Regulators in first dual enforcement over RBS tech crash

Royal Bank of Scotland and its banking subsidiaries Natwest and Ulster Bank have been hit with fines of £42m from the Financial Conduct Authority and £14m from the Bank of England’s Prudential Regulation Authority, over a major IT collapse two years ago.

The fine is the first time the conduct and prudential ‘twin peaks’ regulators created following the bifurcation of the Financial Services Authority have taken joint enforcement action. It also marks the first ever fine issued by the PRA.

In a statement the FCA states it took the action against the banks relating to the detriment suffered by 6.5m bank customers, 92 per cent of which were retail customers, who were left without access to their accounts for several weeks in June 2012.

Article continues after advert

In a separate statement the PRA said it had taken action because “properly functioning IT risk management systems and controls are an integral part of a firm’s safety and soundness”.

The actual cause of the IT incident was a software compatibility problem, according to the FCA, which said this reflected the banks’ failure to put in place adequate systems and controls to “identify and manage their exposure to such risks”.

On 17 June 2012 the banks’ group centralised Technology Services IT unit upgraded the software that processes updates to customers’ accounts. When it noticed problems with the upgrade it decided to uninstall, without realising the the upgraded software was not compatible with the previous version.

Problems lasted for RBS until 26 June, for Ulster Bank until 12 July, and for some customers even longer.

Over the course of that period customers could not use online banking facilities to access their accounts or obtain accurate account balances from ATMs; were unable to make mortgage payments; were left without cash in foreign countries; had incorrect credit and debit interest applied accounts.

In addition, some business customers were unable to meet their payroll commitments or finalise audited accounts.

RBS was earlier fined £14.5m by the FCA in the summer after a regulatory review found only 2 of 164 mortgage sales examined met required standards, including through failure to assess whether customers could actually afford the mortgages recommended.

The bank also last month escaped major fines from the European Commission over interest rate ‘cartels’ after it was granted ‘immunity’ for providing information on other banks involved in manipulating prices.

Banks including Swiss group UBS, US giant JP Morgan and French group Crédit Suisse were fined a combined €94m (£74m) after it was found they had operated illegal “cartels” influencing the prices of Swiss franc denominated interest rate derivatives and benchmarks in two separate cases.

Commenting on the IT fines, Tracey McDermott, director of enforcement and financial crime at the FCA, said that the problems arose due to failures at many levels within the RBS Group to identify and manage the risks which can flow from disruptive incidents.

“We expect all firms to focus on how they ensure that they can meet the requirements of their customers when looking at their IT strategies and policies.”