Crippling outages in retail payments systems at Australian banks have more than doubled in terms of the number of hours institutions spent offline in the past year.
In fact they are so bad they now pose a real risk to "day-to-day economic activity".
That’s the blunt take from the Reserve Bank of Australia, which overnight exposed hard evidence of the degree to which bank systems are underperforming, based on the downtime data it’s been collecting from institutions.
And it’s a bleak picture too.
The total duration of retail payments outages in hours as reported to the RBA hit its worst annual level in five years, with incidents clocking up at least 1838 hours in 2018 compared to 824 hours in 2017, and 811 hours in 2016.
The average duration of an outage is also up steeply, jumping to 6.2 hours in 2018, compared to 3.9 hours in 2017 and 3.2 hours in 2016.
The total number of incidents for 2018 came in at a disturbing 295, up from 210 in 2017 but down compared to 251 in 2016.
“Outages that affect the ability of households and businesses to make and receive payments, or access account information, can cause significant inconvenience and disruption,” said Michelle Bullock, the RBA’s respected Assistant Governor in charge of the Financial System.
“And with the increasing use of electronic payment instruments and the reduction in people carrying and transacting in cash, the resilience of these systems is becoming critical to day-to-day economic activity.”
Made overnight at the Central Banks Payments Conference in Berlin, Bullock’s observations reflect the RBA’s frustration with the pace of bank technology modernisation, which has resulted in interventions like the creation of the New Payments Platform to speed up payments.
The RBA’s data and position are of pivotal importance to banks and their technology strategy because they provide an essential empirical window into the number and severity of outages, evidence that would otherwise be buried by an industry unwilling to divulge figures.
Outage and fraud remain two of the biggest systemic concerns for the RBA around payments because of their potential to sap vital public confidence in the overall system.
The central bank has over the past five years gradually ratcheted up pressure on Australia’s banking oligopoly to bite the bullet regarding investment in technology, not just in terms of spend but execution and timeliness.
“While modernising centralised infrastructure and payment systems is clearly very important for the future of payments, it is only as good as the systems of the participants themselves,” Bullock said.
“Ageing and complex systems within financial institutions pose a significant risk to the efficiency and resilience of payment systems.”
As the graph below illustrates, cash is disappearing quickly.
Bank performance exposed
Bullock said the RBA had been collecting outage data since late 2013 through a requirement for institutions to notify it of incidents “above a certain threshold”.
While the outage notifications are mandatory, the statistics, as far as we know, have not previously been made public, with Bullock saying the RBA had “mainly used these data for monitoring”.
But when bank system performance and resilience go backward, a little candour and reflection can go a long way, even if it’s not down to naming and shaming individual institutions (though it’s really not a long list).
“Over the past year or so … there have been a number of high-profile incidents that have resulted in substantial customer disruption,” Bullock said.
“A number of banks have experienced lengthy outages in their internet banking services, and there have been occasions when card acquiring services have been unavailable at the point of sale.”
As a result, the RBA and the powerful Payments System Board “have been looking more closely at these issues and asking whether more needs to be done to improve the resilience of these systems,” Bullock said, saying there had been a “reversal” of improvements in 2018.
“The rise in total duration was due to both a rise in the number of incidents and in the average duration of incidents. In other words, incidents were more frequent and services took longer to be restored,” the RBA’s head of system added, noting that “while I can't show information for individual institutions, I can say that the higher level of retail outages was pretty much across the board.”
Software issues stack up
Bullock said around half of the number of service disruptions in 2018 hit mobile and online banking channels, with card services chalking up around 10 percent of incidents.
“The most common reported cause of outages was software failures,” Bullock said.
“Both the number of software failures and the average time taken to resolve the issues rose sharply in 2018. More generally, the increasing complexity of the IT environment seems to be an important reason why incidents are taking longer to become resolved.”
Just letting consumers and businesses suck up the outage fallout is clearly no longer a viable policy option for the RBA, with the regulatory stick again at the ready.
The really big concern is that systemic confidence from the public is getting dented with performance improvements dissipating.
That problem is turbocharged by the fact that banks, consumers and businesses have now developed a far more critical dependency on digital channels and software than before.
“If some institutions are not keeping pace, they can have adverse effects, not only on their own customers, but also the customers of other financial institutions,” Bullock said.
“Confidence in payment services might even be reduced. As noted above, these types of effects are becoming more important as the use of electronic payment methods grows.”
Then came the stick.
“We will also be engaging more with institutions to better understand the challenges of their IT systems and how they are managing operational risks to payment systems,” Bullock said.
The RBA will work with industry and the Australian Prudential Regulation Authority “to produce a standard set of operational performance statistics for retail payments to be disclosed by individual institutions.”
That means disclosure in the form of frequent, regular and fulsome confessions.
For banks looking for an example of the quality of introspection required, the RBA has led by example and set the bar at a decent height when conducting its own outage autopsy, attributed to a fire systems tech.