The Reserve Bank of Australia has quietly opened negotiations with the Australian Payments Clearing Association with a view to disclosing aggregated incident information within the industry.
Prompted by a string of major incidents in 2010 and 2011, the RBA went public with plans to tackle the issue of technology outages in March 2012.
The RBA released a paper in November of that year, which contained a set of conclusions gathered from six months of industry consultation. It also introduced a compulsory incident reporting and monitoring regime for members of the Reserve Bank Information and Transfer System (RITS).
Post-incident reports contain valuable information about where incidents have occurred and what caused them.
The RBA has taken particular interest in institutions that have suffered repeated outages and has gathered detailed information about the underlying payment infrastructure of all players in an attempt to unearth trends.
The consultation paper cited the ongoing replacement of ageing technology systems being carried out by all of the major banks as the most frequent source of customer pain, saying their “advanced age is contributing to operational risk”. It noted that efforts to address original issues had sometimes exacerbated the problem, “suggesting that some institutions’ incident management arrangements could be improved”.
Now, almost two years later, we have learned that the RBA finally has enough confidence in the quality of the data being collected through its reporting regime to do something with it. It has taken this long largely due to variation in the way different banks classify incidents and report them, but the RBA’s reporting requirements are now embedded into all of their systems.
The RBA hopes that making information available to members of the payments industry will facilitate peer benchmarking that makes systems more resilient. It has decided against introducing industry standards at this stage in the belief that competitive pressures will naturally push the industry towards best practice.
The door has nonetheless been left open for raw data to be made public. If this softly, softly approach fails to deliver a more resilient payments system that consumers can have complete confidence in, public disclosure remains an option. It is in the hands of the banks and their technology teams to avoid that fate.
The RBA’s patient approach to tackling high-profile outages in banking technology provides the industry with an opportunity to raise the collective bar.