Nov 20, 2014
Ulster Bank will pay a record €3.5 million fine following a catastrophic IT failure that left 600,000 customers unable to access crucial services for nearly a month.
The bank, which has branches across the Republic of Ireland and Northern Ireland, was penalized for severe IT and governance issues that caused widespread inconvenience and lowered confidence in retail banking.
Handed down by the Central Bank of Ireland (CBI), the fine was in addition to a €59 million redress scheme that provided compensation for affected customers. The central bank said it was the largest penalty the organization has ever imposed on an institution, highlighting the "significant and unacceptable" issues associated with the outage.
IT failure halts crucial processes
During the incident, which occurred in 2012, customers were unable to withdraw cash from ATMs and could not pay for goods and services by card. There were also delays in processing payments to and from accounts. Other issues included loss of access to online banking, duplicate payments, missed payments and the resulting impact on credit ratings.
The failure highlights the importance of comprehensive disaster recovery functions when unexpected events prevent the normal operation of crucial IT systems, in this case platforms used to process daily transactions. Minimizing downtime is particularly vital in highly regulated industries where governance and compliance are strictly monitored, such as financial services.
Derville Rowland, the CBI's director of enforcement, said the shortcomings of Ulster Bank resulted in "unprecedented disruption to banking services".
"As the provision of financial services to customers represents the core business function of the firm, the major breakdown in the firm's provision of these services as a result of IT failings is completely unacceptable," she said.
What caused the failure?
Royal Bank of Scotland (RBS) owns Ulster Bank, and the smaller institution outsourced its IT services provision to the parent company, including risk assessment and oversight.
RBS installed a software upgrade provided by a third party, which caused the banking transaction processing system across all of its organizations, including Ulster Bank, to crash.
Because it had outsourced its IT processes, Ulster Bank showed a poor understanding of the crucial systems on which important operations relied. The CBI therefore decided the institution had contravened Regulation 16 of the European Communities (Licensing and Supervision of Credit Institutions) Regulations 1992, which requires all financial institutions to have robust governance protocols.
According to the central bank, the size of the penalty was based on exceptionally poor governance, the length of time crucial services were down and the lack of an effective business continuity plan.
"Where firms and their management fail to ensure that robust governance arrangements are in place for in-house and outsourced IT systems, they should expect vigorous investigation and follow up by the central bank, and for the Central Bank to exercise its powers, including sanctioning powers where appropriate," Rowland stated.
Ulster invests in new disaster recovery
Following the fine, Ulster Bank Chief Executive Jim Brown accepted the punishment, adding that the institution agreed its preparedness for an IT systems failure was below par.
He said the company has now "significantly improved" its resilience in this area, including setting up a separate batch scheduler so that a problem with another area of the RBS brand shouldn't affect Ulster.
"We have also established a mirror bank so that in the event of a service outage we can still process transactions while we recover our systems," Brown stated.
The bank has also enhanced its operational risk framework, as well as boosting working relationships with RBS to ensure similar problems don't occur in the future.
"Our customers need to be able to rely on our systems and in this instance we let them down," Brown stated.