UK banks may have two days to recover from IT failures

British banks and other financial services firms have three months to explain how they can avoid damaging IT breakdowns and respond to the growing threat of cyber attacks.

Credit: REUTERS/Hannah McKay/File Photo

The Bank of England and the UK's Financial Conduct Authority told financial services firms to report back by October 5 on their exposure to risks and how they would respond to outages.

The vulnerability of the banking system to technology failures has been highlighted recently by the inability of customers of bank TSB to access their online accounts and problems at payments firm Visa.

“Operational disruption can impact financial stability, threaten the viability of individual firms and financial market infrastructures, or cause harm to consumers and other market participants in the financial system,” FCA chief executive Andrew Bailey and BoE Deputy Governor Jon Cunliffe said in a joint statement.

Financial firms such as banks and insurers will have to demonstrate to regulators that they have a plan for when crucial systems such as online banking or payment services are disrupted, either by systems failure or deliberate attack.

The regulators suggested two days as an acceptable limit for disruption to a business service in one scenario spelt out in a consultation paper.

Some customers of TSB bank were still unable to access online banking services over a month after its first outage in April, which followed a botched systems upgrade.

Regulators say the growing risk of disruption reflects in large part moves by financial firms to upgrade their computer systems to cope with the rise of tech-savvy competitors and growing consumer demand for instant services.

A BoE official said in June that banks and other financial firms will be set targets for recovering from cyber attacks and other disruptions to key services.

Regulators could, if firms fail to demonstrate adequate back-up plans, require them to take actions such as bolstering capital levels or investing in making their systems more resilient.

The FCA and the BoE emphasised that responsibility for ensuring the resilience of financial firms sat with senior management, who will be held accountable in the event of prolonged disruption.

The consultation will seek views of customers of financial services firms as well as from banks, insurers and other firms.