Barclays defence of its IT shutdowns highlights wider limitations surrounding how outages and incidents are reported
- Published: Monday, 11 March 2019 10:05
Peter Groucutt, managing director of Databarracks, comments on the BBC’s recent analysis of IT outages and incidents for major high-street banks.
Since August 2018, the UK FCA has required banks to supply information about current account services to help consumers and small businesses make comparisons. This month, for the first time the data included the number of IT-related shutdowns, over the previous nine months.
Analysis of the data undertaken by the BBC revealed that most major high-street banks suffered more than ten shutdowns between April and December 2018. Barclays was singled out as the worst performer with 41 incidents over the nine months. In response, the bank said: "We take IT resilience extremely seriously and we welcome transparency for our customers which is why we report every incident to the regulator, even minor glitches that have minimal impact on customers."
Barclays’ response might sound a little defensive, but it does highlight the limitation of how these incidents are reported. Are all outages equal? For example, does TSB’s prolonged outage from its systems upgrade count as just one incident? If so, that makes it difficult to compare performance between banks.
The FCA has to strike the balance between the demands on the banks to produce this data and the value it adds. In future reporting my recommendation would be to add:
- Length of outage - the duration of the incident;
- Severity of issue - from minor degraded performance of systems causing delays to complete outages with systems unavailable;
- Number of users/customers affected - to distinguish between incidents that only affect a small number of customers and major incidents that affect all (or a high proportion of) customers.
For the small amount of effort, it would take to produce this data, the benefit to consumers is high and it would be equally valuable for the FCA to keep track of IT outages for the industry. Lastly, I would also suggest reporting the cause of the issue, which could be taken from a small number of broad categories such as ‘cyber incident’, ‘systems upgrade’ or ‘human error’.
In the original discussion paper published by the FCA it stated, “customers considered that frequent unplanned interruptions may be a sign of poor investment in the resilience of systems and security.” By tracking the cause of the issues, we can find trends across the industry as well as highlight particular issues for each bank.