HSBC and RBS face trial by Twitter as online banking technology fails them

Your support helps us to tell the story

Support Now

Find out moreClose

As your White House correspondent, I ask the tough questions and seek the answers that matter.

Your support enables me to be in the room, pressing for transparency and accountability. Without your contributions, we wouldn't have the resources to challenge those in power.

Your donation makes it possible for us to keep doing this important work, keeping you informed every step of the way to the November election

Andrew Feinberg

White House Correspondent

At lunchtime on 28 August, people started to share the news on Twitter that they were missing their monthly pay. It was the Friday before a bank holiday and there were parties and pub dates to attend.

But it was also the end of the month, and many of the bank’s customers had rent payments to meet and direct debits that would be withdrawn. HSBC’s Twitter feed started to fill up with angry customers. “I need to pay my deposit for my university accommodation and the deadline is today – please can you get this sorted?” one begged. “Have you been hacked?” asked another.

HSBC hadn’t been hacked – far from it. The problem was so small that at first the bank had failed to notice it. HSBC had sent payments to Bacs, the system that is used to make electronic payments in the UK. But one was too large and bounced back.

A junior staff member received the bounceback but didn’t understand the implications. The notice was put in a queue to be dealt with. Meanwhile, no one got paid.

“The cause of the delay was human error, not an IT systems failure,” an HSBC spokesperson said.

“A tranche of payments submitted to the bank’s clearing system was too large. When this file was rejected, teams did not escalate the matter with due speed.”

Human error is a very different problem to the kind of systemic failings at Royal Bank of Scotland and NatWest, both part of the RBS group, in 2012 that led to significant problems for more than 6.5 million customers over a period of several weeks. A software upgrade left them unable to get into their online accounts, or to call up accurate balances, make mortgage payments or gain access to their money while overseas. RBS was fined £56m in the aftermath.

“Modern banking depends on effective, reliable and resilient IT systems,” said Tracey McDermott, director of enforcement and financial crime at the Financial Conduct Authority, when the penalties were announced.

The IT systems of the largest banks have evolved into a complex web of processes that makes them vulnerable to all sorts of different failings. After a summer of recurring IT glitches, the question now is whether the big four banks can put a stop to these incidents or whether consumers will need to find alternative solutions to make sure their money is safe.

RBS has invested £750m in technology since 2012, but that hasn’t prevented a series of IT problems this year. On 17 June, customers of the bank suffered payment issues because one of the security certificates in the software that verifies the link between RBS and the Bacs system had expired. Such a transaction requires around 30,000 certificates, but because one had expired, payments that were meant to go through on the Wednesday or Thursday were delayed until the Friday.

The delays could have been worse, affecting many more customers, had RBS not made the earlier investment.

A month later, on 31 July, the bank suffered a “DDoS” attack, where hackers flooded the bank’s servers with requests, crashing the system. These kinds of attacks are common across the banking industry and can be used to cause embarrassment or for blackmail attempts on websites.

Nine times out of 10, the systems withstand the threat. This time, the online banking service went down for six minutes and it took another 45 minutes for the IT team to get the system running as normal.

On 31 August, online banking went down again, this time because of continuing problems with mobile payments. Then, on 8 September, RBS customers found themselves unable to use ATMs.

Each time RBS experienced problems, a different part of its IT matrix was at fault.

So now the plan is to simplify things, cutting the range of payment platforms from 144 to 20 by 2020. The bank has already reduced the number of processes by 35,000 since 2012.

David Webber, managing director at the software company Intelligent Environments, said that streamlining systems is essential for banks looking to minimise IT outages. Often a complete overhaul of the IT architecture is too costly, so the solution is to develop back-up systems in case anything fails.

“Banks should streamline and automate core processes to achieve better control,” he said. “For example, by automating manual checks, banks can eliminate human error and rely instead on up-to-date and accurate data, acting faster to fix problems.”

Regulators have started to put the onus on banks to move away from seeking continuity – where they recover quickly from an incident – to resilience, where banking activities can withstand the effect of disruptive events.

The increasing number of IT problems is also a result of the way in which the industry is changing. Research by the British Bankers’ Association shows that the use of mobile banking apps has now overtaken that of internet banking and branch services. Many of the existing IT systems in banks were built with only branch services in mind.

“The processes and systems in place are unable to cope with the demands placed on them by modern banking,” said Pollyanna Russell-Stower, an associate in the dispute-resolution team at the law firm Ashfords.

It is also a question of visibility. One bank spokesman said that, before Twitter, customers were less aware of issues affecting the whole bank. Payment systems used to go down more often and for longer, but people didn’t notice to the same extent. The spokesman said that sometimes it can seem as if things are getting worse, even if they’re getting better.

One thing banks can do to combat the instant negative publicity is to develop a strong social media strategy. While HSBC was working to resolve its Bacs problem in August, it was also responding to each complaint on Twitter – from ruined children’s parties to cancelled holidays – reassuring people that the service would resume soon.

If issues with the biggest banks persist customers will vote with their feet and transfer accounts to new "challenger" banks - such as Tesco and Virgin - whose modern IT systems offer a more reliable service.