Incident: Title: Widespread IT Failures in UK Banks Cause Payment Disruptions

Published Date: 2019-03-03

Postmortem Analysis
Timeline
1. The software failure incidents reported in the article happened in the last nine months of 2018 [81983].
2. Published on 2019-03-03.
3. The software failure incidents occurred between April 2018 and December 2018.

System
1. Online banking services at TSB due to the botched introduction of a new IT system [81983].

Responsible Organization
1. Banks in the UK, including HSBC, Barclays, Lloyds, Bank of Scotland/Halifax, Natwest, TSB, and Nationwide, were responsible for causing the software failure incidents [81983].

Impacted Organization
1. Customers of British banks [81983]

Software Causes
1. Software bugs and faults in the IT systems of British banks leading to operational and security incidents preventing customers from making payments [81983].

Non-software Causes
1. Lack of operational resilience in the modern financial system [81983]
2. Insufficient investment in ensuring robust and secure systems [81983]
3. Closure of bank branches and disappearance of ATMs leading to reduced access to cash [81983]

Impacts
1. The software failure incidents in British banks led to customers being prevented from making payments at an average rate of more than once a day, causing inconvenience and stress to those affected [81983].
2. The botched introduction of a new IT system at TSB resulted in 1.9 million people losing access to online banking services [81983].
3. The incidents highlighted the importance of having a regulator responsible for protecting cash as a backup when technology fails, especially as digital payments become more common [81983].
4. The software failures raised concerns about the operational resilience of the UK's financial system, indicating that it may not be ready to support a cashless society [81983].

Preventions
1. Implementing thorough testing procedures before deploying new IT systems or updates could have potentially prevented the software failure incident [81983].
2. Regularly conducting system audits and security assessments to identify and address vulnerabilities proactively could have helped prevent the IT failures [81983].
3. Investing in robust operational resilience measures, including redundant systems and backup plans, could have mitigated the impact of the software failures [81983].

Fixes
1. Implementing stricter regulations and oversight by the Financial Conduct Authority (FCA) to ensure banks report major operational or security incidents promptly and accurately [81983].
2. Investing in operational resilience by banks to ensure robust and secure systems, both human and digital, to minimize disruptions when failures occur [81983].
3. Appointing a regulator with sole responsibility for the cash infrastructure to protect consumers and businesses by ensuring access to cash as a backup when technology fails [81983].

References
1. Which? Money
2. Financial Conduct Authority (FCA)
3. UK Finance
4. Jenny Ross, Which? Money’s editor
5. Spokesperson from UK Finance

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The software failure incident having happened again at one_organization: - TSB, which had a botched introduction of a new IT system causing 1.9 million people to lose access to online banking services, reported 16 incidents related to IT failures [81983]. (b) The software failure incident having happened again at multiple_organization: - The article mentions that six of the UK's biggest banks had at least one failure every two weeks, with Barclays having the most IT failures at 41, Lloyds at 37, Bank of Scotland/Halifax at 31, Natwest at 26, and Nationwide reporting five incidents [81983].
Phase (Design/Operation) design, operation (a) The article mentions incidents related to system development and updates contributing to software failures. For example, TSB experienced a major IT failure due to the botched introduction of a new IT system, causing 1.9 million people to lose access to online banking services [81983]. Additionally, the article highlights that banks have been required to report major operational or security incidents that prevent customers from using payment services since April last year, indicating issues related to system development and updates [81983]. (b) The article also discusses failures related to the operation or misuse of the system. It mentions that British banks have been hit by IT or security failures that prevent customers from making payments, with incidents occurring at an average rate of more than once a day [81983]. This suggests that operational issues or misuse of systems have contributed to software failures in the banking sector.
Boundary (Internal/External) within_system (a) within_system: The software failure incidents reported in the article are primarily within the system. The failures are attributed to major operational or security incidents within the banks' IT systems that prevent customers from making payments. The incidents include glitches, system downtimes, and failures in new IT system introductions, such as the botched introduction at TSB that caused millions to lose access to online banking services [81983]. The article highlights that the Financial Conduct Authority requires banks to report such major operational or security incidents that impact customer payment services, indicating that the failures are originating from within the banking systems themselves.
Nature (Human/Non-human) non-human_actions (a) The software failure incident occurring due to non-human actions: The article mentions incidents of IT failures in British banks that prevented customers from making payments, with 302 incidents reported in the last nine months of 2018 [81983]. These failures were attributed to operational or security incidents that disrupted payment services. Additionally, the article highlights the botched introduction of a new IT system at TSB, which caused 1.9 million people to lose access to online banking services [81983]. (b) The software failure incident occurring due to human actions: The article does not specifically mention any software failure incidents caused by human actions.
Dimension (Hardware/Software) software (a) The software failure incidents reported in the articles are primarily related to software issues rather than hardware. The incidents mentioned include IT glitches, operational failures, and security incidents that prevented customers from making payments. These issues are attributed to failures in the banks' IT systems and software, leading to disruptions in payment services [81983].
Objective (Malicious/Non-malicious) non-malicious (a) The articles do not mention any software failure incidents caused by malicious intent. [81983] (b) The software failure incidents reported in the articles are non-malicious in nature, stemming from operational or security issues within the banking systems. These failures have caused disruptions to payment services for customers, leading to stress and inconvenience. The failures are attributed to glitches, IT system downtimes, and the botched introduction of new IT systems, rather than any intentional harm to the systems. The focus is on the need for operational resilience and the importance of having backup measures in place when technology fails. [81983]
Intent (Poor/Accidental Decisions) poor_decisions (a) The software failure incidents reported in the articles seem to be related to poor decisions made by the banks and financial institutions. The incidents were attributed to major operational or security failures that prevented customers from making payments, with some banks experiencing failures as frequently as once every two weeks. The botched introduction of a new IT system by TSB also caused a significant number of customers to lose access to online banking services. These incidents highlight the importance of operational resilience and the need for regulators to ensure that technology failures do not leave customers behind [81983].
Capability (Incompetence/Accidental) development_incompetence, unknown (a) The article mentions the botched introduction of a new IT system at TSB last year, which caused 1.9 million people to lose access to online banking services [81983]. This incident could be attributed to development incompetence, as the failure was a result of issues introduced during the implementation of the new IT system. (b) The article does not provide specific information about software failure incidents occurring due to accidental factors.
Duration unknown The articles do not provide specific information about whether the software failure incidents mentioned were permanent or temporary.
Behaviour crash, omission (a) crash: The article mentions incidents where banks' systems went down, preventing customers from making payments. For example, HSBC systems went down on the same day that the Treasury select committee launched a formal inquiry into banking IT failures [81983]. (b) omission: The article highlights incidents where customers were prevented from making payments due to IT failures. For instance, TSB reported 16 incidents, and Barclays had the most IT failures over the nine months [81983]. (c) timing: The article does not specifically mention failures related to timing. (d) value: The article does not specifically mention failures related to the system performing its intended functions incorrectly. (e) byzantine: The article does not specifically mention failures related to inconsistent responses or interactions. (f) other: The article does not provide information on other specific behaviors of the software failure incident.

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence unknown (a) death: People lost their lives due to the software failure (b) harm: People were physically harmed due to the software failure (c) basic: People's access to food or shelter was impacted because of the software failure (d) property: People's material goods, money, or data was impacted due to the software failure (e) delay: People had to postpone an activity due to the software failure (f) non-human: Non-human entities were impacted due to the software failure (g) no_consequence: There were no real observed consequences of the software failure (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? The articles do not mention any direct consequences such as death, physical harm, impact on basic needs, or property loss due to the software failure incidents reported in the banking sector [81983]. The focus is more on the inconvenience, stress, and disruption caused to customers, as well as the need for regulatory oversight and operational resilience in the financial system.
Domain finance The software failure incident reported in the news article [81983] is related to the finance industry. The incident involved major IT glitches in several UK banks, including HSBC, Barclays, Lloyds, Bank of Scotland/Halifax, Natwest, TSB, and Nationwide, which prevented customers from making payments and accessing online banking services. The Financial Conduct Authority (FCA) required banks to report such incidents, and the consumer group Which? conducted a comprehensive analysis of these failures. The incident at TSB, where the introduction of a new IT system caused significant disruptions, is highlighted as a specific example of the failures in the finance sector. The article also mentions that UK Finance, representing the banks, emphasized the importance of operational resilience in the financial system and the ongoing investments made to ensure system robustness and security in the industry.
