The Prudential Regulation Authority (PRA) is today fining Royal Bank of Scotland Plc (RBS), National Westminster Bank Plc (Natwest) and Ulster Bank Ltd (Ulster Bank) £14 million for inadequate systems and controls which led to a serious IT incident in 2012. This is the first financial penalty the PRA has imposed since it came into being in April 2013. The Financial Conduct Authority (FCA) has separately fined the banks for the same incident.
In April 2013, the PRA and FCA announced that they would investigate the RBS, Natwest and Ulster Bank IT incident which led to widespread disruption to customers and the financial system. A joint investigation was considered necessary because the incident impacted upon the objectives of both the PRA and the FCA.
The IT incident, which began on 18 June 2012, directly affected at least 6.5 million customers in the United Kingdom, 92% of whom were retail customers. The IT incident had the potential to have an adverse effect on the safety and soundness of RBS, Natwest and Ulster Bank as it impacted upon:
- the ability of the banks’ retail customers to access their accounts;
- the ability of the banks’ commercial customers to access their internet banking service, preventing them from accessing their accounts or making payments;
- customers of other institutions who were unable to receive payments from the banks’ affected customers; and
- the ability of the banks to fully participate in clearing. An efficient clearing system is fundamental to the efficient operation of the financial markets.
Disruption to the majority of RBS and Natwest systems lasted until 26 June 2012, and Ulster Bank systems until 10 July 2012. Disruptions to other systems continued into July 2012. The cause of the IT incident was the failure of the banks to have the proper controls in place to identify and manage exposure to the IT risks within their business.
Properly functioning IT risk management systems and controls are an integral part of a firm’s safety and soundness. The PRA considers that the IT incident could have threatened the safety and soundness of the banks and could have, in extremis, had adverse effects on the stability of the financial system in that it interfered with the provision of the banks’ core banking functions, impacted third parties and risked disrupting the clearing system.
Andrew Bailey, Deputy Governor, Prudential Regulation, Bank of England and CEO of the PRA, said:
“The severe disruption experienced by RBS, Natwest and Ulster Bank in June and July 2012 revealed a very poor legacy of IT resilience and inadequate management of IT risks. It is crucial that RBS, Natwest and Ulster Bank fix the underlying problems that have been identified to avoid threatening the safety and soundness of the banks.”
The banks agreed to settle at an early stage and were therefore entitled to a 30% discount, without which they would have been fined £20 million.