Bank outage crackdown to publicly name and shame institutions

Australia’s retail banking sector and payment systems operators will no longer be able to fudge outage severity figures or manipulate up-time performance stats under a fresh crackdown by regulators aimed at arresting crippling software glitches.

The powerful Payment Systems Board – whose members include the chairs of the Reserve Bank of Australia and the Australian Prudential Regulatory Authority – has revealed it will make outage data it now collects public.

The move will end decades of banks, payment schemes and telecommunications carriers hiding behind an incoherent jumble of performance statistics generated by each institution that have prevented regulators gaining a cohesive picture and stymied compensation claims.

The move comes as millions of Australians spent Monday waiting for funds to finally clear four days after a massive outage at the Commonwealth Bank of Australia because of widespread dependence on legacy batch systems by the other Big Four banks and smaller institutions.

In a sublime irony, the revelation of new crackdown broke cover on the same day as the CBA’s outage that left millions unable to transfer funds between accounts using either the CBA’s mobile banking app or it NetBank online banking portal.

As reported by iTnews, financial regulators, particularly the RBA, have been quietly forcing banks to submit data on their outages – including downtime, services affected, severity and causation – to a standardised format to create a centralised picture of problems.

Banks and payment schemes had hoped the outage data collected by regulators would remain under wraps, grizzling that the disclosure of standardised statistics would undermine already damaged public confidence in institutions.

Instead, institutions copped a significant loss on their long-running campaign to retain control over how IT problems affecting availability are reported and disclosed.

“Following a sharp jump in outages recently, the [RBA] will be looking to take additional steps to encourage improved operational resilience,” the Payment System’s Board annual report said.

“To strengthen transparency and market discipline, the [RBA] will be working with Australian Prudential Regulatory Authority (APRA) and the industry to develop a standardised set of statistics on operational outages in retail payments to be publicly disclosed by individual institutions.”

Both the RBA and the PSB are clearly frustrated with the increase in outages and the impact they have on consumers, merchants and even institutions like Australian Securities Exchange, where companies like 5G Networks on Friday issued delayed dividend notices stemming from the CBA’s outage.

It’s not hard to see why either. If 2018 was a shocker in terms of broken boxes and software fails, 2019 is looking even worse, as the graph below shows – and that’s before the CBA’s outage is counted.

The walk of shame on outages is just the beginning.

In even worse news for banks and payments providers, the RBA and the PSB have issued a clear and live threat they are more than willing to issue up-time benchmarks to hit if things don’t improve.

“The [RBA] will also be engaging more closely with retail payments providers on operational risks in retail payments and how these issues are being managed,” the PSB wrote.

“If operational incidents continue to rise, the [RBA] could also consider imposing operational resilience standards on operators and participants in retail payment systems, as some other jurisdictions have done.”

Technology vendors hoping to cash-in on the crackdown should tread warily. Regulators are also giving defective drops the evil eye, pointing to the prevalence, noting that there are now plenty of examples of the negative effects of dud code.

“The most common reported cause of outages in 2018 was software failures. Both the number of software failures and the average time taken to resolve them rose sharply in the year,” the PSB said.

“The increasing complexity of IT environments, together with problems stemming from legacy systems, seem to be important factors contributing to rises in the number of operational incidents and the time taken to resolve them.

“Ultimately, it is in the interests of financial institutions to ensure their retail payment services are reliable.”

Well you’d think so, wouldn’t you.