be very stable.
- The pace of ongoing development and change. This can rapidly render technology obsolete or leave banks one step behind cyber criminals.
- The increased use of and reliance on third-party technology providers. Third-party software might not integrate well with all other systems. There is also a potential risk that, culturally, technology providers are more focused on innovation and the next ‘big idea’, rather than reliability. This risk is exacerbated for the financial system, as there are a few large providers for some services.
- Technology (both hardware and software) often needs regular updates. These provide new functionality and capacity, to respond to cybercrime and to deal with identified bugs and similar issues. As updates can be complex, resource intensive and time consuming, there is an increased risk of error and delays.
- Systems are widely inter-linked. Both internal and external links increase the risk of contagion and threats from malicious third-party activity.
- The increased speed of processes and information flows. This can mean that problems are rapidly cascaded, affecting more systems, before remedial measures can be taken.
The good – efficiencies and enhanced resilience
The Treasury Select Committee highlighted 33 days of downtime for nine major banks that operate 24 hours a day, for 365 days a year. Conversely, it does mean that their systems were providing a good service for over 99% of the time. In reality, the service levels are even higher, given the number of different systems within each bank. The banks’ own figures, in their responses to the TSC, indicated over 99.97% service availability.
Banks’ systems might be said to be generally reliable, although obviously it is stressful for the customers affected when banks’ systems do fail, and failures can lead to losses for those concerned. It is of no comfort to those impacted if the bank operated satisfactorily for 364 days but failed on the particular day that such customers were due, for example, to make a house purchase.
It should also be noted that technology has brought considerable benefits to the banking system. These include operational efficiency, such as the ability to manage ever larger volumes of transactions and more quickly. And greater consumer choice, such as the means to access services at home and 24/7. This can also mean a more resilient financial system. The use of specialist third-party providers has also brought more innovation and reliability. Banks on an individual basis might not have been able to achieve this.
The future – enhanced regulatory frameworks
The risk of outages cannot be eliminated. It is neither possible, nor cost effective, to try and remove this risk completely. The world is a vast and complex place and technology is no exception. It is inevitable that there will be incidents leading to technology failures and outages. The aim is to reduce the likelihood and effect to tolerable levels. And to be able to recover and restore normal services, within an appropriate timeframe, when there is disruption.
The UK regulators have responded to operational issues with technology in several ways, as set out on their websites. These include requiring operational resilience and critical third-party frameworks.
Under the operational resilience framework, banks must identify their important business services and set impact tolerances for them. The services and tolerances for banks are determined by reference to their potential impact on financial stability, and by safety and soundness (PRA rules) and customer impact (FCA rules). The tolerances are the maximum amount of time for which any disruption should last, and any other metric a bank considers relevant. While banks commenced implementation of their operational resilience requirements in 2022, they had until March 2025 to fully implement them.
The regulators set out their final approaches to critical third parties in November 2024. While the rules came into effect on 1 January 2025, entities do not need to comply unless they have been designated as a critical third party by HM Treasury. The supervisory approach broadly entails oversight of the services provided to the financial sector. It is too early to determine the effect of this new policy. But hopefully it will not stifle technological innovation in banking, while ensuring that third-party services are reliable.
Conclusions
Technology is ubiquitous. While there are many benefits to technology, outages are an unfortunate price we have to pay. But it is a problem that is being tackled. And one that the banking system will hopefully minimise, in order to ensure that the financial system can adequately support real world transactions – quickly, efficiently and effectively.
Going forward, the banks and regulators will need to monitor the application of the operational resilience and critical third-party frameworks, as they are embedded. Monitoring and root cause analysis of any outages should continue to be undertaken, with lessons learned and further action taken if necessary. And the nature of risk is that there should be no room for complacency. There will always remain a small residual risk of a significant failing, at some point in the future.
One important lesson to take away is that there may always be a need for physical cash, as a money of last resort. While many people have multiple bank accounts, which provide some resilience to failure, there remain some potentially significant single points of failure in the financial system. These include financial market infrastructure entities or central bank settlement systems and the Visa and Mastercard contactless card systems. And the technology companies that might be few in number but underpin services to many.