Technological failure at a systemically important retail bank

[Figure: risk matrix plotting Impact (1 to 5) against Likelihood (1 to 5), showing the risk indicator with its upper and lower error bars.]

ID: 31a
Risk theme: Accidents and system failures

Impact & Likelihood

Impact key
5: Catastrophic
4: Significant
3: Moderate
2: Limited
1: Minor

Likelihood key
5: >25%
4: 5-25%
3: 1-5%
2: 0.2-1%
1: <0.2%

Background

The increasing digitisation of financial services means that a technological failure of IT systems could result in customers being unable to access key account functions and important information, including online banking. The financial regulators’ operational resilience policy requires finance sector organisations to ensure their critical business services are resilient to severe but plausible scenarios, including technological failures.

This supervisory framework covers financial market infrastructures (FMIs) and Other Systemically Important Institutions (O-SIIs), which are critical to the UK’s financial stability and must also consider their risks in relation to the harm their institution may cause to the real economy and the financial services sector as a whole.

Scenario

The reasonable worst-case scenario is based on a technological systems failure that renders a systemically important retail bank’s critical technology inoperable, with a partial outage for 2 days thereafter. Potential immediate impacts would include customers being unable to view account balances, process payments, use online banking or withdraw cash from ATMs. Account data may also be compromised. Online and mobile customers would be locked out of their accounts, with some experiencing disruption in the weeks that follow.

Long-term disruption to consumer-facing banking would impact consumer confidence. The outage would disrupt critical government services for several hours, with longer-term impacts felt for weeks. This would impact people’s ability to buy necessary goods, travel to and from work and pay for basic utilities. The most significant impact would be felt by vulnerable customers with only a single bank account. The bank would also likely face heightened fraud and operational losses.

Key assumptions

This scenario assumes that the technical fault directly impacts the IT operations of a UK critical national infrastructure bank, and that the firm’s impact tolerances (the maximum tolerable level of disruption) are surpassed.

Variations

Technological failure of a UK critical financial market infrastructure.

Response capability requirements

Local and national plans to deal with a surge in demand for consumer-facing financial services where online and mobile banking services are offline. Collective incident response capability is managed under the UK's Authorities’ Response Framework (ARF).

Recovery

Depending on the severity of the technological failure, a full systems recovery could be protracted. Recovery would involve interim actions to provide customer payments and fixing the affected technological systems. Some customers could experience disruption once the technical issue has been fixed as backlogs are cleared.