By several measures, the recent systems problems, outages and IT crashes are the latest episodes in a new normal, one that challenges regulators' traditional priorities and measures of impact.
This new reality goes back to the major RBS outage almost six years ago. At the time, both the Bank and the FSA (which wouldn’t split for another nine months) were taken aback by the scale and duration of its impact. Perhaps most strikingly, the outage played out on social media with huge intensity, perhaps the first financial services conduct event to do so, and RBS’ contingency planning and communications strategy struggled to cope.
Recent travails, TSB’s in particular, demonstrate that banks have not yet caught up with the level of customer expectations, or with customers’ ability to vent when these aren’t met.
In this, technology is becoming a great leveller, spreading standards and expectations across what were once very differently perceived industries and sectors. This isn’t a one-way street, and if the FANGS have arguably led the way on user experience, they are now struggling to meet customer expectations on privacy.
For regulators, the problem is slower burn and less acute, but no less profound. And in some ways harder to solve. It also affects both prudential and conduct regulation in ways that the current twin peaks model wasn’t designed for and didn’t envisage.
In 2012, neither regulator fully appreciated at the outset the scale of the problem, and their longer-term response was a letter to the Chairs of the major banks. It’s hard to see a similar response cutting much ice today, but there is still a danger they will see the TSB and Visa problems as isolated events, not symptoms of a wider set of risks.
Regulators have long recognised banks’ legacy IT systems - the result of generations of technology upgrades and fixes, and of multiple mergers and acquisitions - as a significant issue. But they have also tended to view it as a chronic, long-term one, which would be costly to fix quickly and might detract from other, more urgent priorities. To put it another way, in the era of increasing capital requirements and PPI redress, massive upgrades of IT haven’t been at the top of the regulatory agenda.
With the accelerating shift to digital, this may be about to change. I suspect both the FCA and the PRA are working hard to fit the very high-volume but (mostly) individually minor financial “harm” into their risk assessment models. But this won't be easy.
At one end of the spectrum, for the PRA, this kind of harm erodes confidence in the system, the cumulative effect of which could magnify future prudential problems. At the other, these sorts of outages push lots of vulnerability buttons, from those with only a single account to the SMEs that the FCA has historically struggled to put in the right focus.
This is just as big a challenge for banks. Regulators are likely at some point - maybe this is the moment - to make a step change in their approach to such failures. And operational risk in terms of customer loyalty is only going in the one direction.
Looking ahead, service reliability could become a much bigger factor in consumers switching banks than Open Banking or any other competition nudge.
The UK’s banking regulator has confirmed it will launch a formal investigation into the IT failure at TSB after suggesting the bank’s poor response to the crisis risked damaging trust in the entire sector.