Another day, Another IT failure

St George Bank ruined a lot of bank holiday plans this weekend when their online banking systems stopped working.

The bank’s Internet systems appear to have stopped working on Sunday evening and were still unavailable almost 24 hours later on Monday afternoon. ATMs were working but, as it was a bank holiday, branches were closed meaning that people who rely on the Internet for account transfers and overseas credit card transactions were out of luck.

Apart from a short message acknowledging the outage on their website, St George has not yet given details of the causes of the problem.

But this was not the only recent Internet banking outage at a major bank.

On the 11th and 12th September, the Commonwealth Bank (CBA) suffered a prolonged disruption to its IT services in particular its ‘industry leading’ banking platform – NetBank. And this was not the only prolonged outage at CBA this year. There were IT service disruptions earlier this year, with failures to transfer money into and out of accounts, thus racking up late and overdraft fees for customers. And also last year, and before that …….

For those who would like to see the impact of such outages on CBA customers, the excellent website Aussieoutages has a whole section devoted to CBA and a blog on which customers can register their frustration, with many of the comments NSFW - as social media terms bad language.

So what has the Commonwealth Bank to say for itself about the latest outages? Nothing!

The media page on the CBA site does not even carry a recognition of the outage let alone an apology. There was however a cock-a-hoop press release on the recent decision to bin the Deposit Levy, to add to CBA’s already record profits, and more bonuses for the CEO Ian Narev. And this is from a company that is claiming to be building a culture of customer service!

Where are the banking regulators when banking customers are inconvenienced by the banks that they are paying records fees to?

Unfortunately, APRA and ASIC continue to play pass the parcel on banking regulation.

OK, but which regulator should be wielding the big stick?

In 2011, DBS Bank, the largest bank in Singapore, suffered a computer outage that deprived its customers of access to banking services for about seven hours (half of that experienced by St George customers).

After an investigation, the local banking regulator, the Monetary Authority of Singapore (MAS) hit DBS with a stern rebuke and a set of new regulatory requirements. The bank was also ordered to “redesign its online and branch banking systems platform to reduce concentration risk and allow greater flexibility and resiliency in operation and recovery capability”. In other words - fix your IT systems, or else.

Importantly, the regulator ordered DBS to increase the capital held in reserve for ‘operational risks’ by 20 per cent, or around $180 million. Under the Basel II banking regulations, banks are required to maintain a capital buffer against operational losses, in particular ‘systems risks’.

Because the failure of Internet systems is clearly an operational risk problem, APRA should be considering at least a 20% addition to the operational risk capital charge on Commbank and Westpac (which owns St George and the other banks like BankSA which went offline at the same time). According to Commbank’s latest Risk (so-called Pillar 3) report, which incidentally has pictures of happy Internet users on the front page, a 20% increase would have CBA having to raise just over an additional $500 million of capital. On the same basis, Westpac would require just under $500 million extra capital. Good luck with that, when banks are scrambling to raise capital to cover upcoming regulatory changes.

But has APRA moved to get the IT systems of the country’s biggest banks under control? No sign so far.

So what of ASIC?

ASIC has recently released its regulatory stance on so-called Conduct Risk, or “the risk of inappropriate, unethical or unlawful behaviour on the part of an organisation’s management or employees”. Conduct Risk is the very latest in regulatory fashion and is an attempt to get banks to treat their customers more fairly.

One would have thought that, in return for account fees, providing access to customers’ own money might be a start for banks?

But a quick look at the ASIC web-site shows the usual list of fines and suspensions on financial institutions so tiny that small fry seem huge. But not a whale or even a barramundi in their nets. ASIC does not go after the big fish.

So which regulator should be going into bat for the costumers of the big banks?

Both!

APRA to ensure that IT systems in banks are robust, by using capital tools. And ASIC to ensure that banks treat customers fairly. Demanding return of fees for non-performance might be start?

Correction: article updated to correct capital amounts, was total capital now additional capital only

Disclosure

Pat McConnell is a customer of the institutions mentioned in the article but is generally satisfied with their online services.