Ulster Bank slapped with €3.5m fine over 2012 IT collapse

12 Nov 2014

The Central Bank has fined Ulster Bank €3.5m over the 2012 IT failure that left 600,000 people without banking services over 28 days. It is the largest fine imposed on a financial services provider in Ireland.

The Central Bank also reprimanded the bank in relation to IT and governance failings over the 28-day period between June and July 2012.

The fine and reprimand are in addition to a redress scheme overseen by the Central Bank under which Ulster Bank has paid around €59m to affected customers.

The overall cost to the bank prior to the fine being imposed ran to €103m.

During the debacle, customers were unable to access cash through ATMs or pay for goods and services with cards. In addition, many customers were frustrated by the inability to process payments for bills and mortgages. The processing of payments in and out of accounts were also delayed.

The Central Bank’s director of enforcement Derville Rowland said the fine is the highest ever imposed by the Central Bank, exceeding a €3.25m fine imposed against Quinn Insurance in 2008 over loans that breached insurance regulations.

€3.5m fine is highest ever imposed by Central Bank

“The summer of 2012 saw an unprecedented disruption to banking services as a result of a failure that occurred on the IT systems that Ulster Bank Ireland Limited used to process daily banking transactions,” Rowland said.

“The IT failure caused significant and unacceptable inconvenience to affected customers trying to carry out their everyday financial transactions.

“As the provision of financial services to customers represents the core business function of the firm, the major breakdown in the firm’s provision of these services as a result of IT failings is completely unacceptable.

“This enforcement action taken under our Administrative Sanctions Procedure is one of a number of measures that have been taken by the Central Bank in respect of the IT governance failings of the firm.

Rowland also said the fine reflects the seriousness with which the Central Bank views the failings of Ulster Bank and the Central Bank’s determination to ensure customers have access to core banking services without disruption.

“In addition, the Central Bank required the firm to put in place a comprehensive redress plan in response to the major inconvenience and disruption which has paid approximately €59m to affected customers,” Rowland said.

IT outsourcing is no defence

Ulster Bank relied upon its parent company Royal Bank of Scotland Group (RBSG) for the provision of IT services, including IT risk oversight and management.

How IT failure in a bank affects ordinary people

The impacts of the IT incident on Ulster Bank’s customers included:

  • Late processing of payments in and payments out of accounts
  • Inability to access ATMs/cash; late transfers of payments against customers’ credit card balances
  • Incorrect credit and debit interest on accounts/cards
  • Duplicative payments
  • Customers’ inability to honour financial commitments (with impact on credit history)
  • Inability to pay for goods and services
  • Inability to use online banking
  • Inability of commercial customers to use the banking system and inability to view account balances
  • In addition, other financial service providers were affected, as they could not receive money from customers to honour their own commitments.

It entered into an outsourcing services agreement with RBSG for the provision of IT services in 2005.

During June 2012, software that RBSG used to process banking transactions across all of its businesses, including Ulster Bank, failed.

The immediate cause of the failure arose from a software upgrade provided by a third party that was installed by RBSG just a few days before the failure occurred.

During the course of the incident, the bank took steps to support customers, including extending branch and call centre opening times, extending credit limits and offering free cash advances to customers.

However, the bank’s own lack of understanding of the IT incident meant it was unable to give customers accurate timelines as to when the issues would be resolved, exacerbating the issue over 28 days.

Rowland said that while she recognises IT outsourcing is a feature of modern banking, it is no defence for regulatory failings.

“Ultimate accountability for compliance remains with firms and they must ensure that they maintain oversight of outsourced activities.

“Senior management must ensure that risks associated with outsourced activities are appropriately managed and must be aware that outsourcing arrangements can never result in the delegation of their responsibility to manage the risks associated with such activities.

“The obligations imposed upon firms and management applies equally to situations where activity is outsourced on an intra-group basis or to a third party.

“Where firms and their management fail to ensure that robust governance arrangements are in place for in-house and outsourced IT systems, they should expect vigorous investigation and follow up by the Central Bank, and for the Central Bank to exercise its powers, including sanctioning powers where appropriate,” Rowland said.

She thanked both the Financial Conduct Authority and the Prudential Regulation Authority in the UK for the cross-jurisdictional co-operation the Central Bank received during and after the crisis.

Ulster Bank Dublin HQ image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years