RBS fined £56m for massive IT failures

IT meltdown in summer 2012 left customers exposed, says Financial Conduct Authority

The Royal Bank of Scotland (RBS), a banking group that includes NatWest Bank and Ulster Bank, has been fined £56m for a 2012 IT failure that meant customers couldn't access online banking services.

The fine comes on top of the £125m bill to fix the RBS's systems after the disaster, which affected millions of customers.

The Financial Conduct Authority (FCA) said it issued the fine because the bank had failed to put in place "resilient IT systems which could withstand, or minimise the risk of, IT failures".

It's the second fine to hit the group this month, with Ulster Bank recently on the receiving end of a £2.75m penalty from the Central Bank of Ireland for issues relating to the same IT outage.

The 2012 IT crash affected more than 6.5 million customers of RBS, NatWest and Ulster Bank, many of whom were left unable to use even basic services for a period of several weeks.

The meltdown meant many customers were unable to pay their mortgages while some firms were prevented from paying their staff.

"Modern banking depends on effective, reliable and resilient IT systems. The banks' failures meant millions of customers were unable to carry out the banking transactions which keep businesses and people's everyday lives moving," said Tracey McDermott, director of enforcement and financial crime at the FCA.

"The problems arose due to failures at many levels within the RBS Group to identify and manage the risks which can flow from disruptive IT incidents and the result was that RBS customers were left exposed to these risks," she continued.

"We expect all firms to focus on how they ensure that they can meet the requirements of their customers when looking at their IT strategies and policies," McDermott added.

Following an investigation, the FCA found that RBS didn't have adequate systems and controls to identify and manage its exposure to IT risks.

According to the regulator, particular causes for concern included "inadequate systems and controls to identify and manage their exposure to IT risks" and that "risks related to the design of the software system that ran the updates to customers' accounts were not identified".

The FCA also stated that RBS's "IT risk appetite and policy was too limited because it should have had a much greater focus on designing systems to withstand or minimise the effect of a disruptive incident".

The incident of June 2012 isn't only IT glitch to have befallen the bank in recent years. December 2 2013 was "Cyber Monday", the biggest online shopping day in the run-up to Christmas

However, an IT problem meant that thousands of RBS customers were unable to access their accounts as they attempted to buy presents, with many missing out on deals due to the glitch.

The fine comprises a £42m penalty from the FCA, and a further £14m from the Prudential Regulation Authority (PRA). This is the first time the two bodies have taken joint enforcement action.