FCA and BoE fine RBS for IT failures

The Financial Conduct Authority (FCA) and the Bank of England (BoE) have fined Royal Bank of Scotland £56m for the computer failures that hit more than over 6.5m UK customers for several weeks in 2012.

As expected, the financial regulator said it had fined RBS, and its NatWest and Ulster Bank subsidiaries £42m, "for failing to put in place resilient IT systems which could withstand, or minimise the risk of, IT failures".

The central bank's Prudential Regulation Authority (PRA) added a £14m fine, its first ever financial penalty since coming into being in April 2013, for "for inadequate systems and controls", which would have been £20m but for RBS's early payment receiving a 30% discount.

This came after the Central Bank of Ireland announced earlier in the month it had fined Ulster Bank Ireland €3.5m.

RBS has also paid £70.3m in redress to UK customers and £460,000 to individuals and firms who were not customers.

The actual cause of the IT incident was a software compatibility problem with the underlying cause being the banks’ failure to put in place adequate systems and controls to identify and manage their exposure to IT risks.

Tracey McDermott, director of enforcement and financial crime at the FCA said: “Modern banking depends on effective, reliable and resilient IT systems. The banks' failures meant millions of customers were unable to carry out the banking transactions which keep businesses and people's everyday lives moving.

"The problems arose due to failures at many levels within the RBS Group to identify and manage the risks which can flow from disruptive IT incidents and the result was that RBS customers were left exposed to these risks."

The PRA said the IT incident "could have threatened the safety and soundness of the banks" and in the worst possible scenario also had adverse effects on the stability of the whole UK financial system "in that it interfered with the provision of the banks’ core banking functions, impacted third parties and risked disrupting the clearing system".

BoE Deputy Governor Andrew Bailey, chief executive of the PRA said the incident revealed "a very poor legacy of IT resilience and inadequate management of IT risks" and said it was "crucial" the banks remedied this.

RBS, which has since announced it is investing an extra £750m in IT over a three year period, was in full conciliatory mood.

Chairman Philip Hampton said: "Our IT failure in the summer of 2012 revealed unacceptable weaknesses in our systems and caused significant stress for many of our customers. As I did back then, I again want to apologise to all customers in the UK and Ireland that we let down two and a half years ago.

"I am confident that the progress we have made - in increasing the resilience of our IT systems through the additional investment of hundreds of millions of pounds and the enhancement of our control structures - has made RBS better able to provide the service our customers expect and deserve."

The group's new chief administrative officer, Simon McNamara, who arrived at RBS in 2013, said his chief priority has been to ensure investment in IT was targeted in the right areas.

"A lot has changed and much has been achieved already. Our systems are currently available to customers over 99.9% of the time. By any measure, this is some achievement. But, given the impact that any incident has on our customers, I want to do better."

Shares in RBS were down 0.6% to 381.35p at 08:30 on Thursday.