show image

Oscar Williams

News editor

The FCA is now forcing banks to tell customers how many outages they’ve suffered

Banks are being forced to disclose details of major operational and security incidents online for the first time, just months after TSB suffered a catastrophic IT meltdown.

The initiative has been led by the FCA and CMA and brings UK-based financial organisations into line with the EU’s new payment services directive (PSD2).

Every bank offering current accounts in the UK now lists the total number of incidents they reported to the FCA over the last quarter, as well as the number affecting telephone, mobile and internet banking respectively. The largest banks also have to provide the information through an API.

Of the UK’s ‘big four’ banks, HSBC performed best, reporting seven incidents in the last three months, RBS came second with nine, Barclays suffered 18 and Lloyds 19. The FCA has published a full list linking to all of the latest disclosures on its site.

As a part of the new mandated disclosures, banks also have to reveal the level of complaints they have received, when their services and helplines are open and how they can be contacted.

“For the first time, people will now be able to easily compare banks on the quality of the service they provide, and so judge if they’re getting the most for their money or could do better elsewhere,” said the CMA’s senior director Adam Land.

“This is one of the many measures – including Open Banking and overdraft text alerts – that we put in place to make banks work harder for their customers and help people shop around to find the best deals for them.”

The move comes as banks’ IT teams face fresh scrutiny over their operational resilience following TSB’s outage earlier this year. In July, the FCA called on financial organisations to disclose how they are preparing their systems for cyber attacks and IT incidents.

In April, TSB customers were left locked out of their online accounts for days at a time after the lending giant migrated its digital services to a new platform. Fraudsters exploited the incident to steal money from more around 1,300 of the company’s customers. The lender has promised to compensate all of those affected.

Financial services firms are not covered by the NIS Directive, a new set of European regulations designed to bolster the security of critical infrastructure. But that doesn’t mean banks are any less likely to be hit by fines for IT outages. The directive grants regulators the power to fine companies up to £17m of annual turnover, but there is no cap on the fines the FCA can issue.